XSS code injection when changing the route #50093

Closed
1 task done
hamid-bhz opened this issue May 20, 2023 · 2 comments
Labels
bug Issue was opened via the bug report template. Linking and Navigating Related to Next.js linking (e.g., <Link>) and navigation.

Comments


hamid-bhz commented May 20, 2023

Verify canary release

  • I verified that the issue exists in the latest Next.js canary release

Provide environment information

Operating System:
      Platform: darwin
      Arch: x64
      Version: Darwin Kernel Version 21.5.0
    Binaries:
      Node: 14.18.2
      npm: 6.14.15
      Yarn: 1.22.19
      pnpm: 7.9.0
    Relevant packages:
      next: 12.3.4
      eslint-config-next: N/A
      react: 18.2.0
      react-dom: 18.2.0

Which area(s) of Next.js are affected? (leave empty if unsure)

Routing (next/router, next/navigation, next/link)

Link to the code that reproduces this issue or a replay of the bug

https://codesandbox.io/p/sandbox/next-router-6ui2e5

To Reproduce

  • create a new project
  • create a button with an onClick handler and write a function for it.
  • in the function, route to another page with the code router.push("javascript:(alert)(3)")

import { useRouter } from "next/router";

// Reproduction: the click handler pushes a javascript: URL through the Next.js router
export default function Home() {
  const router = useRouter();

  return (
    <button onClick={() => router.push("javascript:(alert)(3)")}>Click</button>
  );
}

Describe the Bug

When I want to route to another page through the query params, if the user changes the existing query params and writes a script instead, that script will be executed through the router.

Expected Behavior

Prevent next-router from running and executing scripts.

Which browser are you using? (if relevant)

No response

How are you deploying your application? (if relevant)

No response

@hamid-bhz hamid-bhz added the bug Issue was opened via the bug report template. label May 20, 2023
@github-actions github-actions bot added the Linking and Navigating Related to Next.js linking (e.g., <Link>) and navigation. label May 20, 2023

ijjk commented May 21, 2023

Hi, this isn't a bug in Next.js itself as this is equivalent to doing window.location.href = 'javascript:alert(1)'. You shouldn't pass untrusted input to router.push/replace the same as you wouldn't to window.location.href.

@ijjk ijjk closed this as completed May 21, 2023
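The maintainer's point above is that router.push is a navigation sink, so the fix belongs in the application: an untrusted value (for example a `?next=` query parameter, as the reporter describes) has to be validated before it reaches the router. The following is an added example written for this page; it is not code from the issue or from Next.js. It assumes a site origin of https://app.example.com, a query parameter named `next`, and a tiny recording stub in place of the real router so it runs offline. It also goes a little beyond the issue's javascript: payload: the same origin check rejects data: URLs, protocol-relative and backslash variants, and lookalike hosts.

```javascript
// Assumed origin for the demonstration; a real app would use window.location.origin.
const SITE_ORIGIN = "https://app.example.com";

// Returns a same-origin "/path?query#hash" string, or null if the input must not
// be navigated to. Resolving with the WHATWG URL parser and comparing origins is
// the whole check: javascript:, data: and vbscript: URLs get an origin of "null",
// and "//evil.example", "/\evil.example" and "https://app.example.com.evil.example"
// all resolve to some other origin.
function safeLocalTarget(input, origin = SITE_ORIGIN) {
  if (typeof input !== "string" || input.length === 0) return null;

  let url;
  try {
    url = new URL(input, origin); // relative inputs resolve against our origin
  } catch {
    return null; // unparseable input is not a valid destination
  }

  if (url.origin !== origin) return null;

  // Belt and braces: browsers treat "\" as "/" in special schemes, so refuse it
  // outright rather than trusting every downstream parser to agree.
  if (input.includes("\\")) return null;

  return url.pathname + url.search + url.hash;
}

// Vulnerable pattern from the issue: the untrusted parameter goes straight to the
// router, which behaves like location.href = "javascript:..." for such input.
function unsafeRedirect(router, nextParam) {
  router.push(nextParam);
}

// Hardened form: validate first and fall back to a fixed route on rejection.
function safeRedirect(router, nextParam) {
  router.push(safeLocalTarget(nextParam) ?? "/");
}

// Stub standing in for next/router's useRouter(); records what was pushed.
function makeRecordingRouter() {
  const pushed = [];
  return { push: (target) => pushed.push(target), pushed };
}

// Constructed inputs for the demonstration, as they might arrive in ?next=...
const SAMPLE_TARGETS = [
  "/account/settings?tab=security",            // legitimate relative path
  "javascript:(alert)(3)",                     // the issue's payload
  "\tjavascript:alert(1)",                     // leading control char, still javascript: after parsing
  "//evil.example/phish",                      // protocol-relative, leaves our origin
  "/\\evil.example/phish",                     // backslash variant of the same trick
  "https://app.example.com/orders#x",          // absolute URL, but ours
  "https://app.example.com.evil.example/",     // lookalike host
  "data:text/html,<script>alert(1)</script>",  // data: URL
];

// Runs every sample through the hardened redirect and returns what the router saw.
function runDemo() {
  const router = makeRecordingRouter();
  for (const target of SAMPLE_TARGETS) safeRedirect(router, target);
  return router.pushed;
}
```

Only the first and sixth inputs survive; every other entry collapses to "/". Note that an allow-list of relative paths is deliberately not attempted with string prefix checks ("starts with /"), because "/\evil.example" and "//evil.example" both pass such a check and still leave the site.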

This closed issue has been automatically locked because it had no new activity for a month. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 21, 2023