Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SXSS via caching - theme= #213

Open
poeyer opened this issue Sep 6, 2023 · 1 comment
Open

SXSS via caching - theme= #213

poeyer opened this issue Sep 6, 2023 · 1 comment
Labels
enhancement New feature or request
Milestone
v0.5

Comments

@poeyer
Copy link

poeyer commented Sep 6, 2023
edited
Loading

Critical issue

https://github.com/pacocoursey/next-themes/blob/main/packages/next-themes/src/index.tsx#L83

Example:
Append to URL: ?theme=%27-console.log(%27test/%27%2bdocument.domain)-%27
forcedTheme enabled on Provider

Not everybody has CSP enabled so make sure to sanitize the data attribute/class

The value of the "theme" parameter is reflected on the page, this reflection is then stored with the page/cache. So if someone else visits that page (without using any payload) the previously injected javascript will still be returned and execute.

After a while the page/cache will reset and the injection will no longer be returned. If an attacker continuously request the page with injections the page will assumably always respond with the injections though.
@poeyer poeyer closed this as not planned Won't fix, can't repro, duplicate, stale Sep 6, 2023
@poeyer
Copy link
Author

poeyer commented Sep 6, 2023
edited
Loading

Some notes, if you pass %27-console.log(%27test/%27%2bdocument.domain)-%27 to the forcedTheme, you will store executable JavaScript that can lead to serious issues. May I suggests sanitising the input of forcedTheme?

@poeyer poeyer reopened this Sep 6, 2023
lotyp added a commit to lotyp/next-themes that referenced this issue Sep 7, 2023
@lotyp
fix: pacocoursey#213 allow only registered themes
49760ed
@lotyp lotyp mentioned this issue Sep 7, 2023
Open
@trm217 trm217 self-assigned this Nov 7, 2024
@trm217 trm217 added the enhancement New feature or request label Nov 7, 2024
@trm217 trm217 added this to the v0.5 milestone Nov 7, 2024
@trm217 trm217 removed their assignment Dec 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
v0.5
Development

No branches or pull requests
2 participants
@poeyer @trm217