fix(utils/redirect): escape HTML special characters in body#1317
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughRedirect embedding now HTML-escapes special characters ( Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
📝 Coding Plan
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment Tip You can enable review details to help with troubleshooting, context usage and more.Enable the |
commit: |
The `redirect()` function only escaped double quotes in the meta refresh HTML body, leaving `<`, `>`, `&`, and `'` unescaped. A malicious redirect URL containing HTML tags (e.g. `<script>`) could inject markup into the redirect page body. Now properly escapes all HTML-significant characters using percent-encoding for URL characters (`<`, `>`, `'`, `"`) and HTML entities for `&`. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace manual regex chain with standard URL/encodeURI escaping: - Absolute URLs: URL constructor properly percent-encodes unsafe chars - Relative URLs: encodeURI handles the escaping Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
bd6e58f to
c69de1f
Compare
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@src/utils/response.ts`:
- Line 47: The encodedLoc assignment must ensure ampersands are HTML-escaped for
use inside the meta-refresh body: after computing encodedLoc (via
URL.canParse(...) ? new URL(location).href : encodeURI(location)), replace all
'&' with '&'; additionally, for the encodeURI(...) branch ensure single
quotes are percent-encoded (replace "'" with "%27") as a safety net, while
avoiding redundant "'->%27" on the URL.href branch. Update the logic around
encodedLoc (the URL.canParse / new URL(location).href / encodeURI(path)) to
perform these replacements before using encodedLoc in the HTML meta-refresh.
In `@test/utils.test.ts`:
- Around line 45-53: Update the "escapes special characters in HTML body" test
to assert that ampersand and single-quote are escaped by adding checks after
fetching the body: reuse the existing malicious variable and result/body
variables and assert body does not contain literal "&" or "'" unescaped where
they would appear, and assert it contains their percent-encoded/escaped
equivalents (e.g., "%26" and "%27" or the expected HTML-escaped sequences) so
that redirect(malicious), t.fetch("/"), result.headers.get("location"), and body
assertions cover &, ' in addition to <script>.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: a8bf44aa-0055-4361-89a5-e97f4ce54122
📒 Files selected for processing (2)
src/utils/response.tstest/utils.test.ts
Per maintainer review: - URL.canParse may not be available in all runtimes - encodeURI handles both absolute and relative URLs correctly - No need for conditional logic — encodeURI is sufficient Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
`encodeURI` does not escape HTML metacharacters (`"`, `<`, `>`), allowing potential XSS via attribute breakout in the `<meta>` refresh tag. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
Test plan
🤖 Generated with Claude Code
Summary by CodeRabbit
Bug Fixes
Tests