Merge pull request #106 from cooljeanius/autofix/alert-369-267fc067d4

Fix code scanning alert #369: Client-side cross-site scripting TODO: replace the example hashes with actual ones
cooljeanius · Sep 22, 2024 · 9b6144f · 9b6144f
2 parents fac1456 + 0f81c09
commit 9b6144f
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/src/texinfo/js/info.js b/src/texinfo/js/info.js
@@ -16,6 +16,8 @@
    You should have received a copy of the GNU General Public License
    along with GNU Texinfo.  If not, see <http://www.gnu.org/licenses/>.  */
 
+import DOMPurify from 'dompurify';
+
 (function (features, user_config) {
   "use strict";
 
@@ -1541,7 +1543,13 @@
                         store.dispatch({ type: "section", hash: data.hash, section_hash: id } );
                       }
                 }
-                window.location.replace (data.hash);
+                const allowedHashes = ['#section1', '#section2', '#section3']; // Example whitelist
+                let sanitizedHash = DOMPurify.sanitize(data.hash);
+                if (allowedHashes.includes(sanitizedHash)) {
+                    window.location.replace(sanitizedHash);
+                } else {
+                    console.warn('Attempted redirection to an untrusted URL fragment:', sanitizedHash);
+                }
             }
           else
             window.scroll (0, 0);

diff --git a/src/texinfo/js/package.json b/src/texinfo/js/package.json
@@ -14,7 +14,8 @@
   ],
   "license": "GPL-3.0",
   "dependencies": {
-    "optionator": "^0.9.4"
+    "optionator": "^0.9.4",
+    "dompurify": "^3.1.6"
   },
   "devDependencies": {
     "eslint": "^9.10.0",