arian/anubis-mirror
1
0
Fork 0
mirror of https://github.com/TecharoHQ/anubis.git synced 2026-04-11 02:58:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(lib): block XSS attacks via nonstandard URLs

Browse Source 
This could allow an attacker to craft an Anubis pass-challenge URL that
forces a redirect to nonstandard URLs, such as the `javascript:` scheme
which executes arbitrary JavaScript code in a browser context when the
user clicks the "Try again" button.

Release-status: cut
Signed-off-by: Xe Iaso <me@xeiaso.net>
This commit is contained in:
Xe Iaso
2025-07-24 13:49:15 +00:00
parent 21f570962c
commit a0a6b3f147
3 changed files with 92 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/docs/CHANGELOG.md
View File

@@ -13,6 +13,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
<!-- This changes the project to: -->
### Fixes
#### Fixes a problem with nonstandard URLs and redirects
This could allow an attacker to craft an Anubis pass-challenge URL that forces a redirect to nonstandard URLs, such as the `javascript:` scheme which executes arbitrary JavaScript code in a browser context when the user clicks the "Try again" button.
This has been fixed by disallowing any URLs without the scheme `http` or `https`.
## v1.21.1: Minfilia Warde - Echo 1
- Expired records are now properly removed from bbolt databases ([#848](https://github.com/TecharoHQ/anubis/pull/848)).