Skip to content

Commit

Permalink
Fix XSS injection issues
Browse files Browse the repository at this point in the history
  • Loading branch information
@dzirtusss
dzirtusss committed Dec 14, 2023
1 parent bda8631 commit 0372181
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 1 deletion.
2 changes: 1 addition & 1 deletion lib/jstreamer.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,6 @@ def generate(template, object = nil, **options)
# Creates new stream (low-level engine)
# @return stream low-level engine
def create_new_stream
Oj::StringWriter.new
Oj::StringWriter.new(escape_mode: :xss_safe)
end
end
18 changes: 18 additions & 0 deletions spec/jstreamer_spec.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,5 +29,23 @@ def render
it "retruns stream" do
expect(described_class.create_new_stream).not_to be_nil
end

it "handles Unicode XSS injections" do
stream = described_class.create_new_stream

stream.push_value("\u2028\u2029\u0000", "x")
result = stream.to_s.split(":").last

expect(result).to eq('"\\u2028\\u2029\\u0000"')
end

it "handles HTML XSS injections" do
stream = described_class.create_new_stream

stream.push_value("<>&", "x")
result = stream.to_s.split(":").last

expect(result).to eq('"\\u003c\\u003e\\u0026"')
end
end
end

0 comments on commit 0372181

Please sign in to comment.