This repository has been archived by the owner on Jun 14, 2022. It is now read-only.
In https://github.com/studiopress/atomic-blocks/blob/develop/dist/getting-started/settings.js#L20 you are currently taking the unsanitized `location.hash` and working with it. This might be insecure because the user or someone else can exploit that for some XSS.

Using something like https://github.com/cure53/DOMPurify to make sure the hash is checked before working with it might be a nice addition to just make sure there are no XSS exploitations of this.
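Added example, not the plugin's code: one way to treat `location.hash` as untrusted before it reaches any DOM sink, using an allowlist check rather than the DOMPurify call suggested in the issue. It assumes the hash names a settings tab; the tab ids and function names are hypothetical.

```javascript
// Hypothetical tab ids; the real page's ids are not shown in the issue.
const ALLOWED_TABS = new Set(['getting-started', 'plugin-settings', 'help']);

// Strict shape for a fragment that will be used as an element id.
const ID_SHAPE = /^[a-z][a-z0-9-]{0,63}$/;

// Returns an allowlisted tab id, or null for anything else.
function tabFromHash(rawHash, allowed = ALLOWED_TABS) {
  if (typeof rawHash !== 'string') return null;
  let value = rawHash.startsWith('#') ? rawHash.slice(1) : rawHash;
  try {
    // Browsers may hand back a percent-encoded fragment; decode exactly once.
    value = decodeURIComponent(value);
  } catch (err) {
    return null; // malformed percent-encoding
  }
  if (!ID_SHAPE.test(value)) return null; // markup, quotes, spaces all fail here
  return allowed.has(value) ? value : null;
}

// Shows the panel for the validated id, falling back to a fixed default.
// In a browser: activateTab(document, location.hash)
function activateTab(doc, rawHash, fallback = 'getting-started') {
  const id = tabFromHash(rawHash) ?? fallback;
  // getElementById does no selector or HTML parsing of its argument.
  const panel = doc.getElementById(id);
  if (panel) panel.hidden = false;
  return id;
}

// Constructed sample hashes, run against a stub document so this works offline.
function demo() {
  const panels = { help: { hidden: true }, 'getting-started': { hidden: true } };
  const doc = { getElementById: (id) => panels[id] || null };
  const samples = ['#help', '#plugin%2Dsettings', '#<img src=x onerror=alert(1)>', '#%E0%A4%A'];
  return samples.map((h) => [h, tabFromHash(h), activateTab(doc, h)]);
}
```

The same pattern applies wherever a fragment selects one of a fixed set of elements: the value is compared against known ids and never concatenated into a selector string or HTML.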