kunthawat/moreminimore-redesign
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Activity

fix DOM XSS via unvalidated form redirects (#120)

Browse Source 
* implement safe url validation for redirects

added validation for safe redirect urls to prevent xss attacks

* add changeset: fix dom xss in form redirects
(marked as patch version bump for @emdash-cms/plugin-forms)

---------

Co-authored-by: Matt Kane <mkane@cloudflare.com>
This commit is contained in:
jul
2026-04-04 16:51:36 +02:00
committed by GitHub
parent 9ebc8b1f3f
commit 66beb4da1f
2 changed files with 22 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
packages/plugins/forms/src/client/index.ts
View File

@@ -137,7 +137,13 @@ async function handleSubmit(e: Event) {
if (result.success) {
clearSavedState(form);
if (result.redirect) {
window.location.href = result.redirect;
// prevent xss
if (isSafeRedirectUrl(result.redirect)) {
window.location.href = result.redirect;
} else {
showStatus(form, result.message || "Submitted successfully.", "success");
form.reset();
}
} else {
showStatus(form, result.message || "Submitted successfully.", "success");
form.reset();
@@ -157,6 +163,16 @@ async function handleSubmit(e: Event) {
}
}
/** validates that a redirect url uses a safe protocol */
function isSafeRedirectUrl(url: string): boolean {
try {
const parsed = new URL(url, window.location.href);
return ["http:", "https:", "mailto:", "tel:"].includes(parsed.protocol);
} catch {
return false;
}
}
// ─── Click Handler (Prev/Next) ───────────────────────────────────
function handleClick(e: Event) {