Merge pull request #63 from sharetribe/hot-fix-replace-tag-starts-from-script-tag

Replace '<' with unicode equivalent in script tag
OtterleyW authored Nov 26, 2019
2 parents c3ee14f + 9d2ed60 commit 471fe2a
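To make the bug and the fix concrete, here is an added example in JavaScript; it is not code from the sharetribe/ftw-hourly repository. It assumes a hypothetical schema.org object built from a URL parameter named `address` (the parameter named in the changelog) and a constructed attacker value. It renders the same JSON-LD twice, once as `JSON.stringify` output placed straight into the script element and once with `<` replaced by `\u003c`, then splits each rendering the way the HTML tokenizer would, to show that only the first one lets markup escape the element while the second still parses back to the original value.

```javascript
// Added example, not code from the sharetribe/ftw-hourly repository: it shows
// why a "<" inside an inline <script type="application/ld+json"> element is an
// XSS sink and why replacing "<" with its JSON escape "\u003c" closes it.
//
// The HTML tokenizer treats everything inside <script> as raw text: no entity
// decoding, no awareness of JSON string quoting. The only thing that can end
// the element early is "</script" (case-insensitive), and "<!--" can also
// change how the rest is parsed. Both begin with "<", so escaping that one
// character is sufficient.

const OPEN_TAG = '<script type="application/ld+json">';

// Constructed attacker input, as it might arrive in a URL parameter such as
// ?address=... on a search page. The value is hypothetical.
const ATTACKER_ADDRESS = '</script><script>alert(document.domain)</script>';

// Minimal schema.org object carrying the untrusted value (hypothetical shape).
function buildSchema(address) {
  return [{ '@context': 'http://schema.org', '@type': 'SearchResultsPage', name: address }];
}

// Vulnerable: JSON.stringify escapes quotes and control characters but leaves
// "<" alone, so a literal "</script>" lands in the page.
function renderVulnerable(schema) {
  return OPEN_TAG + JSON.stringify(schema) + '</script>';
}

// Hardened: "\u003c" is a valid JSON string escape that parses back to "<",
// so consumers of the structured data see the original value, while the HTML
// tokenizer never encounters a "<" inside the element.
function escapeJsonForScript(json) {
  return json.replace(/</g, '\\u003c');
}

function renderHardened(schema) {
  return OPEN_TAG + escapeJsonForScript(JSON.stringify(schema)) + '</script>';
}

// Model of how the HTML tokenizer splits the markup: script data runs up to the
// first "</script" (case-insensitive); whatever follows that end tag is parsed
// as ordinary HTML, which is where injected markup ends up.
function splitScriptElement(html) {
  if (!html.startsWith(OPEN_TAG)) throw new Error('unexpected markup');
  const body = html.slice(OPEN_TAG.length);
  const end = body.search(/<\/script/i);
  if (end < 0) throw new Error('unterminated script element');
  const scriptData = body.slice(0, end);
  const trailingHtml = body.slice(end).replace(/^<\/script\s*>/i, '');
  return { scriptData, trailingHtml };
}

function isValidJson(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Summarise both renderings so the difference is visible in one place.
function demo(address) {
  const schema = buildSchema(address);
  const report = {};
  const renderings = [['vulnerable', renderVulnerable(schema)], ['hardened', renderHardened(schema)]];
  for (const [label, html] of renderings) {
    const { scriptData, trailingHtml } = splitScriptElement(html);
    const valid = isValidJson(scriptData);
    report[label] = {
      scriptDataIsValidJson: valid,
      injectedHtml: trailingHtml,
      roundTripsOriginalValue: valid && JSON.stringify(JSON.parse(scriptData)) === JSON.stringify(schema),
    };
  }
  return report;
}

console.log(JSON.stringify(demo(ATTACKER_ADDRESS), null, 2));
```

The check that matters for a fix like this is the round trip: the escaped string must still be valid JSON and must decode to exactly the value that went in, otherwise the "fix" silently corrupts the structured data that search engines read. Note that the escaping is only correct on the output of `JSON.stringify`; applied to arbitrary text it would change the payload rather than merely re-encode it.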
Showing 3 changed files with 18 additions and 2 deletions.
14 changes: 14 additions & 0 deletions CHANGELOG.md
@@ -17,9 +17,23 @@ https://github.com/sharetribe/flex-template-web/

## Upcoming version 2019-XX-XX

## [v5.0.2] 2019-11-26

- [fix] Fix XSS-vulnerability on SearchPage where URL param 'address' was exposed directly to
schema, which is just a script tag: <script type="application/ld+json">. On server-side, this
could leak malformed HTML through to browsers and made it possible to inject own script tags.

However, CSP prevents any data breach: injected js can't send data to unknonwn 3rd party sites.

NOTE: Check that `REACT_APP_CSP` is in block mode on your production environment. You can read more
from Flex docs: https://www.sharetribe.com/docs/guides/how-to-set-up-csp-for-ftw/
[#62](https://github.com/sharetribe/ftw-hourly/pull/62)

- [fix] Add missing translation key EditListingDescriptionPanel.createListingTitle and change link
name in UserNav. [#62](https://github.com/sharetribe/ftw-hourly/pull/62)

[v5.0.2]: https://github.com/sharetribe/ftw-hourly/compare/v5.0.1...v5.0.2

## [v5.0.1] 2019-11-22

- [fix] Fix proptype validation error for initialized date object for FieldDateInput
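Review bot: "CSP prevents any data breach" in the new v5.0.2 entry overstates what the header gives you, and it is only true at all when the policy is actually enforced; a report-only policy still lets the injected script run, which is exactly why the NOTE about `REACT_APP_CSP` being in block mode matters. Suggest wording it as a mitigation rather than a guarantee, e.g. "With CSP in block mode, injected JS is prevented from sending data to unknown 3rd party sites", and fix the typo "unknonwn". Also, this merge is PR #63 but both bullets link to [#62](https://github.com/sharetribe/ftw-hourly/pull/62); please confirm the XSS fix should reference #62 and not this PR.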
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "app",
"version": "v5.0.1",
"version": "v5.0.2",
"private": true,
"license": "Apache-2.0",
"dependencies": {
4 changes: 3 additions & 1 deletion src/components/Page/Page.js
@@ -197,7 +197,9 @@ class PageComponent extends Component {
<meta httpEquiv="Content-Type" content="text/html; charset=UTF-8" />
<meta httpEquiv="Content-Language" content={intl.locale} />
{metaTags}
<script type="application/ld+json">{schemaArrayJSONString}</script>
<script type="application/ld+json">
{schemaArrayJSONString.replace(/</g, '\\u003c')}
</script>
</Helmet>
<CookieConsent />
<div
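Review bot: the inline `schemaArrayJSONString.replace(/</g, '\\u003c')` is the right fix for this sink (only `<` can begin `</script` or `<!--`, and `\u003c` is a legal JSON string escape that parses back to `<`), but it silently relies on `schemaArrayJSONString` being `JSON.stringify` output; applied to anything that is not JSON the replacement changes the content instead of re-encoding it. Suggest moving the replace into a named helper next to where the string is built, with a comment stating that invariant, so that any other place that emits `application/ld+json` uses the same function, and add a unit test asserting that `JSON.parse` of the escaped string round-trips a value containing `</script>`.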
