
XSS attack on redirect #76

Open
@SardarNL

`lib/rack/rewrite/rule.rb#redirect_message` - this method is passing location as is into a link. Suppose that location contains something like `#"><script>alert(1)</script>`, then the resulting body will be `Redirecting to <a href="#"><script>alert(1)</script>">#"><script>alert(1)</script></a>`. Not all browsers will evaluate the response body, but this is still possible.

Solution: do not place that link at all. You can argue that the link should be properly escaped before passing to rack-rewrite, but people tend to make mistakes and the lib should not make it worse.
Better solution: provide a hook to override that short template and by default do not include the link.
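
The two mitigations proposed in this issue, as an added example that is not rack-rewrite's own code and not part of the original report: the unescaped body the issue describes beside an HTML-escaped form and a link-free default with an override hook. All method, class and constant names here are hypothetical; only the sample location string comes from the issue.

```ruby
require "erb"

# Sample input: the location value quoted in the issue.
SAMPLE_LOCATION = %q{#"><script>alert(1)</script>}

# Behaviour the issue describes, rebuilt here as a hypothetical stand-in:
# the location is interpolated as-is into the attribute and the link text.
def unescaped_redirect_message(location)
  %(Redirecting to <a href="#{location}">#{location}</a>)
end

# Mitigation 1: HTML-escape the location before it reaches either context.
# ERB::Util.html_escape encodes & < > " ' so the value cannot close the
# attribute or open a new element.
def escaped_redirect_message(location)
  safe = ERB::Util.html_escape(location.to_s)
  %(Redirecting to <a href="#{safe}">#{safe}</a>)
end

# Mitigation 2 (the issue's "better solution"): the default body carries no
# link at all, and callers who want one pass their own template (the hook).
class RedirectBody
  DEFAULT_TEMPLATE = ->(_location) { "Redirecting." }

  def initialize(template: DEFAULT_TEMPLATE)
    @template = template
  end

  def render(location)
    @template.call(location)
  end
end

# Small check used below: did raw markup from the location survive?
def markup_injected?(body)
  body.include?("<script>")
end

if $PROGRAM_NAME == __FILE__
  puts unescaped_redirect_message(SAMPLE_LOCATION)
  puts escaped_redirect_message(SAMPLE_LOCATION)
  puts RedirectBody.new.render(SAMPLE_LOCATION)
end
```

Escaping neutralises markup injection only; a caller-supplied template that emits a link is still responsible for escaping the location itself.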
