From 726f5655f4eb7c9941f9128a9e4f9375c425d10f Mon Sep 17 00:00:00 2001 From: tomaioo Date: Sun, 5 Jul 2026 11:20:46 -0700 Subject: [PATCH] fix(ui): dom-based xss via location.hash in siteinfo.js The siteInfo.js file uses `decodeURIComponent(location.hash.replace("#", "")).split(";")` to extract domain and tabId from the URL fragment, then directly interpolates `domain` into a URL without additional validation. While `punycode.toASCII()` is applied, the domain value is still user-controlled and could be manipulated. The code then sets `location.href` to an constructed URL, which could be exploited for open redirect or XSS if the domain contains malicious characters that bypass the punycode conversion. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- src/ui/siteInfo.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/ui/siteInfo.js b/src/ui/siteInfo.js index 2bb275af..f9a18cdb 100644 --- a/src/ui/siteInfo.js +++ b/src/ui/siteInfo.js @@ -39,5 +39,6 @@ } } let ace = punycode.toASCII(domain); - location.href = `${BASE}/about/${domain};${ace}`; + let url = new URL(`/about/${domain};${ace}`, BASE); + location.href = url.href; })();