```javascript
// Excerpt from the response handler in hello.all.js, as quoted in this issue.
// `p` holds the parameters parsed from the callback URL's query string and
// fragment; both branches below hand attacker-influenced values to
// location.assign without checking the scheme.
else if ('oauth_redirect' in p) {
    var url = decodeURIComponent(p.oauth_redirect);
    location.assign(url);
    return;
}
if (p && p.state && (p.code || p.oauth_token)) {
    var state = JSON.parse(p.state);
    // Add this path as the redirect_uri
    p.redirect_uri = state.redirect_uri || location.href.replace(/[\?\#].*$/, '');
    // Redirect to the host (state.oauth_proxy comes straight from the URL)
    var path = _this.qs(state.oauth_proxy, p);
    location.assign(path);
    return;
}
```
Summary
I found that an attacker is able to perform cross-site scripting attacks due to an unsafe redirect caused by multiple vulnerable pieces of code in `hello.all.js`.
PoC
```
?state={"oauth_proxy":"javascript:alert(document.domain)//"}&code=0
#oauth_redirect=javascript:alert(1)
```
Vulnerable code (see the `hello.all.js` excerpt at the top of this page)
Permanent solution
I found a previous XSS issue, #619, and I think it can happen again in the future. So, as a permanent solution, you can apply your validation in the `location.assign` function.
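The check the issue asks for, as an added example that is not hello.js code: a scheme allow-list applied before anything reaches `location.assign`, exercised against the two PoC payloads above. The function names (`parseParams`, `safeRedirectTarget`, `resolveRedirect`), the page URL `https://app.example/oauth/callback`, the proxy host `proxy.example` and the decision to pin `oauth_redirect` to the current origin (stricter than the issue suggests) are this example's own assumptions.

```javascript
// Added example (not hello.js code): the redirect check the issue asks for,
// applied in front of location.assign. Function names, the allow-list policy
// and the sample inputs below are this example's own assumptions.

// Parse a query string or fragment ("?a=1&b=2", "#c=3") into a plain object.
// URLSearchParams percent-decodes each value, as the library's parser does.
function parseParams(str) {
  return Object.fromEntries(new URLSearchParams(str.replace(/^[?#]/, '')));
}

// Resolve `candidate` against the current page URL and accept it only when
// the resulting scheme is http(s). A javascript:, data: or vbscript: target
// is rejected here; that is what turns the open redirect into an XSS.
// With sameOrigin set, the target must also stay on the current origin.
function safeRedirectTarget(candidate, base, sameOrigin) {
  if (typeof candidate !== 'string') return null;
  let u;
  try {
    u = new URL(candidate, base);
  } catch (e) {
    return null; // unparseable input: refuse rather than guess
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (sameOrigin && u.origin !== new URL(base).origin) return null;
  return u.href;
}

// Hardened counterpart of the two branches quoted from hello.all.js.
// Returns the URL that would be handed to location.assign, or null when the
// redirect is refused. `currentHref` stands in for location.href.
function resolveRedirect(search, hash, currentHref) {
  const p = Object.assign({}, parseParams(search), parseParams(hash));

  if ('oauth_redirect' in p) {
    // Final hop back into the application: keep it on our own origin.
    return safeRedirectTarget(p.oauth_redirect, currentHref, true);
  }

  if (p.state && (p.code || p.oauth_token)) {
    let state;
    try {
      state = JSON.parse(p.state);
    } catch (e) {
      return null; // the original code lets a malformed state throw
    }
    // The OAuth proxy legitimately lives on another host, so only the
    // scheme is checked for it.
    const proxy = safeRedirectTarget(state.oauth_proxy, currentHref, false);
    if (!proxy) return null;

    // Add this path as the redirect_uri (same logic as the original)
    p.redirect_uri = state.redirect_uri || currentHref.replace(/[\?\#].*$/, '');

    // Stand-in for the library's qs() helper: append p to the proxy URL.
    const target = new URL(proxy);
    for (const k of Object.keys(p)) target.searchParams.set(k, p[k]);
    return target.href;
  }
  return null;
}

// Constructed sample inputs: the two payloads from the PoC plus two benign
// callbacks. The page URL is an assumed example.
const PAGE = 'https://app.example/oauth/callback';
const SAMPLES = {
  pocState: ['?state={"oauth_proxy":"javascript:alert(document.domain)//"}&code=0', ''],
  pocRedirect: ['', '#oauth_redirect=javascript:alert(1)'],
  benignRedirect: ['', '#oauth_redirect=/dashboard'],
  benignState: ['?state={"oauth_proxy":"https://proxy.example/oauthproxy","redirect_uri":"https://app.example/oauth/callback"}&code=abc', ''],
};

// Run every sample through the hardened handler; null means "refused".
function runSamples() {
  const out = {};
  for (const name of Object.keys(SAMPLES)) {
    const [search, hash] = SAMPLES[name];
    out[name] = resolveRedirect(search, hash, PAGE);
  }
  return out;
}
```

Both PoC payloads come back as `null` (refused), while a relative `oauth_redirect` and a genuine `oauth_proxy` round-trip through the same code unchanged. The `URL` constructor does the scheme normalisation, so variants such as `JavaScript:` or leading whitespace are handled by the parser rather than by a hand-written regex.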