Skip to content

Security: DOM-based XSS via location.hash in siteInfo.js#575

Open
tomaioo wants to merge 1 commit into
hackademix:mainfrom
tomaioo:fix/security/dom-based-xss-via-location-hash-in-sitei
Open

Security: DOM-based XSS via location.hash in siteInfo.js#575
tomaioo wants to merge 1 commit into
hackademix:mainfrom
tomaioo:fix/security/dom-based-xss-via-location-hash-in-sitei

Conversation

@tomaioo

@tomaioo tomaioo commented Jul 5, 2026

Copy link
Copy Markdown

Summary

Security: DOM-based XSS via location.hash in siteInfo.js

Problem

Severity: High | File: src/ui/siteInfo.js:L21

The siteInfo.js file uses decodeURIComponent(location.hash.replace("#", "")).split(";") to extract domain and tabId from the URL fragment, then directly interpolates domain into a URL without additional validation. While punycode.toASCII() is applied, the domain value is still user-controlled and could be manipulated. The code then sets location.href to an constructed URL, which could be exploited for open redirect or XSS if the domain contains malicious characters that bypass the punycode conversion.

Solution

Validate and sanitize the domain parameter before using it in URL construction. Use URL() constructor with proper base URL to prevent injection, or implement a strict allowlist of valid domain characters. Consider using browser.runtime.sendMessage for cross-tab communication instead of URL parameters.

Changes

  • src/ui/siteInfo.js (modified)

The siteInfo.js file uses `decodeURIComponent(location.hash.replace("#", "")).split(";")` to extract domain and tabId from the URL fragment, then directly interpolates `domain` into a URL without additional validation. While `punycode.toASCII()` is applied, the domain value is still user-controlled and could be manipulated. The code then sets `location.href` to an constructed URL, which could be exploited for open redirect or XSS if the domain contains malicious characters that bypass the punycode conversion.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant