Xe Iaso d40e9056bc

fix(lib): block XSS attacks via nonstandard URLs (#904) ...

* fix(lib): block XSS attacks via nonstandard URLs

This could allow an attacker to craft an Anubis pass-challenge URL that
forces a redirect to nonstandard URLs, such as the `javascript:` scheme
which executes arbitrary JavaScript code in a browser context when the
user clicks the "Try again" button.

Release-status: cut
Signed-off-by: Xe Iaso <me@xeiaso.net>

* chore: spelling

Signed-off-by: Xe Iaso <me@xeiaso.net>

---------

Signed-off-by: Xe Iaso <me@xeiaso.net>

2025-07-24 14:05:00 +00:00

..

challenge

feat(lib): use new challenge creation flow (#749)

2025-07-04 20:42:28 +00:00

localization

feat(localization): Add in Bokmål and Nynorsk translations (#855)

2025-07-21 22:37:49 -04:00

policy

feat(expressions): add missingHeader function to bot environment (#870)

2025-07-20 19:09:29 -04:00

store

fix broken bbolt database cleanup process (#848) (#848)

2025-07-18 13:51:32 -04:00

testdata

fix(config): actually load threshold config (#696)

2025-06-19 17:13:01 -04:00

anubis_test.go

fix(lib): block XSS attacks via nonstandard URLs (#904)

2025-07-24 14:05:00 +00:00

anubis.go

fix(lib): block XSS attacks via nonstandard URLs (#904)

2025-07-24 14:05:00 +00:00

config_test.go

fix(config): actually load threshold config (#696)

2025-06-19 17:13:01 -04:00

config.go

fix: make ogtags and dnsbl use the Store instead of memory (#760)

2025-07-05 16:17:46 -04:00

http_test.go

fix: Dynamic cookie domain not working (#731)

2025-06-29 15:38:55 -04:00

http.go

fix: race conditions, cookie logic, and the try again button (#833)

2025-07-15 00:54:08 +00:00