Merge pull request #330 from topcoder-platform/VULN-2658

eisbilir · web-flow · commit 2aa0a39e700a · 2022-10-20T16:23:30.000+03:00
Fix Reflected XSS
diff --git a/web-assets/js/setupAuth0WithRedirect.js b/web-assets/js/setupAuth0WithRedirect.js
@@ -422,7 +422,10 @@ const authSetup = function () {
 
     // XSS rules
     const encode = function(str) {
-        return str.replace(/[\x26\x0A\<>'"]/g,function(str){return"&#"+str.charCodeAt(0)+";"})
+        str = str.replace(/[\x26\x0A\<>'"]/g,function(str){return"&#"+str.charCodeAt(0)+";"})
+        return String(str).replace(/[^\w. ]/gi, function(c){
+            return '&#'+c.charCodeAt(0)+';';
+          });
     }
     // end XSS rules
 
