Add XSS attack catch

MyEtherWallet · Jun 18, 2019 · 5a93d4d · 5a93d4d
1 parent f1f1676
commit 5a93d4d
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+### v3.38.0
+- XSS fix []()
+
 ### v3.37.0
 - Change Webchain chain ID [#2256](https://github.com/kvhnuke/etherwallet/pull/2256)
 - Added InsightsNetworkMigrationToEOS contract ABI [#2252](https://github.com/kvhnuke/etherwallet/pull/2252)

diff --git a/app/layouts/phishing.html b/app/layouts/phishing.html
@@ -6,16 +6,16 @@ <h1>You've been redirected to safety!</h1>
 </section>
 <script>
 (function() {
-  const regex = /[-a-zA-Z0-9@:%_\+.~#?&//=]{2,256}\.[a-z]{2,4}\b(\/[-a-zA-Z0-9@:%_\+.~#?&//=]*)?/gi;
-	const url = globalFuncs.stripTags(window.location.search.replace("?phishing-address=", ""));
-  console.log(url, url.match(regex) !== null);
+  const regex = /(http(s)?:\/\/.)?(www\.)?[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)/gi;
+  const url = globalFuncs.stripTags(window.location.search.replace("?phishing-address=", ""));
+  const actualUrl = new URL(url).origin;
   const body = document.getElementById("phishingMsg");
   const fragment = document.createDocumentFragment();
   const newP1 = document.createElement("p");
   const newP2 = document.createElement("p");
-  url.match(regex) !== null ? 
+  actualUrl.match(regex) !== null ? 
     newP1.innerHTML = `</br></br></br></br></br>
-      The url ${url} has been flagged as a supicious site by the community.
+      The url ${actualUrl} has been flagged as a supicious site by the community.
     ` :
     newP1.innerHTML =  `</br></br></br></br></br>
       Unparsable url found.