
XSS vulnerabilities in the Vite server package
Open, Needs Triage, Public

Description

These findings come from the reporting tool Snyk.

From https://cwe.mitre.org/data/definitions/79.html:
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

The following files are affected:
https://github.com/vitejs/vite/blob/v2.6.12/packages/vite/src/node/server/send.ts#L48
https://github.com/vitejs/vite/blob/v2.6.12/packages/vite/src/node/server/middlewares/transform.ts#L88
https://github.com/vitejs/vite/blob/v2.6.12/packages/vite/src/node/server/middlewares/base.ts#L45

The suggested fix for the above is to use escapeHtml, as in the following example
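As an added illustration (not Vite's code and not part of this report), the CWE-79 pattern named above in a minimal dev-server-style handler that reflects the request path into an HTML response, beside the escapeHtml fix; the names `escapeHtml`, `notFoundPage`, `buildResponse` and the sample path are assumptions and constructed values:

```typescript
// Added example, not code from the Vite project. It shows why reflecting a
// request URL into an HTML body is CWE-79 and what an escapeHtml helper fixes.

// Minimal HTML escaping of the five characters that can break out of text or
// attribute context. '&' is handled first so later entities are not re-escaped.
function escapeHtml(input: string): string {
  return input
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Builds the 404 page. With escape=false the raw, user-controlled URL is
// interpolated (vulnerable shape); with escape=true it is neutralized first.
function notFoundPage(url: string, escape: boolean): string {
  const shown = escape ? escapeHtml(url) : url;
  return `<html><body><p>Cannot find ${shown}</p></body></html>`;
}

interface DevServerResponse {
  status: number;
  headers: Record<string, string>;
  body: string;
}

// Shape of a middleware response. The text/html content type is what makes an
// unescaped interpolation executable in the browser.
function buildResponse(req: { url: string }, escape: boolean): DevServerResponse {
  return {
    status: 404,
    headers: { 'Content-Type': 'text/html' },
    body: notFoundPage(req.url, escape),
  };
}

// Review/test helper: does the body still carry a raw script tag from input?
function containsRawScriptTag(html: string): boolean {
  return /<script\b/i.test(html);
}

// Constructed sample request path standing in for an attacker-controlled value.
const SAMPLE_PATH = '/missing"><script>alert(1)</script>';
```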