Vue-router vulnerability allowing for DOM-based open redirects

I am currently working on a Vue application that was created using Vue-cli.
Vue version: 2.6.11
vue-router version: 3.2.0

Link for Reproduction
https://github.com/keyhangholami/dom-based-open-redirect

Instructions to replicate
To reproduce the issue, add 3 or more forward slashes in the URL followed by any random URL and a date formatted with slashes (e.g. ) and then press Enter.

Expected outcome
I would expect to see the 404 page when the URL is invalid (contains 3 or more slashes and a date).

Actual behavior
However, what actually happens is that the app redirects me to Google (or any other specified URL) along with all query parameters, even though I have not set any redirect rules. I do have the following route set up to redirect to a 404 page:

{ path: '*', name: '404-page', component: Page404, props: false }
javascriptvue.jsvue-router

Answer №1

Dealing with the same problem, I made the following updates:

Vue version 2.6.14

Vue-router version 3.5.3

Vue-template-compiler version 2.6.14

This resolved the issue for me.

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

What is the best way to connect a nested Vuex object to a Vue.js property within the Tiptap text editor?

I'm attempting to connect the nested Vuex state object to the editor property of the tiptap's editor-content component. The structure of the state is as follows: <template> <table :style="{ backgroundColor: element.options.ba ...

javascriptvue.jsvuexnuxt.jstiptap

Exclusive event bus dedicated to a single view

My task involves creating an event bus that functions exclusively on a single page. This is crucial due to the fact that multiple pages (views) have identical event listener names. Additionally, some components are nested within other components, making ...

vue.js

Using Javascript to iterate through and increase HTML code with values all the way up to 55

I am looking for a way to automatically generate a list of links in an HTML page using JavaScript. I have tried a few scripts, but none have worked for me. This is the current structure of my HTML... <a href="1.html"><img src="images/1.jpg" widt ...

javascripthtmlloopsstatic

The overflow of Highcharts tooltips is set to be hidden

My issue arises when the chart drawing area is smaller than a highchart tooltip, causing part of the tooltip to be hidden as it overflows the chart. I would like the tooltip to remain visible at all times, regardless of the size of the chart area. I have ...

javascriptjquerytooltiphighcharts

Setting a value in the selectpicker of rsuitejs involves assigning a specific value to the

const _DATA = [{ code: 'code1', name: 'Jagger' },{ code: 'code2', name: 'Tigger' },{ code: 'code3', name: 'Lion' }] <SelectPicker data={_DATA.map(x => {return {label: x.n ...

javascriptreactjstypescriptnext.jsrsuite

[Vue alert]: Issue in created function: "TypeError: Unable to assign value to undefined property"

I'm currently in the process of developing a VueJS application where I have implemented a child component called Child.vue that receives data from its parent. Child.vue export default{ props:['info'], data: function(){ ...

javascripthtmlvue.jsvuejs2vue-component

Implementing class attributes in VueJS functional components

Creating a VueJS functional component to emulate div behavior involves setting its class based on the props it receives. For example: <MyDiv textAlign="left">Div with left aligned text</MyDiv> Transforms into: <div class="text-left">Di ...

javascriptvue.js

Fulfill the promise in AngularJS and assign it to a different factory

Presenting my factory below: .factory('UserData', ['User', '$q', function(User, $q) { var deferred = $q.defer(); return { user: null, get: function() { var _this = this; _this. ...

javascriptangularjsangular-promise

Retrieve JavaScript Variable Value when Button is Clicked via asp:HiddenField

Having limited experience with JavaScript and jQuery, I decided to make some modifications to a jQuery Slider for adjusting dates. You can check out what I've done so far here: http://jsfiddle.net/ryn_90/Tq7xK/6/. I managed to get the slider working ...

c#javascriptjqueryasp.net

Issue with mouseout gap in Microsoft Edge when using the <select> element

A noticeable gap appears in Microsoft Edge between the <select> menu and its options when expanding the menu, as shown here: https://i.stack.imgur.com/SprJ2.png This particular issue can cause problems with the mouseout event due to inconsistent be ...

javascripthtmlcssmicrosoft-edge

Error message in Ionic 2: "Property is not found on type"

Currently, I am working on a project in Ionic 2 and have encountered a stumbling block with a seemingly simple task. My issue lies with a Textbox where I aim to input text that will then be displayed. I found some code on a website (http://www.tizag.com/j ...

javascripttypescriptionic-frameworkionic2

Guide to automatically inserting text into an html form and submitting it without manual intervention

Currently, I am in the process of a project where my main goal is to design an HTML form for submitting replies. One interesting feature I want to include is an option for users who are feeling lazy to simply click on "auto-generate comment", which will ...

javascriptjqueryhtml

Similar to TypeScript's `hasOwnProperty` counterpart

When working with TypeScript objects, is there a way to loop through a dictionary and set properties of another dictionary similar to how it is done in JavaScript? for (let key in dict) { if (obj.hasOwnProperty(key)) { obj[key] = dict[key]; } } If ...

javascriptobjecttypescripttypescript1.8

Encountered a problem while attempting to create two separate div elements. The template root is designed to have only one element. This issue

<template> <div class="footerpart-container"> <div class="general-container"> dadada </div> <div class="legal-container"> dadad </div> <div class="helpsupport-container"> dada ...

htmlcssvue.js

Using the append() method in d3 with a function argument adds new

This is functional code: // A d3.select("body").selectAll(".testDiv") .data(["div1", "div2", "div3"]) .enter().append("div") .classed("testDiv", true) .text(function(d) { return d; }); The next snippet is essentially the same, except that ins ...

javascriptd3.js

Looking to include a new item into an array with the help of AngularJS

Having just started with angularJS, I am facing difficulties in adding an object from a form to an array. When I click on "Add New Product", it triggers the "newItemModal". I enter the new product information but the submit button doesn't seem to work ...

javascriptangularjsarraysfrontendjavascript-objects

Sorting nested table rows in vueJS is an essential feature to enhance

I am working with a json object list (carriers) that looks like this: https://i.stack.imgur.com/0FAKw.png Within my *.vue file, I am rendering this using the following code: <tr v-for="carrier in this.carriers"> <td>{{ carrier.id ...

javascripthtmlvue.js

The constructor for audio in Next JS cannot be found

I'm facing an issue and struggling to find a solution. My project follows the standard structure of Next JS. In the root directory, I have included a components folder. Within the components folder, there is a component with the following code: imp ...

javascriptnext.jsweb-audio-api

Using private API keys in Nuxt to trigger a request upon clicking a button: a step-by-step guide

I've stored my API credentials securely in the privateRuntimeConfig option within the nuxt.config.js file to prevent client-side access. However, I'm facing a dilemma when it comes to sending requests to the API after a user clicks a button. In ...

vue.jsserverrequestnuxt.jscredentials

Troubleshooting issues with the delete functionality in a NodeJS CRUD API

I've been struggling to implement the Delete functionality in my nodejs CRUD API for the past couple of days, but I just can't seem to get it right. As I'm still learning, there might be a small detail that I'm overlooking causing this ...

javascriptjsonnode.jscrudhttp-status-code-400