Potential XSS · Advisory · snarfed/bridgy · GitHub
Potential XSS
Severity: Low
Package: https://brid.gy/ (service)
Affected versions: < 20230828t215720
Patched versions: 20230828t215720

Severity: Low / 10
CVSS v3 base metrics:
  Attack vector: Network
  Attack complexity: Low
  Privileges required: None
  User interaction: Required
  Scope: Changed
  Confidentiality: None
  Integrity: None
  Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:N
CVE ID: No known CVE
Weaknesses: No CWEs
Credits: janboddez (Reporter)

Description
Fixed in snarfed/granary@62e574c and snarfed/granary@2172378, more followup in snarfed/granary#586.
Summary
Probably not super severe, but I think there may be a potential XSS vulnerability. It might just be a bug, in fact, because I didn't really look at Bridgy's source code, but I thought I'd report it here first.
Details
Here's an example: https://brid.gy/comment/mastodon/@janboddez@indieweb.social/110961328502802311/110961820713137731
On line 45 of that page's source code (you want to avoid being redirected), there's this here markup:
<a class="tag" href="https://github.com/pfefferle/wordpress-webmention/issues/399"><br /> not converted to \n from Bridgy · Issue #399 · pfefferle/wordpress-webmention</a>
The <br /> is unescaped, but it is not part of the original source's markup. Instead, it is (correctly) escaped there (i.e., on Mastodon). While it doesn't really matter, it is part of the link preview card (below the Mastodon post in question). But then somehow it is decoded on the "intermediate" Bridgy page. So that makes me think one could possibly insert some other, somehow less "innocent" markup in a page title (on GitHub or elsewhere), link to it on Mastodon, and see it appear unescaped on a Bridgy page.
Maybe you do some filtering and "bad" tags are removed; I didn't check. Still, in this case, the <br /> probably should remain encoded?
PoC
One would have to create a page with some (escaped) HTML in its title. Mastodon might then generate a preview card with that HTML in, still encoded. Bridgy, it seems, will decode this markup and not escape it when it is displayed.
Impact
Bridgy has no user logins and nothing sensitive or confidential in cookies or anything else scoped to the brid.gy origin. Due to this, XSS impact is somewhere between low and nothing. Regardless, still worth fixing!
Not a huge issue as no one will (?) normally visit these pages, and if they do, they should get redirected. Plus, Bridgy may already be stripping actually "dangerous" HTML, like script tags. But again, better safe than sorry?
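The defect described in the Details and PoC sections, as an added example that is not code from Bridgy or granary: a constructed preview-card title modelled on the report's `<br />` case, a renderer that unescapes it and so turns the entities back into live markup, and the same renderer with escaping on output. The function names, the `contains_markup` check and the input string are assumptions for illustration.

```python
"""A preview-card title arrives from Mastodon HTML-escaped. Decoding it once
at the input boundary is correct (that yields the plain-text title), but the
text must be escaped again when it is rendered into the tag link.

Assumption: both render functions below are illustrative, not the project's
actual code."""
import html
import re

# Constructed input modelled on the report: the card title as Mastodon
# serves it, with the "<br />" from the upstream page title already escaped.
CARD_TITLE_ESCAPED = (
    "&lt;br /&gt; not converted to \\n from Bridgy · Issue #399 · "
    "pfefferle/wordpress-webmention"
)
CARD_URL = "https://github.com/pfefferle/wordpress-webmention/issues/399"


def render_tag_link_vulnerable(url: str, title_escaped: str) -> str:
    """Decodes the entities to get the plain title, then drops the decoded
    text straight into the anchor: any tag the entities stood for is now
    real markup in the page."""
    title = html.unescape(title_escaped)
    return f'<a class="tag" href="{url}">{title}</a>'


def render_tag_link_fixed(url: str, title_escaped: str) -> str:
    """Same decode at the input boundary (so '&amp;' becomes '&' in the
    plain-text title), but the text is re-escaped, and the href quoted,
    at the point where it is rendered."""
    title = html.unescape(title_escaped)
    return (f'<a class="tag" href="{html.escape(url, quote=True)}">'
            f'{html.escape(title)}</a>')


def contains_markup(rendered: str) -> bool:
    """Rough output check: does the anchor's text node contain anything that
    parses as a tag? A detection aid for tests, not a sanitizer."""
    inner = re.search(r'<a [^>]*>(.*)</a>', rendered, re.S).group(1)
    return re.search(r'<[a-zA-Z/!]', inner) is not None
```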