fix for issue #111

Sachin Maheshwari · Sachin Maheshwari · commit 8517705edf28 · 2021-03-10T18:46:50.000+05:30
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -11,7 +11,7 @@ install_dependency: &install_dependency
 install_deploysuite: &install_deploysuite
   name: Installation of install_deploysuite.
   command: |
-    git clone --branch v1.4.4 https://github.com/topcoder-platform/tc-deploy-scripts ../buildscript
+    git clone --branch v1.4.5 https://github.com/topcoder-platform/tc-deploy-scripts ../buildscript
     cp ./../buildscript/master_deploy.sh .
     cp ./../buildscript/buildenv.sh .
     cp ./../buildscript/awsconfiguration.sh .
diff --git a/build.sh b/build.sh
@@ -9,6 +9,7 @@ perl -pi -e "s/\{\{AUTH0DOMAIN\}\}/$AUTH0DOMAIN/g" $CONFFILENAME
 
 SIGNUPFILENAME="./web-assets/js/signup.js"
 perl -pi -e "s/\{\{DOMAIN\}\}/$DOMAIN/g" $SIGNUPFILENAME
+perl -pi -e "s/\{\{AUTH0DOMAIN\}\}/$AUTH0DOMAIN/g" $SIGNUPFILENAME
 
 
 mkdir dist
diff --git a/web-assets/js/signup.js b/web-assets/js/signup.js
@@ -46,7 +46,14 @@ $(document).ready(function () {
         if (result.result.status === 200 && result.result.content.valid) {
           $("#error").closest(".message").fadeOut();
           $("#error").html("");
-          $('#signup').attr('action', qs["formAction"]);
+          let formAction = qs["formAction"];
+          const opt1 = 'https://auth.{{DOMAIN}}/continue';
+          const opt2 = 'https://{{AUTH0DOMAIN}}/continue';
+          if (!formAction.startWith(opt1) && !formAction(opt2)) {
+            // looks like XSS attack
+            formAction = "#";
+          }
+          $('#signup').attr('action', formAction);
           $("#state").val(qs["state"]);
           $("#regSource").val(qs["regSource"]);
           $("#utmSource").val(qs["utmSource"]);
