Problem
The addHeader() method validates that the name is a non-empty string and that the value is a string, but does not check for CRLF characters (\r\n) in either the header name or value. Malicious or malformed input could potentially inject additional headers.
Current Validation
if (typeof name === "string") {
name = name.trim();
if (name.length > 0) {
if (typeof value === "string") {
this.customHeaders[name] = value;
}
}
}
Suggested Fix
Reject header names and values that contain \r, \n, or \0:
function isValidHeaderValue(str) {
return !/[\r\n\0]/.test(str);
}
Expected Outcome
addHeader("X-Custom\r\nEvil: injected", "value") should return false and log a warning
addHeader("X-Custom", "value\r\nEvil: injected") should return false and log a warning
Note
Modern browsers block this at the XHR level, but defense-in-depth is appropriate for a library.
Problem
The
addHeader()method validates that the name is a non-empty string and that the value is a string, but does not check for CRLF characters (\r\n) in either the header name or value. Malicious or malformed input could potentially inject additional headers.Current Validation
Suggested Fix
Reject header names and values that contain
\r,\n, or\0:Expected Outcome
addHeader("X-Custom\r\nEvil: injected", "value")should returnfalseand log a warningaddHeader("X-Custom", "value\r\nEvil: injected")should returnfalseand log a warningNote
Modern browsers block this at the XHR level, but defense-in-depth is appropriate for a library.