fix: XSS vulnerability in GraphiQL js_escape function

donleandro · donleandro · commit 23a0d5658d32 · 2026-04-03T16:30:13.000-06:00
The js_escape function only escaped newlines and single quotes but not backslashes. This allowed an attacker to bypass the escaping with a backslash before a quote (e.g. \'), breaking out of the JavaScript string context and executing arbitrary code. The fix escapes backslashes first (before other characters), and also handles carriage returns and </script> injection. Fixes #275
diff --git a/lib/absinthe/plug/graphiql.ex b/lib/absinthe/plug/graphiql.ex
@@ -395,8 +395,11 @@ defmodule Absinthe.Plug.GraphiQL do
 
   defp js_escape(string) do
     string
-    |> String.replace(~r/\n/, "\\n")
-    |> String.replace(~r/'/, "\\'")
+    |> String.replace("\\", "\\\\")
+    |> String.replace("'", "\\'")
+    |> String.replace("\n", "\\n")
+    |> String.replace("\r", "\\r")
+    |> String.replace("</", "<\\/")
   end
 
   defp handle_default_headers(config, conn) do
diff --git a/test/lib/absinthe/graphiql_test.exs b/test/lib/absinthe/graphiql_test.exs
@@ -232,6 +232,27 @@ defmodule Absinthe.Plug.GraphiQLTest do
     assert String.contains?(body, "defaultWebsocketUrl: ''")
   end
 
+  test "query parameter is properly escaped against XSS" do
+    opts = Absinthe.Plug.GraphiQL.init(schema: TestSchema)
+
+    # This payload would break out of a JS string if backslashes aren't escaped.
+    # Without the fix: xxx\');confirm(document.domain);// would close the string.
+    # With the fix: backslashes are escaped so the string stays intact.
+    xss_payload = "xxx\\');confirm(document.domain);//"
+
+    assert %{status: 200, resp_body: body} =
+             conn(:get, "/?query=#{URI.encode(xss_payload)}")
+             |> plug_parser
+             |> put_req_header("accept", "text/html")
+             |> Absinthe.Plug.GraphiQL.call(opts)
+
+    # The payload must NOT appear as unquoted JS code.
+    # With proper escaping, the backslash before the quote is escaped (\\'),
+    # so the quote doesn't close the string and the code never executes.
+    # We check that the escaped version is present (backslash is doubled).
+    assert String.contains?(body, "xxx\\\\\\');confirm")
+  end
+
   defp plug_parser(conn) do
     opts =
       Plug.Parsers.init(
