Potential fix for code scanning alert no. 22: Client-side cross-site scripting#86
EthanThePhoenix38 merged 1 commit into main
Conversation
…scripting Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Pull request overview
This PR addresses a client-side XSS vulnerability (code scanning alert #22) by implementing HTML escaping for user-controlled filename values before they are inserted into the DOM via innerHTML. The vulnerability exists because filenames derived from window.location.hash were being used directly in HTML templates without sanitization.
Changes:
- Added an escapeHtml() function to sanitize strings by escaping HTML special characters (&, <, >, ", ', /)
- Applied HTML escaping to the filename parameter in the loading message and error templates
- Used the sanitized filename in both text content and href attributes to prevent XSS injection
async function loadDoc(filename) {
  const safeFilename = escapeHtml(filename);
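Review bot: escapeHtml(filename) on this line is the right encoder for the innerHTML text node and the quoted href attribute, but it does not change what the value means once it reaches the GitHub API URL: the HTML parser decodes &#x2F; back to / before the href is resolved, so a value such as ../something or a document name that is not in docsNav passes through with the same meaning it had before escaping. Add the allowlist check before this line (return early or throw when filename is not one of the known documents) and keep escapeHtml for the display path; the two protect different sinks.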
While HTML escaping prevents XSS in the displayed content, the filename parameter still comes from user-controlled input (window.location.hash via init()) without validation. Consider adding explicit validation at the start of this function to ensure the filename matches one of the allowed documents. For example, you could define an allowlist of valid filenames (TECHNIQUE.md, READER_MODE_PLAN.md, SUPABASE_MIGRATION.md, ACTION_README.md) and reject any filename that's not in the list. This would provide defense in depth against potential SSRF or path traversal issues when constructing the GitHub API URL on line 413.
Potential fix for https://github.com/ThePhoenixAgency/AI-Pulse/security/code-scanning/22
In general, to fix this kind of issue you must ensure that any value deriving from user input (like window.location.hash) is either strictly validated against an allowlist of expected values or properly escaped before being written into HTML via innerHTML, document.write, or similar sinks. Here, the vulnerable usage is in the error template where $(unknown) is inserted into HTML.

The minimal, behavior-preserving fix is:
- Add an escaping helper that covers &, <, >, ", ', and / at least.
- Escape filename at the point where it is interpolated into the error message HTML (lines 418–422).
- Escaping filename for non-HTML contexts (like building the GitHub URL path) is not required, because the URL path is constrained by the existing logic via docsNav. However, to be extra defensive, we can also use the escaped version in the GitHub URL; escaping <, >, etc. is safe for URLs in HTML attributes.

Concretely:
- Add a helper escapeHtml(str) above loadDoc.
- In loadDoc, compute const safeFilename = escapeHtml(filename);.
- Use safeFilename instead of filename in the error HTML template literal (both in the visible text and the href attribute).

No external libraries are needed; the escaping function is simple and self-contained. All changes are within docs.html in the shown script block.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
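The fix Autofix describes, combined with the allowlist the earlier review comment asks for, as an added JavaScript example. This is not the AI-Pulse project's docs.html code. It assumes the four document names quoted in the review comment as the allowlist, a placeholder DOC_BASE_URL, and helper names (filenameFromHash, buildDocUrl, renderError, renderErrorUnsafe) that do not exist in the PR. It also goes one step beyond the PR: the URL path segment is percent-encoded with encodeURIComponent, because HTML entity escaping is undone by the parser before the href is resolved and therefore does not shape the URL at all.

```javascript
// Added example, not the project's own code. Two layers: an allowlist on the
// hash-derived filename (rejects anything unexpected before it reaches the DOM
// or the GitHub URL) and HTML escaping for the innerHTML sink as defense in depth.

// Only these documents may be loaded. The names come from the review comment;
// treating them as the complete set is an assumption.
const ALLOWED_DOCS = new Set([
  "TECHNIQUE.md",
  "READER_MODE_PLAN.md",
  "SUPABASE_MIGRATION.md",
  "ACTION_README.md",
]);

// Characters that can break out of an HTML text node or a quoted attribute.
// Slash is included as Autofix suggested; it is harmless in attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
  "/": "&#x2F;",
};

function escapeHtml(str) {
  return String(str).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Derive the filename from a location hash the way an init() routine would,
// then validate it. Returns null when the value is not on the allowlist.
function filenameFromHash(hash) {
  const name = hash.startsWith("#") ? hash.slice(1) : hash;
  return ALLOWED_DOCS.has(name) ? name : null;
}

// Placeholder base URL (assumption). HTML escaping is the wrong encoder for a
// URL path segment, so the segment is percent-encoded instead: "../x" becomes
// "..%2Fx" and cannot climb out of the intended directory.
const DOC_BASE_URL = "https://github.com/ThePhoenixAgency/AI-Pulse/blob/main/";
function buildDocUrl(filename) {
  return DOC_BASE_URL + encodeURIComponent(filename);
}

// Hardened error template, analogous to the one the PR fixes: the filename is
// escaped for the text node, and the whole href is escaped as attribute content.
function renderError(filename) {
  const safeFilename = escapeHtml(filename);
  const safeHref = escapeHtml(buildDocUrl(filename));
  return `<p>Could not load <a href="${safeHref}">${safeFilename}</a></p>`;
}

// The vulnerable "before" shape for comparison: raw interpolation into HTML.
function renderErrorUnsafe(filename) {
  return `<p>Could not load <a href="${DOC_BASE_URL}${filename}">${filename}</a></p>`;
}

// Constructed sample inputs: a legitimate hash and a payload that closes the
// attribute and the <a> tag, then injects an element, if interpolated raw.
const SAMPLES = {
  ok: "#TECHNIQUE.md",
  xss: '#"><img src=x onerror=alert(1)>',
};

// End-to-end flow a page would run: validate first, escape at the sink.
function loadDocMessage(hash) {
  const filename = filenameFromHash(hash);
  if (filename === null) {
    return "<p>Unknown document.</p>"; // constant string, nothing user-controlled
  }
  return renderError(filename);
}
```

Run with node; loadDocMessage returns a constant message for the payload hash, while renderErrorUnsafe shows what the page emitted before the fix.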