Modernized help UI prototype: Fix DOM-based XSS vulnerability#2677
Open
howlger wants to merge 1 commit into
Open
Modernized help UI prototype: Fix DOM-based XSS vulnerability#2677howlger wants to merge 1 commit into
howlger wants to merge 1 commit into
Conversation
Contributor
This vulnerability can be reproduced by creating a search scope with the following name:
scope1<video src=0 onloadstart=alert('XSS')>
This will cause an alert box to pop up, proving that the JavaScript code within the scope name will be executed.
Caused by:
The search scope configuration page is created dynamically via JavaScript: A button element is inserted into the DOM for each scope. However, the scope name is incorrectly set to the button as `innerHTML` rather than `textContent` or a child text node.
Type of vulnerability:
DOM-based or type-0 cross-site scripting (XSS)
See: https://owasp.org/www-community/attacks/DOM_Based_XSS
Attack vector:
The attacker tricks the user into entering a scope name, containing the malicious JavaScript code.
There was a problem hiding this comment.
Pull request overview
Fixes a DOM-based XSS in the modernized help UI’s search scope configuration by ensuring user-controlled scope names are inserted into the DOM as text rather than HTML.
Changes:
- Stop rendering custom scope names via
innerHTMLwhen building the scope list. - Render scope names via a text node (through the
createButton(..., text)path) to prevent script execution.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When the modernized help UI is activated, this vulnerability can be reproduced by creating a search scope with the following name:
scope1<video src=0 onloadstart=alert('XSS')>This will cause an alert box to pop up, proving that the JavaScript code within the scope name will be executed.
Caused by:
The search scope configuration page is created dynamically via JavaScript: A button element is inserted into the DOM for each scope. However, the scope name is incorrectly set to the button as
innerHTMLrather thantextContentor a child text node.Type of vulnerability:
DOM-based or type-0 cross-site scripting (XSS)
See: https://owasp.org/www-community/attacks/DOM_Based_XSS
Attack vector:
The attacker tricks the user into entering a scope name, containing the malicious JavaScript code.