Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: DOM text reinterpreted as HTML leading to self-XSS #633

Merged
merged 4 commits into from
Jan 3, 2025
Merged

fix: DOM text reinterpreted as HTML leading to self-XSS #633

merged 4 commits into from
Jan 3, 2025

Conversation

devanshbatham
Copy link
Contributor

@devanshbatham devanshbatham commented Jan 2, 2025
edited
Loading

Checklist:

Please also see an email I sent to possible-security-issue at freecodecamp dot org.

To fix this issue, we need to ensure that any user input is properly sanitized or escaped before being used in a context where it can be interpreted as HTML. In this case, we should use textContent instead of innerHTML to avoid interpreting the text as HTML. Additionally, we should ensure that the URL is properly encoded.

  • Replace urlDiv.innerHTML = url; with urlDiv.textContent = url; to prevent the text from being interpreted as HTML.
  • Ensure that the URL is properly encoded using encodeURIComponent for the query parameters.

devanshbatham and others added 2 commits January 2, 2025 14:55
@devanshbatham @github-advanced-security
fix: DOM text reinterpreted as HTML
20c7339 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@devanshbatham
Merge pull request #1 from devanshbatham/xss-fix
1187848 
Fix code scanning alert no. 9: DOM text reinterpreted as HTML
@devanshbatham devanshbatham requested a review from a team as a code owner January 2, 2025 09:34
ojeytonwilliams
ojeytonwilliams requested changes Jan 3, 2025
View reviewed changes
Copy link
Contributor

@ojeytonwilliams ojeytonwilliams left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @devanshbatham, thanks for addressing this issue. Could you take a look at the errors? Then we should be able to get this in.

devanshbatham
devanshbatham commented Jan 3, 2025
View reviewed changes
Copy link
Contributor Author

@devanshbatham devanshbatham left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it looks good to me!

@ojeytonwilliams
Copy link
Contributor

Sorry, I meant: could you fix the lint error? It should be enough to run prettier.

ojeytonwilliams
ojeytonwilliams approved these changes Jan 3, 2025
View reviewed changes
Copy link
Contributor

@ojeytonwilliams ojeytonwilliams left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I went ahead and formatted it and it seems fine now.

Thanks for the PR 👍

@ojeytonwilliams ojeytonwilliams merged commit 29ac0f2 into freeCodeCamp:main Jan 3, 2025
2 checks passed
@raisedadead raisedadead mentioned this pull request Jan 4, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ojeytonwilliams ojeytonwilliams ojeytonwilliams approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@devanshbatham @ojeytonwilliams