fix(security): 2 improvements across 1 files #624
Closed
aryanjsingh wants to merge 1 commit into offa:master from
Conversation
- Security: DOM-based XSS via Markdown Conversion
- Security: Missing Subresource Integrity on External Scripts

Signed-off-by: Aryan <140542415+aryanjsingh@users.noreply.github.com>
Problem

The page fetches a Markdown file from GitHub, converts it to HTML using marked.js, and injects the result directly into the DOM using .innerHTML. The marked.js library does not sanitize HTML by default. If the README.md file were compromised to include malicious HTML payloads (e.g., <script> tags or onerror event handlers), the code would be executed in the user's browser, leading to a Cross-Site Scripting (XSS) vulnerability. This could allow an attacker to steal user data, hijack sessions, or perform other malicious actions.

Severity: high
File: index.html

Solution

Sanitize the HTML generated by marked.parse() before assigning it to .innerHTML. Use a trusted and well-maintained HTML sanitization library like DOMPurify. You would first include the DOMPurify library and then change the line to: document.querySelector('main').innerHTML = DOMPurify.sanitize(marked.parse(data));

Changes

index.html (modified)

Testing