primal-web-app
Unsafe use of innerHTML and inadequate HTML sanitization
Security Incident Report
Executive Summary
This report outlines multiple security vulnerabilities found in the Primal Web App repository. The issues are primarily Cross-Site Scripting (XSS) vulnerabilities caused by unsafe use of innerHTML and inadequate HTML sanitization.
Detailed Findings
- HIGH: Dangerous dynamic HTML insert detected. [CWE-79]
  - File: primal-web-app/src/components/Toaster/Toaster.tsx
  - Line: 21
  - Code:
        toaster.innerHTML = message;
  - Recommendation: Use React's JSX to dynamically insert content, which automatically escapes HTML. Where a DOM node is written to directly, as here, assign textContent instead; the message is then stored as text rather than parsed as markup.
        // Replace
        toaster.innerHTML = message;
        // With
        toaster.textContent = message;

- HIGH: Dangerous dynamic HTML insert detected. [CWE-79]
  - File: primal-web-app/src/pages/EditProfile.tsx
  - Line: 72
  - Code:
        banner.innerHTML = `<div class="${styles.bannerPlaceholder}"></div>`;
  - Recommendation: Use React's JSX to create the banner.
        // Replace
        banner.innerHTML = `<div class="${styles.bannerPlaceholder}"></div>`;
        // With
        const bannerElement = <div className={styles.bannerPlaceholder}></div>;

- HIGH: Dangerous dynamic HTML insert detected. [CWE-79]
  - File: primal-web-app/src/pages/Profile.tsx
  - Line: 144
  - Code:
        banner.innerHTML = `<div class="${styles.bannerPlaceholder}"></div>`;
  - Recommendation: Similar to the above, use React's JSX.
        // Replace
        banner.innerHTML = `<div class="${styles.bannerPlaceholder}"></div>`;
        // With
        const bannerElement = <div className={styles.bannerPlaceholder}></div>;

- MEDIUM: Manual HTML sanitization detected. [CWE-79]
  - File: primal-web-app/src/lib/notes.tsx
  - Line: 25
  - Code:
        return html.replaceAll('<', '&lt;').replaceAll('>', '&gt;');
  - Recommendation: Use a well-tested library for HTML sanitization like DOMPurify. Replacing only the angle brackets escapes tag delimiters but leaves ampersands and quotes untouched, so it is neither a complete escape for text contexts nor a sanitizer for content that must be rendered as HTML.
        import DOMPurify from "dompurify";
        // Replace
        return html.replaceAll('<', '&lt;').replaceAll('>', '&gt;');
        // With
        return DOMPurify.sanitize(html);
Conclusion
The identified vulnerabilities should be addressed immediately to prevent potential security incidents. Adopting best practices for HTML sanitization and secure coding can mitigate these risks. 🤙🏻