jiffyreader.com
XSS vulnerability
The XSS vulnerability reported by @augustozanellato in https://github.com/ahrm/chrome-fastread/issues/10#issuecomment-1140411767 is also present on Jiffy reader.
The Chrome Store version does have this issue, but I tried with the latest master on the PoC, and the issue has been fixed; need to further confirm.
I have provided a hackish solution in that discussion, which uses a simple htmlescaper to prevent basic XSS. See more here. Let me know if anyone has a better solution!
Hackish would be making a function that sets innerText of a created element then gets its HTML; regex is not hackish.
Resources https://gomakethings.com/preventing-cross-site-scripting-attacks-when-using-innerhtml-in-vanilla-javascript/
I honestly am not even sure if there is a potential for an XSS attack.
Something like `<script>alert("asdf")</script>` always gets broken up and ends up like this.
In addition to that, this regex `\p{L}` searches for letters.
https://github.com/ansh/jiffyreader.com/blob/a265fca2e59df35533fddc3103919886f144f532/src/ContentScript/documentParser.js#L36
And as far as I know there is no way to compose an XSS attack with only special characters (but I might be wrong on this account) and not a single letter, because everything else (a mix of both) will be replaced with some custom `<br-bold>` elements in between.
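An added illustration of the escape-then-wrap approach discussed in this thread (example code, not the project's own): it splits text on `\p{L}` letter runs, wraps the first half of each run in `<br-bold>`, and HTML-escapes every original character before the result is handed to `innerHTML`. The tag name and the "bold the first half of each word" rule are assumptions taken from the discussion.

```javascript
// Added example, not from the jiffyreader.com code base. Assumes the
// <br-bold> element name and a "bold the first half of each word" rule.

// Minimal HTML escaper for text that will be inserted via innerHTML.
// Only the five characters that can open or close markup/attributes need
// escaping; letters are passed through unchanged.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Split the input into letter runs (\p{L}, as in the linked documentParser.js)
// and everything else. The capture group keeps the non-letter runs so the
// original characters are preserved, but escaped, in the output.
function toBionicHtml(text) {
  const parts = String(text).split(/(\p{L}+)/u);
  return parts
    .map((part) => {
      if (part === '') return '';
      if (/^\p{L}+$/u.test(part)) {
        const mid = Math.ceil(part.length / 2);
        return `<br-bold>${escapeHtml(part.slice(0, mid))}</br-bold>` + escapeHtml(part.slice(mid));
      }
      // Non-letter runs are where '<', '>' and quotes live: escape them.
      return escapeHtml(part);
    })
    .join('');
}

// Defensive check: the generated markup may contain <br-bold> tags and
// nothing else that a browser would parse as a tag.
function containsOnlyBrBold(html) {
  const tags = html.match(/<\/?[^>]+>/g) || [];
  return tags.every((t) => t === '<br-bold>' || t === '</br-bold>');
}

// Constructed sample input: ordinary text plus markup-like characters.
const sample = 'hello world <b>x</b>';
console.log(toBionicHtml(sample));
console.log('only br-bold tags:', containsOnlyBrBold(toBionicHtml(sample)));
```

Because the escaping happens per character run rather than by regex over the finished string, it does not depend on whether a given input is split by the letter regex or not.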
Closing as not a concern at the moment.
Any proof of a genuine vulnerability will necessitate a re-opening of this issue.