
Update navtree.js DOM text reinterpreted as HTML

Open Shivam7-1 opened this issue 9 months ago • 5 comments

By using textContent, it will avoid the risk of HTML injection, as these properties automatically escape any HTML special characters in the provided text. This helps prevent cross-site scripting (XSS) vulnerabilities by treating the input as plain text rather than interpreted HTML.

Shivam7-1 avatar Apr 26 '24 16:04 Shivam7-1

Hi @odbol, could you please review this PR? Thanks.

Shivam7-1 avatar Apr 26 '24 16:04 Shivam7-1

Hi @odbol or @andreasnilsson, could you please review this PR? Thanks.

Shivam7-1 avatar Apr 29 '24 13:04 Shivam7-1

Hi @odbol or @andreasnilsson, could you please review this PR? Thanks.

Shivam7-1 avatar May 05 '24 12:05 Shivam7-1

I'm not convinced this is actually a vulnerability. Can you please provide an example of how someone could inject XSS using this?

odbol avatar May 05 '24 15:05 odbol

Hi @odbol, thanks for reviewing the PR. Google bans use of assignment to innerHTML - with the exception of the empty string. That said, there's no harm in changing this.

However, textContent is vastly preferred over innerText or innerHTML: https://kellegous.com/j/2013/02/27/innertext-vs-textcontent/

https://builtin.com/software-engineering-perspectives/innerhtml-vs-innertext

Thanks

Shivam7-1 avatar May 05 '24 15:05 Shivam7-1
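
The rule quoted in the last comment (no assignment to innerHTML except the empty string) can be checked mechanically during review. The following is an added example, not code from this PR or from the project: a small regex-based check run over constructed sample lines. The function name `findInnerHtmlAssignments` and the identifiers in the sample are hypothetical and are not taken from navtree.js.

```javascript
// Added example: a line-oriented regex check, not a full JavaScript parser.
// It flags assignments to innerHTML unless the right-hand side is an empty
// string literal, which only clears the element.
const INNER_HTML_ASSIGN = /\.innerHTML\s*(\+?=)(?!=)\s*([^;\n]*)/g;
const EMPTY_STRING = /^(''|""|``)$/;

function findInnerHtmlAssignments(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    // Skip whole-line comments so documentation does not trigger the rule.
    if (/^\s*\/\//.test(text)) return;
    for (const match of text.matchAll(INNER_HTML_ASSIGN)) {
      const operator = match[1];
      const rhs = match[2].trim();
      // Plain assignment of '' is the one allowed form.
      if (operator === '=' && EMPTY_STRING.test(rhs)) continue;
      findings.push({ line: index + 1, operator, rhs });
    }
  });
  return findings;
}

// Constructed sample input (hypothetical identifiers).
const SAMPLE = [
  "const label = document.createElement('span');",
  "label.innerHTML = node.title;",                    // flagged: text parsed as HTML
  "container.innerHTML = '';",                        // allowed: clears the element
  "label.textContent = node.title;",                  // fine: text stays text
  "if (label.innerHTML === '') { return; }",          // comparison, not assignment
  "list.innerHTML += '<li>' + node.title + '</li>';", // flagged: append is also a write
].join('\n');

for (const f of findInnerHtmlAssignments(SAMPLE)) {
  console.log(`line ${f.line}: innerHTML ${f.operator} ${f.rhs}`);
}
```

Each finding is a candidate for replacement with `textContent` when the value is meant to be displayed as text; the check does not decide whether the assigned value is attacker-controlled.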