Update search.js DOM text reinterpreted as HTML
Using textContent avoids the risk of HTML injection, as these properties automatically escape any HTML special characters in the provided text. This helps prevent cross-site scripting (XSS) vulnerabilities by treating the input as plain text rather than interpreted HTML.
Hi @odbol, could you please review this PR? Thanks.
Hi @odbol or @andreasnilsson, could you please review this PR? Thanks.
Hi @odbol or @andreasnilsson, could you please review this PR? Thanks.
Hi @odbol, could you please review this PR? Thanks.
Hi @andreasnilsson, could you please review this PR? Thanks.
Hi Shivam, you still haven't shown how this is a vulnerability. Please show some evidence that this fix is necessary, by showing how an attacker can use the vulnerability to gain access. I'm pretty sure it's not possible with this code, because it is not accepting input from the user.
Also please do not keep spamming the issue with comments to look at the PR. Continued spamming will earn a block.