
Update create-html.ts DOM text reinterpreted as HTML

Open Shivam7-1 opened this issue 1 year ago • 7 comments

Using innerText avoids the risk of HTML injection, as this property automatically escapes any HTML special characters in the provided text. This helps prevent cross-site scripting (XSS) vulnerabilities by treating the input as plain text rather than interpreted HTML. Always be cautious when dealing with user input or dynamic content to prevent security risks.

Shivam7-1, Apr 17 '24 06:04

Hi @elalish, could you please review this PR? Regards

Shivam7-1, Apr 18 '24 13:04

Have you tested the docs pages with this change to verify nothing has regressed?

elalish, Apr 18 '24 16:04

Hi @elalish, thanks for replying. I think it shouldn't cause any issue. Regards

Shivam7-1, Apr 18 '24 16:04

I think it shouldn't cause any issue

This kind of sentiment makes me very nervous. Please provide screenshots.

elalish, Apr 18 '24 16:04

Hi @elalish, thanks for reviewing. It passes all tests as I checked here; the unit tests and the fidelity tests also. Regards

Shivam7-1, Apr 19 '24 15:04

Sorry, I may have been imprecise - the docs pages don't have automated tests - you have to manually look at them. What I mean is npm run serve and look at them to ensure they aren't broken.

elalish, Apr 19 '24 16:04

This PR would break this product since raw HTML would be printed on the user's screen.

NeilFraser, Apr 19 '24 18:04
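The thread illustrates a common mistake in XSS fixes: replacing innerHTML with innerText wholesale neutralizes injection, but it also stops the page from rendering the markup it intentionally produces, which is the objection raised above. The usual remedy is to keep trusted, authored markup as HTML and escape only the untrusted fragments interpolated into it. The following is an added example written for this page; it is not code from the PR or from model-viewer, and the names escapeHtml, safeHref, renderDocEntry, renderDocEntryUnsafe and the sample entry are all hypothetical. It builds the HTML as a string (so it runs in Node without a DOM) and includes a small regression check for the two payload shapes the sample carries.

```javascript
// Added example, not from the model-viewer PR. Escape untrusted text before
// interpolating it into trusted markup, instead of switching the whole
// render path to innerText. All names here are hypothetical.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can change element structure or break
// out of a quoted attribute value. Safe for text content and for use
// inside a double-quoted attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escaping does not make a URL safe: "javascript:alert(1)" survives
// escapeHtml untouched. Allow only http(s) (relative URLs resolve against
// a placeholder base and so count as https) and replace anything else.
function safeHref(href) {
  try {
    const u = new URL(href, 'https://example.invalid/');
    return u.protocol === 'https:' || u.protocol === 'http:' ? href : '#';
  } catch {
    return '#';
  }
}

// Hardened render: authored description markup is trusted and emitted
// as HTML; title and href came from outside and are escaped first.
function renderDocEntry({ trustedDescriptionHtml, untrustedTitle, untrustedHref }) {
  return (
    '<section class="entry">' +
    `<h3>${escapeHtml(untrustedTitle)}</h3>` +
    `<a href="${escapeHtml(safeHref(untrustedHref))}">source</a>` +
    `<div class="description">${trustedDescriptionHtml}</div>` +
    '</section>'
  );
}

// The "before": every field, trusted or not, is interpolated as HTML.
function renderDocEntryUnsafe({ trustedDescriptionHtml, untrustedTitle, untrustedHref }) {
  return (
    '<section class="entry">' +
    `<h3>${untrustedTitle}</h3>` +
    `<a href="${untrustedHref}">source</a>` +
    `<div class="description">${trustedDescriptionHtml}</div>` +
    '</section>'
  );
}

// Heuristic regression check, not a sanitizer: a raw <script> tag or an
// unescaped on*="..." attribute in the output means the escaping failed.
function containsInjectedMarkup(html) {
  return /<script\b/i.test(html) || /\son\w+="/i.test(html);
}

// Constructed sample entry: the title carries a script tag and the href
// tries to close the attribute and add an event handler.
const sampleEntry = {
  trustedDescriptionHtml: 'Sets the <code>src</code> attribute. See <a href="#src">src</a>.',
  untrustedTitle: 'src <script>alert(1)</script>',
  untrustedHref: 'x" onmouseover="alert(1)',
};

console.log(renderDocEntry(sampleEntry));
console.log('unsafe render injected markup:', containsInjectedMarkup(renderDocEntryUnsafe(sampleEntry)));
console.log('hardened render injected markup:', containsInjectedMarkup(renderDocEntry(sampleEntry)));
```

In a browser the same split maps onto DOM APIs directly: set `textContent` (or `innerText`) for the untrusted fields, and use `innerHTML` only for the trusted template. The point is that the split is per field, not per page, which is why a blanket innerText replacement both fixes and breaks the docs at the same time.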