
Fixes DOM text reinterpreted as HTML vulnerability detected by CodeQL #3527

Status: Open
Wants to merge 1 commit into base: develop

Conversation

@Onyx2406 commented Jun 20, 2023

Description

This fix creates jQuery objects for each HTML element and sets their attributes and text content separately, which ensures that no untrusted string can be interpreted as HTML. This way, even if inputId or $(this).text() are controlled by a user and contain malicious script, they will be treated as plain text and not executed as script, which prevents injection attacks.

Related issues and discussion

#3526

Screenshots, if any

(screenshot attached)

Checklist

Please make sure these boxes are checked before submitting your pull request - thanks!

  • [ ] Validate the JS and HTML files with grunt validate to detect errors and potential problems in JavaScript code.
    grunt validate is giving a network error ("grunt validate" giving network error #3519)

  • [ ] Run the tests by opening test/SpecRunner.html in the browser to make sure you didn't break anything.

  • If you have multiple commits please combine them into one commit by squashing them.

  • Read and understood the contribution guidelines at community-app/Contributing.md.
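The following is an added example, not code from the community-app project or from this pull request. It models the round trip that CodeQL's "DOM text reinterpreted as HTML" finding describes in plain Node.js, without a browser: decodeEntities() stands in for what $(el).text() returns from markup, and escapeHtml() stands in for the guarantee a browser gives when a node is built with .attr() and .text() rather than from a concatenated HTML string. The names buildLabelVulnerable, buildLabelSafe and looksInjected are hypothetical, as is the jQuery call $('<label>').attr('for', inputId).text(labelText), which is one way to do what the description above outlines; the sample markup is constructed for the demonstration.

```javascript
// Added example (not project code): models "DOM text reinterpreted as HTML"
// in Node.js. escapeHtml()/decodeEntities() stand in for what the browser and
// jQuery do; buildLabelVulnerable/buildLabelSafe/looksInjected are hypothetical.

// Decode the entities a browser decodes when exposing element text through
// .text(). Enough for the demonstration, not a general HTML parser.
function decodeEntities(markup) {
  return markup
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&'); // last, so "&amp;lt;" does not end up as "<"
}

// Escape a value so an HTML parser sees only character data. '&' goes first.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: decoded text and the id are spliced into an HTML string,
// i.e. $('<label for="' + inputId + '">' + labelText + '</label>').
// Text that was harmless entities in the page comes back as live markup.
function buildLabelVulnerable(inputId, labelText) {
  return '<label for="' + inputId + '">' + labelText + '</label>';
}

// Hardened pattern: the serialization a browser produces for
// $('<label>').attr('for', inputId).text(labelText). Both values stay
// character data, so neither can open a tag or break out of the attribute.
function buildLabelSafe(inputId, labelText) {
  return '<label for="' + escapeHtml(inputId) + '">' +
    escapeHtml(labelText) + '</label>';
}

// A label built from one id and one text should contain exactly two tag
// tokens (its own opening and closing tag) ...
function countTags(html) {
  const matches = html.match(/<[a-zA-Z\/]/g);
  return matches ? matches.length : 0;
}

// ... and exactly one quoted attribute on the opening tag. An attacker-chosen
// id such as dev" onmouseover="alert(1) turns into a second attribute when
// concatenated, but stays inside the for="..." value when escaped.
function countOpeningTagAttrs(html) {
  const open = html.match(/^<label([^>]*)>/);
  if (!open) return 0;
  const attrs = open[1].match(/\s[a-zA-Z-]+="[^"]*"/g);
  return attrs ? attrs.length : 0;
}

function looksInjected(html) {
  return countTags(html) !== 2 || countOpeningTagAttrs(html) !== 1;
}

// Constructed sample: an option whose visible text is an escaped <img> tag,
// exactly what a user could have typed into a stored field.
function demo() {
  const optionMarkup = '<option value="dev">&lt;img src=x onerror=alert(1)&gt;</option>';
  const labelText = decodeEntities(optionMarkup.replace(/<\/?option[^>]*>/g, ''));
  return {
    vulnerable: buildLabelVulnerable('dev', labelText),
    safe: buildLabelSafe('dev', labelText),
    vulnerableInjected: looksInjected(buildLabelVulnerable('dev', labelText)),
    safeInjected: looksInjected(buildLabelSafe('dev', labelText)),
  };
}

console.log(demo());
```

In the browser the hardened form needs no escapeHtml() call at all: .attr() and .text() set the attribute node and text node directly, and the serializer escapes when the DOM is turned back into markup. The string-based functions here only make that guarantee visible outside a browser.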
