Skip to content

Fix XSS vulnerability in inline scripts (Issue #218) #221

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Fix XSS vulnerability in inline scripts (Issue #218) #221

wants to merge 3 commits into from

Conversation

garland3
Copy link

Summary

  • escape literal </script> sequences in generated inline JavaScript to block injection
  • add a unittest-based test suite with coverage for the escaping behavior
  • hook the new tests into CI via the existing GitHub Actions workflow

Testing

  • ./tests/run_tests.sh

@garland3
Fix XSS vulnerability in inline scripts (Issue sandialabs#218)
6af3ced 
- Escape </script> sequences in generated JavaScript to prevent injection.
- Add unit test suite with test for script escaping.
- Integrate unit tests into CI/CD workflow.

Addresses security issue where user-controlled data could inject arbitrary script.
@garland3
Fix: validate hyperlink schemes to block unsafe URIs (Issue sandialab…
aff757c 
…s#219)

- Only allow http, https, mailto, ftp, or relative URLs in require.hyperlink
- Add unit tests for safe and unsafe schemes

Addresses security issue where javascript: and data: URIs could be used for injection.
@garland3
added the test file
9782e6c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@garland3