Description:
The Buy1Get1.js script dynamically renders product data (name, brand, image) directly into the DOM using innerHTML without properly escaping the input. An attacker with the ability to inject malicious HTML into product fields via the admin panel or database can execute arbitrary JavaScript in the browsers of users viewing the Deal's Collection.
Actual Behavior:
Product attributes like product.name and product.brand are embedded directly into a template literal assigned to div.innerHTML, causing the browser to parse and execute any HTML/JS payloads contained within them.
Expected Behavior:
All untrusted data rendered into the DOM must be sanitized or safely escaped (e.g., using AppUtils.escapeHTML()) before being assigned to innerHTML, or safe DOM APIs like textContent should be used.
Steps to Reproduce:
- Insert a product into the database with the name:
<img src=x onerror=alert('XSS_BOGO')>.
- Navigate to the Buy 1 Get 1 Deals page.
- The malicious script executes automatically as the product cards are loaded and appended to
elements.productContainer.
File(s):
frontend/scripts/Buy1Get1.js
Description:
The
Buy1Get1.jsscript dynamically renders product data (name, brand, image) directly into the DOM usinginnerHTMLwithout properly escaping the input. An attacker with the ability to inject malicious HTML into product fields via the admin panel or database can execute arbitrary JavaScript in the browsers of users viewing the Deal's Collection.Actual Behavior:
Product attributes like
product.nameandproduct.brandare embedded directly into a template literal assigned todiv.innerHTML, causing the browser to parse and execute any HTML/JS payloads contained within them.Expected Behavior:
All untrusted data rendered into the DOM must be sanitized or safely escaped (e.g., using
AppUtils.escapeHTML()) before being assigned toinnerHTML, or safe DOM APIs liketextContentshould be used.Steps to Reproduce:
<img src=x onerror=alert('XSS_BOGO')>.elements.productContainer.File(s):
frontend/scripts/Buy1Get1.js