π‘οΈ Sentinel: [HIGH] Fix XSS in markdown rendering#1252
Conversation
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
|
π Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a π emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
π¨ Severity: HIGH
π‘ Vulnerability: Missing HTML sanitization on the
marked.parseoutput insite/app.jswhen rendering user-provided Markdown notes could allow execution of embedded malicious scripts.π― Impact: A cross-site scripting (XSS) attack could execute arbitrary JavaScript in the context of the editor, potentially stealing session information or performing unauthorized actions.
π§ Fix: Wrapped the
marked.parseoutput withwindow.DOMPurify.sanitize(rendered, { ADD_ATTR: ['data-note-node', 'data-node'] })if DOMPurify is available. Also preserved the existing fallback logic of using a safe, regex-escaped string if DOMPurify isn't loaded (preventing a fail-open scenario).β Verification: Tested syntax with
node --check site/app.js. Ran tests viacargo test --workspaceandpnpm testinsidefd-vscode. Journaled the critical learning in.jules/sentinel.md.PR created automatically by Jules for task 1499804241110270739 started by @khangnghiem