Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .jules/sentinel.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,3 +14,8 @@
**Vulnerability:** Several `escapeHtml` implementations used DOM manipulation (`document.createElement('div').innerHTML`) or incomplete string replacement, failing to escape single and double quotes.
**Learning:** Incomplete escaping allows XSS payloads to break out of HTML attributes (e.g., `<input value="${escapeHtml(userInput)}">`).
**Prevention:** Always use `String(text)` cast combined with a comprehensive replace chain for `&`, `<`, `>`, `"`, and `'` (e.g., `&#039;`) in custom string escaping functions.

## 2026-07-06 - XSS vulnerability in Markdown rendering fallback
**Vulnerability:** The application was vulnerable to Cross-Site Scripting (XSS) when rendering user-provided Markdown notes due to missing HTML sanitization on the `marked.parse` output. A 'fail open' state could exist if fallback mechanisms returned unsanitized raw HTML.
**Learning:** When using external parsers like `marked.parse`, their raw output is inherently unsafe and requires sanitization. Furthermore, conditional sanitization (e.g. `window.DOMPurify ? sanitize(...) : fallback(...)`) MUST use a secure fallback mechanism such as regex-based HTML escaping rather than falling back to the raw unsanitized HTML.
**Prevention:** Always wrap dynamically rendered content with `DOMPurify.sanitize()` using required attribute allowlists. Ensure any fallback logic provides escaped text rather than unsanitized raw data to prevent 'fail open' scenarios.
2 changes: 1 addition & 1 deletion site/app.js
Original file line number Diff line number Diff line change
Expand Up @@ -2724,7 +2724,7 @@ function renderSpecsPanel() {

if (typeof marked !== 'undefined') {
const rendered = marked.parse(processedNote);
html += rendered;
html += window.DOMPurify ? window.DOMPurify.sanitize(rendered, { ADD_ATTR: ['data-note-node', 'data-node'] }) : `<pre>${processedNote.replace(/</g, '&lt;').replace(/>/g, '&gt;')}</pre>`;
} else {
html += `<pre>${processedNote.replace(/</g, '&lt;').replace(/>/g, '&gt;')}</pre>`;
}
Expand Down
Loading