refactor(settings-window.ts): dom xss vulnerability due to unescaped html in template literal #2023

Open

tang-vu wants to merge 1 commit into koala73:main from tang-vu:contribai/improve/quality/dom-xss-vulnerability-due-to-unescaped-h

Conversation

@tang-vu (Contributor) commented Mar 21, 2026

✨ Code Quality

Problem

User-controlled data from localStorage (key and panel.name) is interpolated directly into an HTML string and assigned via innerHTML without sanitization. This creates a DOM-based Cross-Site Scripting (XSS) vulnerability. The escapeHtml utility is explicitly imported at the top of the file but mistakenly left unused.

Severity: high
File: src/settings-window.ts

Solution

Wrap the interpolated variables with the imported escapeHtml function:

Changes

  • src/settings-window.ts (modified)

Summary

Type of change

  • Bug fix
  • New feature
  • New data source / feed
  • New map layer
  • Refactor / code cleanup
  • Documentation
  • CI / Build / Infrastructure

Affected areas

  • Map / Globe
  • News panels / RSS feeds
  • AI Insights / World Brief
  • Market Radar / Crypto
  • Desktop app (Tauri)
  • API endpoints (/api/*)
  • Config / Settings
  • Other:

Checklist

  • Tested on worldmonitor.app variant
  • Tested on tech.worldmonitor.app variant (if applicable)
  • New RSS feed domains added to api/rss-proxy.js allowlist (if adding feeds)
  • No API keys or secrets committed
  • TypeScript compiles without errors (npm run typecheck)

Screenshots


🤖 About this PR

This pull request was generated by ContribAI, an AI agent
that helps improve open source projects. The change was:

  1. Discovered by automated code analysis
  2. Generated by AI with context-aware code generation
  3. Self-reviewed by AI quality checks

If you have questions or feedback about this PR, please comment below.
We appreciate your time reviewing this contribution!

Closes #2022

…html in template literal

User-controlled data from `localStorage` (`key` and `panel.name`) is interpolated directly into an HTML string and assigned via `innerHTML` without sanitization. This creates a DOM-based Cross-Site Scripting (XSS) vulnerability. The `escapeHtml` utility is explicitly imported at the top of the file but mistakenly left unused.

Affected files: settings-window.ts
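The before/after pattern the PR describes, as an added example that is not the project's code: the panel shape, the markup and the body of escapeHtml are assumptions, and the poisoned settings object is constructed to show how markup stored in localStorage survives into the rendered string until it is escaped.

```typescript
// Added example, not src/settings-window.ts itself. Shows why interpolating
// localStorage-sourced values into a template literal that feeds innerHTML
// is a DOM XSS sink, and what wrapping them in escapeHtml changes.

interface PanelSetting {
  name: string;     // user-visible panel label, read back from localStorage
  enabled: boolean; // drives a constant "checked" attribute, never markup
}

// Assumed escapeHtml body: neutralise the five characters that can open a
// tag, close an attribute value, or start an entity. '&' goes first so the
// entities produced by the later replacements are not re-escaped.
function escapeHtml(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// "Before": key and panel.name land in the markup verbatim. Once this string
// is assigned to innerHTML, any tags or quote characters they carry are
// parsed as HTML rather than shown as text.
function renderRowUnsafe(key: string, panel: PanelSetting): string {
  return `<label class="setting-row">
  <input type="checkbox" data-panel="${key}" ${panel.enabled ? "checked" : ""}>
  <span>${panel.name}</span>
</label>`;
}

// "After": every user-sourced interpolation passes through escapeHtml. The
// boolean-driven "checked" token is a constant and needs no escaping.
function renderRowSafe(key: string, panel: PanelSetting): string {
  return `<label class="setting-row">
  <input type="checkbox" data-panel="${escapeHtml(key)}" ${panel.enabled ? "checked" : ""}>
  <span>${escapeHtml(panel.name)}</span>
</label>`;
}

// Constructed poisoned settings: a key that closes the data-panel attribute
// and a name carrying a tag, as something with write access to this origin's
// localStorage could store them. Attribute breakout and tag injection are
// shown with inert markup only.
const poisonedSettings: Record<string, PanelSetting> = {
  'news" data-x="': { name: "<b>news</b>", enabled: true },
};
```

Rendering the poisoned entry through renderRowUnsafe keeps the raw `<b>` tag and the extra `data-x` attribute; renderRowSafe turns them into `&lt;b&gt;` and `&quot;` so innerHTML shows them as text.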
vercel bot commented Mar 21, 2026

@tang-vu is attempting to deploy a commit to the Elie Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions bot added the trust:caution Brin: contributor trust score caution label Mar 21, 2026
@jrtorrez31337 (Collaborator) commented

Reviewed the diff. The fix is correct and complete.

The two lines changed are the only unescaped interpolations in the file that take user-sourced data. Lines 80-81 already use escapeHtml, and the boolean-driven class/checkbox values are constants, not user input. document.title on line 28 uses a text property, not innerHTML, so it's not a vector.

The attack path is narrow (requires prior localStorage poisoning) but this is a valid defense-in-depth fix consistent with the project's coding standard of escaping all output.

@tang-vu (Contributor, Author) commented Mar 22, 2026

Thanks for the review! Could a maintainer authorize the Vercel deployment so this can be merged?

@koala73 koala73 added High Value Meaningful contribution to the project Ready to Merge PR is mergeable, passes checks, and adds value labels Mar 26, 2026
Development

Successfully merging this pull request may close these issues.

fix(settings-window.ts): dom xss vulnerability due to unescaped html in template literal

3 participants