@rabail-aamir
Description

Fixes a cross-site scripting (XSS) vulnerability in the modal helper. The modal was previously constructed
using string templates and innerHTML, which allowed injected HTML (for example <script> tags or
onerror attributes) to execute. This change refactors the modal to build its DOM using the existing
elem() helper and document.createTextNode, so user-supplied strings are inserted as plain text and
cannot execute as HTML.

Files changed:

  • javascript/UI/modal.js — refactored to remove innerHTML and build modal via DOM APIs.

Motivation and context:
Using innerHTML with untrusted input opened the app to XSS when titles or content included malicious
markup. The refactor eliminates that attack vector while preserving the modal API. If callers require
rich HTML rendering, they should sanitize input first (e.g. DOMPurify) and pass a trusted DOM node.

Dependencies:

  • No new runtime dependencies were added. (If sanitized HTML is later required, consider adding DOMPurify.)

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation (update or new)

How Has This Been Tested?

Manual testing on the local development server (npm run server) at http://localhost:8000.
Verification performed by creating modals with safe strings and with known malicious payloads; observed that
malicious markup is rendered as inert text and no injected scripts or event handlers executed.

Before test: (screenshot)

After test: (screenshot)

Testing Checklist

  • Tested in latest Chrome (manual)
  • Tested in latest Safari (manual)
  • Tested in latest Firefox

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code in hard-to-understand areas
  • I have made corresponding changes to the documentation (if required)
  • My changes generate no new warnings
  • I have requested a review from ... on the Pull Request
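An added example, not the project's code, that puts the string-template modal described above beside a version built the way the PR describes (an `elem()` helper plus `document.createTextNode`). The `elem(tag, attrs, ...children)` signature is an assumption, and `document` here is a minimal shim so the example runs under Node rather than a browser.

```javascript
// Escape the characters that would otherwise open a tag or attribute when text is printed as markup.
const esc = (s) => String(s)
  .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');

// Constructed stand-in for the few DOM methods the safe builder needs, so this runs under Node.
const document = {
  createElement(tagName) {
    return {
      nodeType: 1, tagName, attrs: {}, children: [],
      setAttribute(name, value) { this.attrs[name] = String(value); },
      appendChild(child) { this.children.push(child); return child; },
    };
  },
  createTextNode(text) { return { nodeType: 3, data: String(text) }; },
};

// Print a node tree as a browser would: text-node data is escaped, so a '<' in user input never becomes a tag.
function serialize(node) {
  if (node.nodeType === 3) return esc(node.data);
  const attrs = Object.entries(node.attrs).map(([k, v]) => ` ${k}="${esc(v)}"`).join('');
  const inner = node.children.map(serialize).join('');
  return `<${node.tagName}${attrs}>${inner}</${node.tagName}>`;
}

// Hypothetical elem(tag, attrs, ...children) helper: string children become text nodes, never markup.
function elem(tag, attrs = {}, ...children) {
  const el = document.createElement(tag);
  for (const [name, value] of Object.entries(attrs)) el.setAttribute(name, value);
  for (const child of children) {
    el.appendChild(typeof child === 'string' ? document.createTextNode(child) : child);
  }
  return el;
}

// BEFORE: the string template that used to be assigned to innerHTML, returned as a string so it can be inspected.
function modalMarkupUnsafe(title, content) {
  return `<div class="modal"><h2>${title}</h2><p>${content}</p></div>`;
}
// AFTER: the modal built from nodes; title and content can only ever land in text nodes.
function buildModalSafe(title, content) {
  return elem('div', { class: 'modal' }, elem('h2', {}, title), elem('p', {}, content));
}
// Count element nodes in a tree: the safe modal always holds exactly the three it creates, whatever the input.
function countElements(node) {
  if (node.nodeType !== 1) return 0;
  return 1 + node.children.reduce((n, child) => n + countElements(child), 0);
}
// Constructed payload of the kind the description mentions (an onerror attribute); under innerHTML it would become an <img> element.
const PAYLOAD = '<img src=x onerror=alert(1)>';
```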

Collaborator

@Oliver-Quail Oliver-Quail left a comment

Hi @rabail-aamir,
Great PR. I tested and see that it works.
I approve this PR.
