Fix: sanitize innerHTML to prevent stored DOM-based XSS #312
Open
namann5 wants to merge 1 commit into
Apply escapeHTML() to all user-influenced data (item.image, item.name, item.description, item.category) before rendering via innerHTML. The escapeHTML() function was already defined in sanitization.js but never used. Fixes Stored XSS where localStorage data (chaatRecentlyViewed, chaatCart, chaatOrders) is rendered unsanitized through createCard(), renderCart(), renderOrdersList(), and search suggestions.
Summary

Applies `escapeHTML()` to all user-influenced data before rendering through `innerHTML`. The `escapeHTML()` utility already existed in `js/sanitization.js` but was never used throughout the application, leaving multiple persistent XSS injection points.

Vulnerabilities Fixed

Location | Field | Source
-- | -- | --
createCard() (line 102) | item.image, item.name, item.description | localStorage (chaatRecentlyViewed), menu.json
renderCart() (line 284) | item.image, item.name | localStorage (chaatCart)
renderOrdersList() (line 428) | ci.item.name | localStorage (chaatOrders)
Search suggestions (line 719) | item.category | menu.json

Attack Scenario
An attacker capable of writing to `localStorage` (e.g. via malicious browser extensions, shared/public systems, or supply-chain compromise) can inject arbitrary HTML/JavaScript into item fields that are later rendered unsafely through `innerHTML`. This results in persistent XSS across multiple pages of the application.
Proof of Concept
Fixes Applied
- Escaped all user-influenced values using `escapeHTML()`
- Sanitized: `item.image`, `item.name`, `item.description`, `item.category`
- Escaped `item.name` and `item.description` before passing them into `highlightText()` to prevent HTML injection through search highlighting
- Sanitized dynamic `aria-label` attributes used in cart action buttons

Security Impact
Prevents persistent DOM-based XSS through:
- localStorage JSON-fed UI rendering
- Search suggestion rendering
- Dynamic attribute injection
Relates to #311
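As an added illustration of the pattern this PR describes (example code written for this page, not the project's `js/sanitization.js` or the diff in this PR), the JavaScript below renders localStorage-fed item data into HTML strings with an `escapeHTML()` helper used in both text and attribute contexts, highlights search matches without letting the highlight step reintroduce markup, and adds a URL-scheme check for `item.image`, which HTML escaping alone does not cover. The function names other than `escapeHTML`/`createCard`/`highlightText`, the placeholder image path, and the constructed cart entry are assumptions.

```javascript
// Added example: escape-before-innerHTML for localStorage-fed item data.
// Not the project's code; helper names, the placeholder path and the sample
// cart entry are assumed for illustration.

// HTML-escape a value for use as element text or inside a double-quoted attribute.
function escapeHTML(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value ?? '').replace(/[&<>"']/g, (ch) => map[ch]);
}

const PLACEHOLDER_IMAGE = 'img/placeholder.png'; // assumed fallback path

// Escaping stops attribute break-out but not dangerous URL schemes (javascript:,
// data:). Allow only relative paths and absolute http(s) URLs for item.image.
function safeImageURL(url) {
  const s = String(url ?? '').trim();
  const scheme = s.match(/^([a-z][a-z0-9+.-]*):/i);
  if (scheme && !/^https?$/i.test(scheme[1])) return PLACEHOLDER_IMAGE;
  if (s.startsWith('//')) return PLACEHOLDER_IMAGE; // protocol-relative: arbitrary host
  return s;
}

// Vulnerable shape: untrusted fields interpolated straight into markup.
function createCardUnsafe(item) {
  return `<div class="card"><img src="${item.image}" alt="${item.name}">` +
    `<h3>${item.name}</h3><p>${item.description}</p></div>`;
}

// Hardened shape: every interpolation escaped, image URL scheme-checked first,
// and the dynamic aria-label escaped like any other attribute value.
function createCard(item) {
  const src = escapeHTML(safeImageURL(item.image));
  return `<div class="card"><img src="${src}" alt="${escapeHTML(item.name)}">` +
    `<h3>${escapeHTML(item.name)}</h3><p>${escapeHTML(item.description)}</p>` +
    `<button aria-label="Remove ${escapeHTML(item.name)} from cart">Remove</button></div>`;
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Search highlighting that cannot inject markup: match on the raw text, escape
// each segment separately, and emit only the <mark> tags this function produces.
// Escaping per segment also avoids splitting an entity such as &amp; when the
// query would match inside the escaped form of the text.
function highlightText(text, query) {
  const raw = String(text ?? '');
  if (!query) return escapeHTML(raw);
  const re = new RegExp(escapeRegExp(String(query)), 'gi');
  let out = '';
  let last = 0;
  for (const m of raw.matchAll(re)) {
    out += escapeHTML(raw.slice(last, m.index));
    out += '<mark>' + escapeHTML(m[0]) + '</mark>';
    last = m.index + m[0].length;
  }
  return out + escapeHTML(raw.slice(last));
}

// Render a cart from the JSON string that would sit under localStorage["chaatCart"].
// Tolerates tampered or non-array storage by rendering nothing.
function renderCartHTML(storedJSON) {
  let items;
  try { items = JSON.parse(storedJSON); } catch { items = []; }
  if (!Array.isArray(items)) items = [];
  return items.map(createCard).join('');
}

// Constructed sample: a cart entry an attacker with localStorage write access could plant.
const SAMPLE_CART_JSON = JSON.stringify([{
  image: 'img/samosa.jpg" onerror="alert(1)',
  name: '<img src=x onerror=alert(1)>',
  description: 'Tom & Jerry\'s "special"',
}]);

console.log(createCardUnsafe(JSON.parse(SAMPLE_CART_JSON)[0])); // live <img onerror=...>
console.log(renderCartHTML(SAMPLE_CART_JSON));                   // inert, entity-encoded
console.log(highlightText('Paneer & Chaat <3', 'chaat'));
```

The output of `createCard()` is what would be assigned to `innerHTML`; the escaped string displays the attacker's payload as literal text instead of creating an element. `highlightText()` here escapes inside the function rather than expecting pre-escaped input as the PR does; either order is safe as long as the highlighter only ever emits its own `<mark>` tags and never re-parses the text it is given.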