Conversation

@NoumaanAhamed (Collaborator)

Copilot AI review requested due to automatic review settings, January 6, 2026 07:03

Copilot AI (Contributor) left a comment

Pull request overview

This PR attempts to fix an XSS vulnerability in the Magnific Popup library by changing how the prependTo configuration option is handled. However, the implementation contains critical issues that prevent it from achieving its security goal.

Key Changes

  • Replaced document.querySelector() approach with jQuery .find() method for element selection
  • Simplified error handling by removing try-catch block
  • Added inline comment explaining the security intent


Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.


@rtBot (Contributor) commented Jan 6, 2026

Unable to PHPCS or SVG scan one or more files due to error running PHPCS/SVG scanner:

  • app/assets/js/vendors/magnific-popup.js

The error may be temporary. If the error persists, please contact a human (commit-ID: 6da3f99).

Code scanning alert on the changed lines:

    // Only allow DOM elements or jQuery objects
    if (appendToEl instanceof HTMLElement) {
        $appendToEl = $(appendToEl);
    }

Check warning: Code scanning / CodeQL: Unsafe jQuery plugin (Medium). Potential XSS vulnerability in the '$.fn.magnificPopup' plugin.
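A hardened resolver for a prependTo-style option, added here to illustrate the kind of check the CodeQL alert is asking for; it is not Magnific Popup's code and not this PR's change. It assumes a document-like `root` that exposes `querySelector`, and its HTML-detection regex mirrors the one in jQuery's `init()`, which you should confirm against the jQuery version actually in use.

```javascript
// Added example, not Magnific Popup's code or this PR's diff.
// A string given to $() is parsed as HTML when it starts with "<" and ends
// with ">", or when it matches rquickExpr below (the rule from jQuery's
// init(); assumed to match the jQuery version in use). Such a string must
// never reach $(): it is markup, not a selector.
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

function jqueryWouldParseAsHtml(str) {
  if (str.length >= 3 && str[0] === "<" && str[str.length - 1] === ">") {
    return true;
  }
  const m = rquickExpr.exec(str);
  return Boolean(m && m[1]);
}

// Duck-typed checks so the example runs without a DOM or jQuery.
function isElement(v) {
  return Boolean(v) && v.nodeType === 1;
}
function isJQueryObject(v) {
  return Boolean(v) && typeof v.jquery === "string";
}

// Resolve a prependTo-style option to one element or throw.
// Strings are used only as selectors via root.querySelector(), never
// passed to $(), so attacker-influenced markup is rejected up front.
function resolveContainer(value, root) {
  if (isElement(value)) return value;
  if (isJQueryObject(value)) {
    if (!isElement(value[0])) throw new TypeError("prependTo: empty jQuery object");
    return value[0];
  }
  if (typeof value === "string") {
    if (jqueryWouldParseAsHtml(value)) {
      throw new TypeError("prependTo: markup is not accepted, pass a selector or element");
    }
    const el = root.querySelector(value);
    if (!isElement(el)) throw new TypeError("prependTo: no element matches " + value);
    return el;
  }
  throw new TypeError("prependTo: expected an element, a jQuery object or a selector");
}

// Constructed stand-in for `document`: a flat selector-to-element map.
function makeFakeRoot(selectorMap) {
  return { querySelector: (sel) => selectorMap[sel] || null };
}
```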

