[feature] 7 #130
[feature] 7 #130
Conversation
…date notification center to handle persistent message types.
…inRoomMembers service, introduce MaintainRoomMembersJob, and update notification handling in Loco module.
…t JSON data handling for room list in the frontend.
…a handling in frontend, and streamline room rendering logic, fixes
…entries for users already in the room.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
|
||
| const renderRoom = (room) => { | ||
| const tbody = document.querySelector("#rooms_list tbody"); | ||
| tbody.insertAdjacentHTML("beforeend", roomTmpl(room)); |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium test
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 16 days ago
To fix the issue, we need to ensure that any data used to generate HTML is properly sanitized or escaped to prevent XSS vulnerabilities. The best approach is to escape the dynamic content in the roomTmpl function before it is inserted into the DOM. This can be achieved by creating a utility function to escape HTML special characters (<, >, &, ", ') and applying it to all dynamic values in the template.
Changes to be made:
- Add a utility function to escape HTML special characters.
- Update the
roomTmplfunction to use the escape function for all dynamic content.
| @@ -7,7 +7,16 @@ | ||
|
|
||
| const escapeHTML = (str) => { | ||
| return String(str) | ||
| .replace(/&/g, "&") | ||
| .replace(/</g, "<") | ||
| .replace(/>/g, ">") | ||
| .replace(/"/g, """) | ||
| .replace(/'/g, "'"); | ||
| }; | ||
|
|
||
| const roomTmpl = ({ id, name, members_count, joined }) => { | ||
| return ` | ||
| <tr id="room_${id}"> | ||
| <td>${name}</td> | ||
| <td class="members">${members_count}</td> | ||
| <tr id="room_${escapeHTML(id)}"> | ||
| <td>${escapeHTML(name)}</td> | ||
| <td class="members">${escapeHTML(members_count)}</td> | ||
| <td> | ||
| @@ -16,3 +25,3 @@ | ||
| data-method="patch" | ||
| href="${joined ? `/user/rooms/${id}/leave` : `/user/rooms/${id}/join`}" | ||
| href="${joined ? `/user/rooms/${escapeHTML(id)}/leave` : `/user/rooms/${escapeHTML(id)}/join`}" | ||
| > | ||
| @@ -25,3 +34,3 @@ | ||
| data-confirm="R U sure?" | ||
| href="/user/rooms/${id}" | ||
| href="/user/rooms/${escapeHTML(id)}" | ||
| > |
| const reRenderRoom = (roomId) => { | ||
| const room = rooms.find(r => r.id === roomId); | ||
| const node = document.getElementById(`room_${roomId}`); | ||
| node.innerHTML = roomTmpl(room); |
Check warning
Code scanning / CodeQL
DOM text reinterpreted as HTML Medium test
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 16 days ago
To fix the issue, we need to ensure that any data inserted into the DOM is properly sanitized or escaped to prevent XSS attacks. Instead of using innerHTML to insert the HTML string generated by roomTmpl, we can use DOM manipulation methods to create and append elements safely. This approach avoids interpreting the data as HTML and ensures that any special characters are treated as plain text.
The changes involve:
- Refactoring the
roomTmplfunction to return a DOM element instead of an HTML string. - Updating the
renderRoomandreRenderRoomfunctions to use the newroomTmplimplementation.
No description provided.