🛡️ Sentinel: [CRITICAL] Fix attribute-based XSS in HTML escaping #1237
khangnghiem wants to merge 1 commit into
Conversation
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add an emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task.
🚨 Severity: CRITICAL

💡 Vulnerability: The custom HTML escaping function (`escHtml`) in `site/layers.js` failed to cast inputs correctly using `String()` and entirely missed escaping single quotes (`'`).

🎯 Impact: This allowed attribute-based Cross-Site Scripting (XSS). If user-controlled input containing a single quote was fed into this function and rendered inside an HTML attribute (e.g. `data-node-id='@userInput'`), the attacker could break out of the attribute and inject malicious event handlers or structural elements, leading to arbitrary JavaScript execution.

🔧 Fix: Added `String()` casting to ensure inputs are handled correctly, and added string replacement to escape single quotes (`'`) as an HTML entity within the `escHtml` function. Appended a journal entry logging the pattern.

✅ Verification: Ran `grep` to verify the patch and `node --check` to confirm syntax correctness. Ran `vitest` in `fd-vscode` where similar fixes were made to ensure no regressions. Code review returned `#Correct#`.

PR created automatically by Jules for task 4045965761129508026 started by @khangnghiem
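To make the attribute-context point concrete, here is an added example (not the project's `site/layers.js` code, and not the patch itself): a minimal escaping helper with the two defects the description names, beside a corrected form, and a check that a value rendered into a single-quoted `data-node-id` attribute stays confined to that attribute. The function names `escHtmlWeak`, `escHtml`, `renderNode` and `attributeIntact`, and the sample input `O'Reilly`, are constructed for this illustration.

```javascript
// Added example, not code from the project. It models the defect described
// in the PR (no String() cast, single quote never escaped) and its fix.

// Weak form: assumes a string (a number or null throws on .replace) and
// leaves the single quote alone, so a single-quoted attribute can be closed early.
function escHtmlWeak(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Hardened form: cast first so non-string inputs are handled rather than
// throwing, then escape the five characters that matter in text and attribute
// contexts. '&' must go first so later entities are not double-escaped.
function escHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Render the attribute the way the PR description shows it: single-quoted.
function renderNode(id, esc) {
  return `<div data-node-id='${esc(id)}'></div>`;
}

// Defensive check: the rendered markup must be exactly one div whose
// data-node-id value contains no raw single quote. A false result means the
// value was able to terminate the attribute, which is the XSS precondition.
function attributeIntact(html) {
  return /^<div data-node-id='([^']*)'><\/div>$/.test(html);
}

// Constructed sample input: a harmless value that happens to contain a quote.
const sample = "O'Reilly";

console.log('weak    :', renderNode(sample, escHtmlWeak), attributeIntact(renderNode(sample, escHtmlWeak)));
console.log('hardened:', renderNode(sample, escHtml), attributeIntact(renderNode(sample, escHtml)));
console.log('number  :', escHtml(42)); // the String() cast makes non-strings safe to escape
```

Running it prints the weak rendering with the attribute closed after `O`, flagged as not intact, and the hardened rendering `data-node-id='O&#39;Reilly'`, flagged as intact. The `attributeIntact` regex is a test-time check for this one template, not a general HTML validator; in a real test suite the same assertion belongs beside every template that interpolates user input into an attribute.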