A DOM-based XSS vulnerability exists due to the use of .html(message) without proper sanitization. If the message variable can be influenced by an attacker, arbitrary HTML or JavaScript code could be injected and executed in the victim's browser.
Impact:
An attacker could inject malicious scripts that would execute in the context of the victim’s session, leading to potential session hijacking, defacement, or phishing attacks.
Steps to Reproduce:
Find a way to control or inject content into the message variable.
Inject a payload like <script>alert('XSS')</script>.
Observe the JavaScript code being executed.
Recommendation:
Replace .html(message) with .text(message) to safely display user-provided data without interpreting it as HTML.
Alternatively, sanitize message before using it with .html(), for example using a library like DOMPurify.
$('#sync_progress').show().html(DOMPurify.sanitize(message)).css('color', 'inherit');
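As an added review-side check (not code from the PR or the project), the heuristic below scans JavaScript source for jQuery .html(...) sinks whose argument is not a plain string literal, which is the pattern in the finding above; .text(...) calls are not sinks and an argument wrapped in DOMPurify.sanitize(...) is accepted, matching the two remediations recommended. The sample source lines are constructed, and the matcher is a regex heuristic rather than a JavaScript parser.

```javascript
// Matches .html( <arg> ), allowing one level of nested parentheses in <arg>
// so that DOMPurify.sanitize(message) is captured as a single argument.
const HTML_SINK = /\.html\(\s*((?:[^()]|\([^()]*\))*?)\s*\)/g;

// A bare single- or double-quoted string literal (no concatenation, no
// template literal) cannot carry user-controlled content.
function isStringLiteral(arg) {
  return /^(['"])(?:(?!\1).)*\1$/.test(arg);
}

// DOMPurify.sanitize(...) is treated as an accepted sanitizer, as in the
// recommendation above (assumption: the wrapper is applied directly).
function isSanitized(arg) {
  return /^DOMPurify\.sanitize\(/.test(arg);
}

// Returns one finding per unsafe sink: { line, arg, fix }.
// An empty argument is the jQuery getter form and reads nothing into the DOM.
function findUnsafeHtmlSinks(source) {
  const findings = [];
  source.split('\n').forEach((text, i) => {
    HTML_SINK.lastIndex = 0;
    let m;
    while ((m = HTML_SINK.exec(text)) !== null) {
      const arg = m[1].trim();
      if (arg === '' || isStringLiteral(arg) || isSanitized(arg)) continue;
      findings.push({ line: i + 1, arg, fix: `.text(${arg})` });
    }
  });
  return findings;
}

// Constructed sample: the line from the finding, the two recommended fixes,
// a static literal, and a getter call. Only the first line should be flagged.
const SAMPLE_SOURCE = [
  "$('#sync_progress').show().html(message).css('color', 'inherit');",
  "$('#sync_progress').show().text(message).css('color', 'inherit');",
  "$('#sync_progress').show().html(DOMPurify.sanitize(message)).css('color', 'inherit');",
  "$('#title').html('<b>Sync</b>');",
  "var current = $('#sync_progress').html();",
].join('\n');

const SAMPLE_FINDINGS = findUnsafeHtmlSinks(SAMPLE_SOURCE);
```

Concatenated strings and template literals are flagged as well, since either can carry attacker-influenced data into the sink.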
Description
Please include a summary of the changes and the related issue.
Please also include relevant motivation and context.
List any dependencies that are required for this change.
Type of change
Please delete options that are not relevant.
Checklist
Changelog entry
One-line entry to be surfaced in changelog.txt.
Test Plan
Please describe the tests that you ran to verify your changes.
Provide instructions so we can reproduce.
Please also list any relevant details for your test configuration.
Screenshots
Please provide screenshots or snapshots of the system/state both before and after implementing the changes, if appropriate.
Before
After