Build the library browser alert toast with DOM methods to avoid DOM XSS#3054
Open
xcompass wants to merge 1 commit into
Open
Build the library browser alert toast with DOM methods to avoid DOM XSS#3054xcompass wants to merge 1 commit into
xcompass wants to merge 1 commit into
Conversation
drgrice1
reviewed
Jul 13, 2026
drgrice1
left a comment
Member
There was a problem hiding this comment.
I was a bit lazy when I implemented this and used innterHTML. It would be better to remove that entirely and build the HTML with document.createElement rather than using innterHTML and then querySelector to find the contents.
The alertToast helper in the library browser interpolated its title and msg arguments directly into an innerHTML template, letting DOM text be reinterpreted as HTML (CodeQL js/xss-through-dom). Build the toast with document.createElement instead and assign the title and message with textContent, so caller-supplied strings are always treated as text. This matches the toast construction already used in htdocs/js/TagWidget.
309af66 to
9b7c626
Compare
Member
Author
|
Done — removed the |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The
alertToasthelper inhtdocs/js/SetMaker/setmaker.js(the library browser) interpolated itstitleandmsgarguments directly into aninnerHTMLtemplate. All current callers pass plain text, but several of those strings incorporate server-provided content (e.g. RPC error messages), and interpolating DOM text intoinnerHTMLlets it be reinterpreted as HTML. CodeQL flags this pattern as ajs/xss-through-domalert.Per review, this now removes the
innerHTMLusage entirely: the toast is built withdocument.createElementand the title and message are assigned withtextContent, so caller-supplied strings are always treated as text and can never be parsed as markup. The construction mirrors the toast already built this way inhtdocs/js/TagWidget/tagwidget.js.The separate
alertToastinhtdocs/js/GatewayQuiz/gateway.jsis intentionally left alone — it renders HTML from server-controlled data attributes by design.Testing
node --check htdocs/js/SetMaker/setmaker.jspasses (Node 20).prettier --checkon the modified file passes (matches the check-formats CI workflow).