Zt/launch updates#4
⚠️ 2 New Security Findings
The latest commit contains 2 new security findings.
Findings Note: 2 findings are displayed as inline comments.
Not a finding? Ignore it by adding a comment on the line with just the word noboost.
Scanner: boostsecurity - Semgrep
| btn.type = 'button'; | ||
| btn.className = 'copy-btn'; | ||
| btn.setAttribute('aria-label', 'Copy to clipboard'); | ||
| btn.innerHTML = COPY_SVG + '<span>Copy</span>'; |
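Review bot: The flagged `btn.innerHTML = COPY_SVG + '<span>Copy</span>';` on the last quoted line concatenates two string literals only, and `COPY_SVG` is a constant declared in the same IIFE (visible in the remediation below), so no user-controlled data reaches this sink and the CWE-79 classification does not apply as written; the identical line quoted in the second finding has the same status. Accepting the DOM-construction rewrite is still reasonable as sink removal, since it leaves the copy-button code with no HTML parsing at all should the label ever become dynamic. The place where untrusted text does enter this feature appears to be `extract(block)`, which walks `block.childNodes`, and whatever the click handler then does with that text; neither is shown in the quoted lines, so that is where review attention belongs. The enclosing function starts and ends outside the quoted lines.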
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Original Rule ID: html_generic_rule_reflected_xss
Details
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
The HTML template contains potentially dangerous patterns where user-controlled variables
may be executed in unsafe contexts. This includes: (1)
document.write() or eval() calls within
<script> blocks that process unescaped template variables, (2) DOM manipulation via
.innerHTML or .outerHTML properties, which can execute embedded scripts, (3) CSS
<style> blocks using legacy :expression() syntax or template interpolation, (4) template variables in backticks, which enable template literal injection, and (5)
unescaped template variables in URL attributes (href, src, action, data, http-equiv, style,
background-image), which can enable
javascript: protocol handlers or data URIs containing scripts. These patterns bypass template auto-escaping and create Cross-Site Scripting (XSS)
vulnerabilities where attackers can execute arbitrary JavaScript in victims' browsers.
AI Remediation
The vulnerability was a real XSS risk due to the use of innerHTML to inject SVG markup. The fix replaces innerHTML with safe DOM construction methods (createElementNS, createElement, setAttribute, appendChild, and textContent), which ensure that content is treated as DOM structure rather than parsed HTML, eliminating any possibility of script injection. The now-unused COPY_SVG HTML string variable was also removed.
At line 1358, do the following changes:
// Copy-to-clipboard on every code block
(function () {
- var COPY_SVG = '<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><rect x="9" y="9" width="11" height="11" rx="2"/><path d="M5 15V5a2 2 0 0 1 2-2h10"/></svg>';
-
function extract(block) {
var lines = [''];
block.childNodes.forEach(function (node) {At line 1389, do the following changes:
btn.type = 'button';
btn.className = 'copy-btn';
btn.setAttribute('aria-label', 'Copy to clipboard');
- btn.innerHTML = COPY_SVG + '<span>Copy</span>';
+ var iconNS = 'http://www.w3.org/2000/svg';
+ var svg = document.createElementNS(iconNS, 'svg');
+ svg.setAttribute('viewBox', '0 0 24 24');
+ svg.setAttribute('fill', 'none');
+ svg.setAttribute('stroke', 'currentColor');
+ svg.setAttribute('stroke-width', '2');
+ svg.setAttribute('stroke-linecap', 'round');
+ svg.setAttribute('stroke-linejoin', 'round');
+ var rect = document.createElementNS(iconNS, 'rect');
+ rect.setAttribute('x', '9');
+ rect.setAttribute('y', '9');
+ rect.setAttribute('width', '11');
+ rect.setAttribute('height', '11');
+ rect.setAttribute('rx', '2');
+ svg.appendChild(rect);
+ var path = document.createElementNS(iconNS, 'path');
+ path.setAttribute('d', 'M5 15V5a2 2 0 0 1 2-2h10');
+ svg.appendChild(path);
+ btn.appendChild(svg);
+ var labelSpan = document.createElement('span');
+ labelSpan.textContent = 'Copy';
+ btn.appendChild(labelSpan);
wrap.appendChild(btn);
btn.addEventListener('click', function () {| btn.type = 'button'; | ||
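Review bot: The SVG construction added at lines 44–62 of this suggestion is inlined into the per-button code path, while the sibling suggestion for the mirrored file (the hunk at line 750 below) factors the same statements into a `createCopySvg()` helper; the two files should converge on the helper form so the icon has one definition to maintain. For this suggestion that means moving the `iconNS`/`svg`/`rect`/`path` statements into `function createCopySvg() { … return svg; }` beside `extract` and reducing the button code to `btn.appendChild(createCopySvg());`, which also keeps the per-block callback short. Removing `COPY_SVG` at line 35 is safe only if nothing else in the IIFE references it; the suggestion does not show the rest of that scope, so confirm before applying. The click-handler setup at the last line continues past the end of the hunk.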
| btn.className = 'copy-btn'; | ||
| btn.setAttribute('aria-label', 'Copy to clipboard'); | ||
| btn.innerHTML = COPY_SVG + '<span>Copy</span>'; |
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Original Rule ID: html_generic_rule_reflected_xss
Details
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
The HTML template contains potentially dangerous patterns where user-controlled variables
may be executed in unsafe contexts. This includes: (1)
document.write() or eval() calls within
<script> blocks that process unescaped template variables, (2) DOM manipulation via
.innerHTML or .outerHTML properties, which can execute embedded scripts, (3) CSS
<style> blocks using legacy :expression() syntax or template interpolation, (4) template variables in backticks, which enable template literal injection, and (5)
unescaped template variables in URL attributes (href, src, action, data, http-equiv, style,
background-image), which can enable
javascript: protocol handlers or data URIs containing scripts. These patterns bypass template auto-escaping and create Cross-Site Scripting (XSS)
vulnerabilities where attackers can execute arbitrary JavaScript in victims' browsers.
AI Remediation
The fix replaces the innerHTML assignment with safe DOM construction methods (createElement, createElementNS, appendChild, and textContent). Although the original innerHTML used only hardcoded string constants (making it technically a false positive), replacing it with DOM APIs eliminates the innerHTML sink entirely, which is a security best practice that prevents any future risk if the code evolves. The SVG icon is now built programmatically via createElementNS and the label text via textContent, preserving identical visual behavior.
At line 750, do the following changes:
// Copy-to-clipboard on every code block (mirrors index.html behavior)
(function () {
- var COPY_SVG = '<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><rect x="9" y="9" width="11" height="11" rx="2"/><path d="M5 15V5a2 2 0 0 1 2-2h10"/></svg>';
+ function createCopySvg() {
+ var svgNS = 'http://www.w3.org/2000/svg';
+ var svg = document.createElementNS(svgNS, 'svg');
+ svg.setAttribute('viewBox', '0 0 24 24');
+ svg.setAttribute('fill', 'none');
+ svg.setAttribute('stroke', 'currentColor');
+ svg.setAttribute('stroke-width', '2');
+ svg.setAttribute('stroke-linecap', 'round');
+ svg.setAttribute('stroke-linejoin', 'round');
+ var rect = document.createElementNS(svgNS, 'rect');
+ rect.setAttribute('x', '9'); rect.setAttribute('y', '9');
+ rect.setAttribute('width', '11'); rect.setAttribute('height', '11');
+ rect.setAttribute('rx', '2');
+ svg.appendChild(rect);
+ var path = document.createElementNS(svgNS, 'path');
+ path.setAttribute('d', 'M5 15V5a2 2 0 0 1 2-2h10');
+ svg.appendChild(path);
+ return svg;
+ }
function extract(block) {
var lines = [''];At line 774, do the following changes:
btn.type = 'button';
btn.className = 'copy-btn';
btn.setAttribute('aria-label', 'Copy to clipboard');
- btn.innerHTML = COPY_SVG + '<span>Copy</span>';
+ btn.appendChild(createCopySvg());
+ var labelSpan = document.createElement('span');
+ labelSpan.textContent = 'Copy';
+ btn.appendChild(labelSpan);
wrap.appendChild(btn);
btn.addEventListener('click', function () {
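Review bot: `createCopySvg()` introduced at line 93 of this suggestion has no comment explaining why the icon is assembled node by node instead of from a string, so a later maintainer is likely to "simplify" it back into an `innerHTML` assignment and re-trigger the scanner. Suggest a header comment such as `// Build the clipboard icon as DOM nodes rather than an HTML string so the copy button has no innerHTML sink.` The paired `rect.setAttribute(...)` calls at lines 103–104 also put two statements on one line, unlike every other line in the helper and unlike the inlined version in the sibling suggestion; one statement per line keeps the two files consistent. The click-handler setup at the last line continues past the end of the hunk.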
Staging changes for public release