🛡️ Sentinel: [HIGH] Fix XSS vulnerability in DescriptionPreview#28
🛡️ Sentinel: [HIGH] Fix XSS vulnerability in DescriptionPreview#28
Conversation
Fixes an XSS vulnerability where HTML rendered from the backend (or generated locally via BBCode conversion) was injected directly into the DOM via \`dangerouslySetInnerHTML\` without being sanitized. Now correctly uses \`isomorphic-dompurify\` to sanitize the HTML before rendering. Co-authored-by: bobdivx <6737167+bobdivx@users.noreply.github.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request delivers a critical security enhancement by resolving a high-severity Cross-Site Scripting (XSS) vulnerability within the Highlights
🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request addresses a Cross-Site Scripting (XSS) vulnerability in the DescriptionPreview component by integrating isomorphic-dompurify to sanitize HTML content. The sanitizePreviewHtml function now uses DOMPurify.sanitize() after removing residual placeholder sequences. The package.json and package-lock.json files have been updated to include the new dependency and reflect other dependency changes. A new markdown file, .jules/sentinel.md, documents the vulnerability, lessons learned, and prevention strategies. A review comment suggests explicitly configuring DOMPurify options for improved security and clarity.
| function sanitizePreviewHtml(html: string): string { | ||
| return html.replace(/\{\}/g, ''); | ||
| const cleaned = html.replace(/\{\}/g, ''); | ||
| return DOMPurify.sanitize(cleaned); |
There was a problem hiding this comment.
While DOMPurify.sanitize() provides robust protection against XSS by default, it's good practice to explicitly configure its options (e.g., ALLOWED_TAGS, ALLOWED_ATTR) to precisely match the expected and allowed HTML content. This provides an additional layer of defense and makes the security policy explicit, preventing unintended allowances if DOMPurify's defaults change or if specific application requirements are stricter.
1 participant
🚨 Severity: HIGH
💡 Vulnerability: Cross-Site Scripting (XSS) vulnerability was found in
src/components/upload/DescriptionPreview.tsx. The component useddangerouslySetInnerHTMLto render HTML provided directly from an API endpoint, removing only{}sequences, meaning malicious<script>tags orjavascript:links could bypass validation.🎯 Impact: An attacker could craft a malicious tracker description containing XSS payloads which would execute code in the context of the frontend app when viewed by the user.
🔧 Fix: Installed and imported
isomorphic-dompurify, which is applied to sanitize the input strings before they are injected intodangerouslySetInnerHTML.✅ Verification: Verified that XSS vectors like
<img src="javascript:alert(1)">are successfully stripped without breaking formatting. Build and test suite pass successfully. Added a note to.jules/sentinel.md.PR created automatically by Jules for task 6447510616318228540 started by @bobdivx