fix(ui): use textContent for security banner layer labels

Was ``div.innerHTML = `<span>${label}</span>...` `` with label coming
from an event field. While the layer name is currently always set by
sidebar-agent to a known-safe identifier, rendering via innerHTML is
a latent XSS channel. Switch to document.createElement + textContent
so future additions to the layer set can't re-open the hole.

Caught by pre-landing review.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Garry Tan
2026-04-20 07:17:07 +08:00
parent 9bbfa26597
commit 461a6e6b18
+8 -1
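--- a/<file path not shown on page>
+++ b/<file path not shown on page>
@@ -156,7 +156,14 @@ function showSecurityBanner(event) {
 const score = Number(row.confidence).toFixed(2);
 const div = document.createElement('div');
 div.className = 'security-banner-layer';
-div.innerHTML = `<span class="security-banner-layer-name">${label}</span><span class="security-banner-layer-score">${score}</span>`;
+const nameSpan = document.createElement('span');
+nameSpan.className = 'security-banner-layer-name';
+nameSpan.textContent = label;
+const scoreSpan = document.createElement('span');
+scoreSpan.className = 'security-banner-layer-score';
+scoreSpan.textContent = score;
+div.appendChild(nameSpan);
+div.appendChild(scoreSpan);
 layersEl.appendChild(div);
 }
 }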
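Review bot: The new span construction is correct, but nothing in the code itself records that textContent was a deliberate choice, so a later tidy-up could fold the two appendChild calls back into a template string and reopen the channel the commit message describes. Add a short comment above the `const nameSpan` line, e.g. `// textContent, not innerHTML: label originates from an event field and must never be parsed as markup`. Separately, the context line `const score = Number(row.confidence).toFixed(2);` renders the literal string "NaN" into the banner when confidence is absent or non-numeric; if that input can occur (not visible from this hunk), a `Number.isFinite` guard with a fallback such as "–" would be clearer to the user. The enclosing function and the loop this block sits in both begin before the hunk, so whether other label-bearing fields of `event` are rendered the same way elsewhere in showSecurityBanner cannot be confirmed here.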