🛡️ Sentinel: [HIGH] Fix XSS vulnerability in citation add modal#24
🛡️ Sentinel: [HIGH] Fix XSS vulnerability in citation add modal#24aicoder2009 wants to merge 2 commits intomainfrom
Conversation
Sanitized the generated citation HTML in `src/components/wiki/citation-add-modal.tsx` using `isomorphic-dompurify` before passing it to `dangerouslySetInnerHTML`. This prevents a Cross-Site Scripting (XSS) vulnerability. Co-authored-by: aicoder2009 <[email protected]>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
This PR addresses a high-severity XSS risk in the wiki “Add Citation” modal by sanitizing dynamically generated citation HTML before rendering it via dangerouslySetInnerHTML, aligning the modal’s behavior with existing sanitization patterns used elsewhere in the app.
Changes:
- Add
isomorphic-dompurifyusage to sanitizegeneratedCitation.htmlbefore rendering inCitationAddModal. - Update
.jules/sentinel.mdto document the vulnerability and the prevention approach.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/components/wiki/citation-add-modal.tsx | Sanitizes the citation preview HTML with DOMPurify before injecting into the DOM. |
| .jules/sentinel.md | Updates internal security log entry describing the issue and prevention guidance. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
🚨 Severity: HIGH
💡 Vulnerability: Cross-Site Scripting (XSS) was possible because
dangerouslySetInnerHTMLwas rendering dynamically generated HTML without sanitizing it first in theCitationAddModal.🎯 Impact: If an attacker crafted a malicious URL, DOI, or manual citation that returned malicious script tags in the generated HTML, it would execute in the user's browser, potentially leading to session hijacking, data theft, or unauthorized actions.
🔧 Fix: Imported
DOMPurifyfromisomorphic-dompurifyand usedDOMPurify.sanitize(generatedCitation.html)to strip any potentially dangerous script tags before it is rendered to the DOM, effectively preventing the XSS payload from executing. This matches the patterns already used in other components likeSortableCitation.✅ Verification:
pnpm lintandpnpm test:run- all pass.DOMPurify.sanitize()is correctly applied indangerouslySetInnerHTML.PR created automatically by Jules for task 9143635708794283471 started by @aicoder2009