8 changes: 4 additions & 4 deletions .jules/sentinel.md
@@ -1,4 +1,4 @@
## 2025-02-28 - [XSS via unsanitized dangerouslySetInnerHTML]
**Vulnerability:** The application was passing unvalidated HTML variables, specifically `citation.formattedHtml`, to React's `dangerouslySetInnerHTML` prop in multiple components (`src/components/wiki/sortable-citation.tsx`, `src/app/cite/page.tsx`, `src/app/share/[code]/page.tsx`).
**Learning:** This is a classic pattern for Cross-Site Scripting (XSS). If a citation's contents originated from an untrusted source or were maliciously formatted, an attacker could execute arbitrary scripts in a user's session when the citation is rendered.
**Prevention:** Always sanitize any untrusted or dynamic HTML before rendering it in React. In a Next.js (SSR) application, use a library like `isomorphic-dompurify` to safely strip malicious scripts from the HTML payload on both the client and server side without hydration errors.
## 2024-05-18 - [Fix XSS Vulnerability in Citation Add Modal]
**Vulnerability:** A Cross-Site Scripting (XSS) vulnerability was found in `src/components/wiki/citation-add-modal.tsx` where user-controlled HTML (`generatedCitation.html`) was rendered directly via React's `dangerouslySetInnerHTML` without sanitization.
**Learning:** Even when generating HTML from an internal process, it's critical to sanitize the output, particularly when the underlying text fields are populated from external user inputs (like citation fields which originate from user-submitted URLs or manual entry). The application already had `isomorphic-dompurify` available for this purpose but missed applying it in this one specific modal.
**Prevention:** Always use a standard sanitization library (like DOMPurify) when setting `__html` in `dangerouslySetInnerHTML`. Ensure UI components handling potentially untrusted or dynamically generated HTML are audited regularly for missing sanitization steps.
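Review bot: this hunk (-1,4 +1,4) replaces the existing 2025-02-28 sentinel entry instead of adding the new entry next to it, so the earlier learning about `citation.formattedHtml` being passed to `dangerouslySetInnerHTML` in `sortable-citation.tsx`, `cite/page.tsx` and `share/[code]/page.tsx` disappears from the log. The new entry is also dated 2024-05-18, earlier than the entry it removes, which looks like a wrong date. Suggest keeping both entries in date order, for example prepending `## 2025-02-28 - [XSS via unsanitized dangerouslySetInnerHTML]` back above or below the new heading with its original body intact, and rechecking the date of the new entry.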
3 changes: 2 additions & 1 deletion src/components/wiki/citation-add-modal.tsx
@@ -1,6 +1,7 @@
"use client";

import { useEffect, useRef, useState } from "react";
import DOMPurify from "isomorphic-dompurify";
import { WikiButton } from "./wiki-button";
import { formatCitation } from "@/lib/citation";
import { buildCitationFields } from "@/lib/citation/build-fields";
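Review bot: the new `import DOMPurify from "isomorphic-dompurify";` in a `"use client"` component is fine; since the sentinel entry says the package is already available in the project, just confirm it is declared as a direct dependency in the project's own manifest rather than resolved transitively, so the import cannot silently break on a dependency update.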
@@ -266,7 +267,7 @@ export function CitationAddModal({
</p>
<p
className="text-wiki-text leading-relaxed"
dangerouslySetInnerHTML={{ __html: generatedCitation.html }}
dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(generatedCitation.html) }}
/>
</div>
)}
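Review bot: `DOMPurify.sanitize(generatedCitation.html)` on the `__html` line is the right fix, but it runs with the default configuration on every render. Consider restricting the output to the markup a formatted citation actually needs via an explicit allowlist, e.g. `DOMPurify.sanitize(generatedCitation.html, { ALLOWED_TAGS: [...], ALLOWED_ATTR: [...] })`, so a future change to the citation formatter cannot widen what reaches the DOM, and wrapping the call in `useMemo` keyed on `generatedCitation.html` so the sanitizer is not re-run on unrelated re-renders. The same sanitize-before-render pattern should be applied at the other `dangerouslySetInnerHTML` sites named in the sentinel log, which this commit does not touch.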