From accf6efdf38a3c339a7a240b642bd67f9c118871 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 30 Apr 2026 12:25:11 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]=20Fi?= =?UTF-8?q?x=20XSS=20vulnerability=20in=20CitationAddModal?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Added `isomorphic-dompurify` to `CitationAddModal`. - Wrapped `dangerouslySetInnerHTML` output with `DOMPurify.sanitize()` to mitigate Cross-Site Scripting (XSS). - Documented findings in `.jules/sentinel.md`. Co-authored-by: aicoder2009 <127642633+aicoder2009@users.noreply.github.com> --- .jules/sentinel.md | 5 +++++ src/components/wiki/citation-add-modal.tsx | 3 ++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/.jules/sentinel.md b/.jules/sentinel.md index a5eb1dd..91a2bd0 100644 --- a/.jules/sentinel.md +++ b/.jules/sentinel.md 
@@ -2,3 +2,8 @@ **Vulnerability:** The application was passing unvalidated HTML variables, specifically `citation.formattedHtml`, to React's `dangerouslySetInnerHTML` prop in multiple components (`src/components/wiki/sortable-citation.tsx`, `src/app/cite/page.tsx`, `src/app/share/[code]/page.tsx`). **Learning:** This is a classic pattern for Cross-Site Scripting (XSS). If a citation's contents originated from an untrusted source or were maliciously formatted, an attacker could execute arbitrary scripts in a user's session when the citation is rendered. **Prevention:** Always sanitize any untrusted or dynamic HTML before rendering it in React. In a Next.js (SSR) application, use a library like `isomorphic-dompurify` to safely strip malicious scripts from the HTML payload on both the client and server side without hydration errors. + +## 2026-04-30 - [XSS via unsanitized dangerouslySetInnerHTML in CitationAddModal] +**Vulnerability:** The `CitationAddModal` component in `src/components/wiki/citation-add-modal.tsx` was passing `generatedCitation.html` to React's `dangerouslySetInnerHTML` prop without sanitization. +**Learning:** This is an ongoing pattern in this codebase where dynamic HTML (e.g., formatted citations) is rendered unsanitized, posing a significant Cross-Site Scripting (XSS) risk if the source data is ever maliciously manipulated or derived from untrusted inputs. +**Prevention:** All instances of `dangerouslySetInnerHTML` in the application must be explicitly wrapped with `DOMPurify.sanitize()` (via `isomorphic-dompurify`), even for preview components. This ensures defense-in-depth against XSS. diff --git a/src/components/wiki/citation-add-modal.tsx b/src/components/wiki/citation-add-modal.tsx index 1088f01..3ed526c 100644 --- a/src/components/wiki/citation-add-modal.tsx +++ b/src/components/wiki/citation-add-modal.tsx 
@@ -1,6 +1,7 @@ "use client"; import { useEffect, useRef, useState } from "react"; +import DOMPurify from "isomorphic-dompurify"; import { WikiButton } from "./wiki-button"; import { formatCitation } from "@/lib/citation"; import { buildCitationFields } from "@/lib/citation/build-fields"; @@ -266,7 +267,7 @@ export function CitationAddModal({

)}
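Review bot: the new Prevention paragraph in the `.jules/sentinel.md` hunk makes "wrap every `dangerouslySetInnerHTML` with `DOMPurify.sanitize()`" the whole policy, yet the same entry calls this "an ongoing pattern in this codebase", which is the argument for fixing the source and enforcing the sink rule mechanically rather than by documentation. The entry should record where `generatedCitation.html` comes from (`formatCitation` from `@/lib/citation`, imported a few lines below) and whether that formatter escapes user-controlled fields such as titles and author names; if it does not, output escaping in the formatter is the primary fix and `DOMPurify.sanitize()` at the sink is the defense-in-depth layer the entry describes, not the only control. To stop the pattern recurring, suggest enabling the `react/no-danger` rule from eslint-plugin-react (with documented exemptions for the sanitized sinks) and running `grep -rn dangerouslySetInnerHTML src/` once now to confirm the three components named in the earlier entry plus this modal are the complete list. Wording nit: "posing a significant Cross-Site Scripting (XSS) risk if the source data is ever maliciously manipulated or derived from untrusted inputs" leaves the severity hypothetical; state whether citation fields are user-editable today, since that is what justifies the [HIGH] rating in the subject line.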
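Review bot: the `import DOMPurify from "isomorphic-dompurify";` hunk adds a dependency without any `package.json` or lockfile change in this patch (the diffstat lists only `.jules/sentinel.md` and `src/components/wiki/citation-add-modal.tsx`), so either the package was already installed by the earlier fix recorded in `sentinel.md` or this import fails at build time; please confirm which. Style point: importing `DOMPurify` into each component and calling `sanitize()` with default options scatters the policy across sinks; a single shared helper (for example a `sanitizeCitationHtml()` next to `formatCitation` in `@/lib/citation`, with an explicit allow-list of the tags the formatter emits, such as `<i>`, `<b>` and `<a>`) would let every sink apply the same rules and keep any config change in one place. The choice of the isomorphic build is right for this file: `"use client"` components are still server-rendered by Next.js, so the sanitizer must produce identical output on both sides, as the earlier sentinel entry already notes.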
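Review bot: the body of the `@@ -266,7 +267,7 @@ export function CitationAddModal({` hunk is not visible in this copy of the patch (only the closing `)}` survived), so the actual sanitize call cannot be reviewed here; the diffstat shows one line replaced in this file besides the import, which implies a single-line call with default options. Two things to check against the real hunk: first, that the sanitized string is what reaches `__html` and the original `generatedCitation.html` no longer does (the commit message describes the form `dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(generatedCitation.html) }}`); second, that DOMPurify's default allow-list does not strip markup the preview legitimately relies on (italicised titles, links), since silently dropped tags would make the modal preview differ from the saved citation rendered in `sortable-citation.tsx` and the share page. Sanitizing inside JSX also re-runs on every re-render of the modal; if the preview updates as the user types, compute the sanitized string once where `generatedCitation` is produced and render that.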