🛡️ Sentinel: [HIGH] Fix XSS vulnerability in citation add modal#51
🛡️ Sentinel: [HIGH] Fix XSS vulnerability in citation add modal#51aicoder2009 wants to merge 2 commits intomainfrom
Conversation
- Wraps `generatedCitation.html` in `src/components/wiki/citation-add-modal.tsx` with `DOMPurify.sanitize()` before passing it to `dangerouslySetInnerHTML`. - This prevents a Cross-Site Scripting (XSS) vulnerability when rendering citations generated from potentially untrusted metadata via the URL/DOI lookup APIs. Co-authored-by: aicoder2009 <127642633+aicoder2009@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
Addresses an XSS vector in the wiki “Add Citation” modal by sanitizing generated citation HTML before rendering it via dangerouslySetInnerHTML, aligning this modal with existing sanitization patterns used elsewhere in the app.
Changes:
- Import
DOMPurify(isomorphic-dompurify) inCitationAddModal. - Sanitize
generatedCitation.htmlbefore passing it todangerouslySetInnerHTML. - Document the new finding/fix in
.jules/sentinel.md.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/components/wiki/citation-add-modal.tsx | Sanitizes citation preview HTML to prevent XSS when rendering lookup-generated citation markup. |
| .jules/sentinel.md | Records the vulnerability pattern and prevention guidance for future reference. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
🚨 Severity: HIGH
💡 Vulnerability: Unsanitized HTML (
generatedCitation.html) from URL/DOI metadata lookups was being directly injected into the DOM via React'sdangerouslySetInnerHTMLinsrc/components/wiki/citation-add-modal.tsx.🎯 Impact: An attacker could craft a malicious webpage, DOI, or ISBN metadata payload containing a script tag. When a user looks up that URL/DOI, the malicious script would execute in the user's browser, potentially stealing session tokens or performing actions on their behalf (Cross-Site Scripting).
🔧 Fix: Imported
DOMPurifyfromisomorphic-dompurifyand wrapped thegeneratedCitation.htmloutput inside thedangerouslySetInnerHTMLblock withDOMPurify.sanitize(). This safely strips malicious scripts before rendering.✅ Verification: Run
pnpm testandpnpm lint. Try generating a citation manually using a known benign source and verify the UI preview works.PR created automatically by Jules for task 9822196814946918382 started by @aicoder2009