27 changes: 27 additions & 0 deletions index.html
@@ -0,0 +1,27 @@
<!doctype html>
<html>
<head>
<meta charset="utf-8" />
<title>Vulnerable XSS Test Page (Local test)</title>
</head>
<body>
<h1>Vulnerable Testt</h1>

Copilot AI Sep 25, 2025

There's a typo in the heading text. 'Testt' should be 'Test'.

Suggested change
<h1>Vulnerable Testt</h1>
<h1>Vulnerable Test</h1>

Copilot uses AI. Check for mistakes.

Copilot AI Jan 22, 2026

The word "Testt" contains a spelling error with an extra 't' at the end. It should be "Test".

Suggested change
<h1>Vulnerable Testt</h1>
<h1>Vulnerable Test</h1>


<form id="f">
<label>Enter...:</label>
<input id="input" name="q" />
<button type="submit">dcdcdcd</button>
</form>

<div id="out"></div>

<script>
const form = document.getElementById('f');
form.addEventListener('submit', (ev) => {
ev.preventDefault();
const q = document.getElementById('input').value;

Copilot AI Sep 25, 2025

This code is vulnerable to XSS attacks as it directly inserts user input into innerHTML without sanitization. For a test page demonstrating vulnerabilities, this is intentional, but consider adding a comment explaining this is the vulnerable behavior being demonstrated.

Suggested change
const q = document.getElementById('input').value;
const q = document.getElementById('input').value;
// WARNING: This is intentionally vulnerable code for XSS demonstration purposes.
// Do NOT use this pattern in production. Always sanitize user input before inserting into innerHTML.

document.getElementById('out').innerHTML = q;

Check warning

Code scanning / CodeQL: DOM text reinterpreted as HTML (Medium)

DOM text is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix (AI, 4 months ago)

To prevent DOM-based XSS, you should never assign untrusted user input directly to innerHTML. Instead, use a method that treats the input as plain text. In the case of this example, replacing innerHTML with either textContent or ensuring output is properly escaped before assignment is safest.
The best way to fix this specific issue:

  • Change line 23 from document.getElementById('out').innerHTML = q; to document.getElementById('out').textContent = q;.

This change ensures that any characters in q with HTML significance (such as <, >, &) will be rendered as text, not interpreted as markup or script.

No new imports or library dependencies are required for this fix.


Suggested changeset 1: index.html

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/index.html b/index.html
--- a/index.html
+++ b/index.html
@@ -20,7 +20,7 @@
     form.addEventListener('submit', (ev) => {
       ev.preventDefault();
       const q = document.getElementById('input').value;
-      document.getElementById('out').innerHTML = q;
+      document.getElementById('out').textContent = q;
     });
   </script>
 </body>
EOF
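Review bot: this autofix replaces the only sink on a page whose title is "Vulnerable XSS Test Page (Local test)", so applying `-      document.getElementById('out').innerHTML = q;` / `+      document.getElementById('out').textContent = q;` removes the exact behaviour the fixture exists to exercise. Decide first whether index.html is meant to be the vulnerable fixture or the fixed reference; if both are wanted, keep them as two separate files rather than applying this patch to the fixture. The hunk itself is correct: `textContent` assigns the string as a text node, so `<`, `>` and `&` in `q` are not parsed as markup.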
Copilot is powered by AI and may make mistakes. Always verify output.

Copilot AI Jan 22, 2026

This code is vulnerable to Cross-Site Scripting (XSS) attacks. User input is directly inserted into the DOM via innerHTML without any sanitization. An attacker could inject malicious scripts by entering HTML/JavaScript code. Use textContent instead of innerHTML, or implement proper input sanitization if HTML content is genuinely needed.

Suggested change
document.getElementById('out').innerHTML = q;
document.getElementById('out').textContent = q;

});
</script>
</body>
</html>
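Review bot: nothing in the file marks `document.getElementById('out').innerHTML = q;` as the deliberate DOM-XSS sink, so a reader or a scanner (see the CodeQL "DOM text reinterpreted as HTML" warning above) cannot tell the fixture from a bug. If the page is meant to stay vulnerable for local testing, add the in-code comment suggested in the Sep 25, 2025 review so the intent is recorded next to the sink, and keep the "(Local test)" qualifier in the `<title>`; if it is meant to be safe, switch the assignment to `textContent` as in the autofix. Separately, the placeholder strings `<label>Enter...:</label>` and `<button type="submit">dcdcdcd</button>` and the `Testt` typo in the `<h1>` should be replaced before merge.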