Fix for code scanning alert no. 1719: Client-side cross-site scripting #19607

Open
wants to merge 3 commits into
base: main
from

Conversation

iOvergaard
Contributor

@iOvergaard iOvergaard commented Jun 25, 2025

Potential fix for https://github.com/umbraco/Umbraco-CMS/security/code-scanning/1719

To fix the issue, we need to sanitize or encode the window.location.href value before including it in the HTML string. The best approach is to use a library like DOMPurify to sanitize the value or encode it using a utility function to ensure it is safe for inclusion in HTML. This will prevent any malicious scripts from being executed.

Steps to fix:

  1. Import a library like DOMPurify or use a built-in encoding function to sanitize or encode the window.location.href value.
  2. Replace the direct usage of window.location.href in the HTML string with its sanitized or encoded version.
  3. Ensure that the rest of the functionality remains unchanged.
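
Added example, not code from this PR or from Umbraco: the value is interpolated inside a `<script>` block, so whatever encoding is used must keep it a valid JavaScript string literal and must not let it close the script element (HTML entity encoding is not decoded inside a script element, so it would alter the URL instead of protecting it). The helpers `toJsStringLiteral`, `buildPushStateSnippet`, `buildUnsafeSnippet` and `scriptBlockIntact` and the sample href are constructed for this illustration.

```typescript
/** Encode a value as a JS string literal that is also safe inside an inline <script> block. */
export function toJsStringLiteral(value: string): string {
  // JSON.stringify escapes quotes, backslashes and control characters;
  // the extra replacements stop "</script" and HTML comment markers from
  // terminating the script element, and handle JS line terminators JSON allows raw.
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

/** Snippet in the shape used by the info app, with context-correct escaping (hypothetical helper). */
export function buildPushStateSnippet(href: string): string {
  return `<script>history.pushState(null, null, ${toJsStringLiteral(href)});</script>`;
}

/** The pattern the code-scanning alert flags: the value is interpolated verbatim. */
export function buildUnsafeSnippet(href: string): string {
  return `<script>history.pushState(null, null, "${href}");</script>`;
}

function countOf(haystack: string, needle: string): number {
  return haystack.toLowerCase().split(needle).length - 1;
}

/** A snippet is intact when it contains exactly the one opening and one closing script tag we wrote. */
export function scriptBlockIntact(snippet: string): boolean {
  return countOf(snippet, "<script") === 1 && countOf(snippet, "</script") === 1;
}

// Constructed sample: a location value carrying a quote and a closing script tag.
export const hostileHref = 'https://example.test/app/#/media?q="</script>x';
export const benignHref = "https://example.test/app/#/media";
```

Because `\u003c` is a valid JSON escape as well, `JSON.parse(toJsStringLiteral(v))` returns `v` unchanged, which is the property an HTML-entity encoder would not give inside a script element.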

@iOvergaard iOvergaard marked this pull request as ready for review June 26, 2025 11:17
Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

This PR addresses a potential cross-site scripting vulnerability by sanitizing the URL passed to history.pushState within the media links workspace info app. The key changes include importing a sanitizeHTML utility, replacing the direct use of window.location.href with its sanitized version, and ensuring the security of the generated HTML.

Comments suppressed due to low confidence (1)

src/Umbraco.Web.UI.Client/src/packages/media/media/url/info-app/media-links-workspace-info-app.element.ts:114

  • Ensure that the sanitizeHTML function robustly handles and escapes all potentially malicious input from window.location.href. Consider adding unit tests to verify that the sanitization is effective against various XSS attack vectors.
    <script>history.pushState(null, null, "${sanitizeHTML(window.location.href)}");</script>

@iOvergaard iOvergaard changed the title Potential fix for code scanning alert no. 1719: Client-side cross-site scripting Fix for code scanning alert no. 1719: Client-side cross-site scripting Jun 27, 2025
1 participant