🔴 3. XSS Vulnerability: Unescaped HTML Injection


**Location:** `templates/add_area.html:474`

```js
document.getElementById("sugestions").innerHTML = `suggested logo: ${prefilledCommunityData.icon}`
```

**Problem:** Directly inserting untrusted data from Gitea issue into `.innerHTML` without sanitization.

**Fix:**

```js
// Option 1: Use textContent
document.getElementById("sugestions").textContent = `suggested logo: ${prefilledCommunityData.icon}`

// Option 2: Sanitize if HTML is needed
function sanitizeHTML(str) {
    const temp = document.createElement('div')
    temp.textContent = str
    return temp.innerHTML
}
document.getElementById("sugestions").innerHTML = `suggested logo: ${sanitizeHTML(prefilledCommunityData.icon)}`
```

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

🔴 3. XSS Vulnerability: Unescaped HTML Injection #157

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

🔴 3. XSS Vulnerability: Unescaped HTML Injection #157

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions