[Security] XSS vulnerability in CLI site export (cli/index.ts) #169

@d-oit

Description

The CLI exportSite() function builds HTML by string concatenation without escaping entity names, descriptions, or claim statements. This is the same XSS vulnerability as in the browser export, but in the CLI path.

Vulnerable Code

File: cli/index.ts (lines ~193-219)

if (entity.description) {
  html += `\n    <p>${entity.description}</p>\n`;
}

No escaping is applied to entity.description or claim.statement.

Impact

  • Severity: Critical
  • Exported static sites from CLI contain unescaped user content
  • Same XSS risk as the browser export path

Recommended Fix

  1. Reuse escapeHtml() from src/lib/security.ts in CLI export
  2. Consider sharing export logic between browser and CLI (currently duplicated)
  3. Add DOMPurify or equivalent sanitization for rich HTML content

Acceptance Criteria

  • CLI export uses HTML escaping for all user-provided content
  • Shared export utilities extracted to avoid duplication
  • Security test for CLI export XSS prevention
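The following is an added example, not code from the project's cli/index.ts or src/lib/security.ts. It shows the pattern the issue describes (unescaped interpolation of entity.description and claim.statement) next to the fix recommended above (routing every user-provided field through an escapeHtml() helper), plus a small check that can back the requested security test. The Entity and Claim shapes, the renderEntity functions and containsOnlyTemplateTags are assumptions for illustration; the escapeHtml() body is a standard implementation, not necessarily the one in src/lib/security.ts.

```typescript
// Added example; Entity, Claim and the render helpers are assumed shapes,
// not the project's own types.
interface Claim { statement: string }
interface Entity { name: string; description?: string; claims: Claim[] }

// HTML-escape the five characters that can break out of text or attribute
// context. Assumed to match the contract of escapeHtml() in src/lib/security.ts.
function escapeHtml(input: string): string {
  return input.replace(/[&<>"']/g, (ch) => {
    switch (ch) {
      case "&": return "&amp;";
      case "<": return "&lt;";
      case ">": return "&gt;";
      case '"': return "&quot;";
      default: return "&#39;";
    }
  });
}

// Before: the pattern reported in the issue. User content is interpolated
// straight into the template, so markup in a description becomes live HTML.
function renderEntityUnsafe(entity: Entity): string {
  let html = `<h2>${entity.name}</h2>\n`;
  if (entity.description) {
    html += `    <p>${entity.description}</p>\n`;
  }
  for (const claim of entity.claims) {
    html += `    <li>${claim.statement}</li>\n`;
  }
  return html;
}

// After: every user-provided field is escaped at the point of interpolation.
// The template structure is unchanged, only the data is encoded.
function renderEntitySafe(entity: Entity): string {
  let html = `<h2>${escapeHtml(entity.name)}</h2>\n`;
  if (entity.description) {
    html += `    <p>${escapeHtml(entity.description)}</p>\n`;
  }
  for (const claim of entity.claims) {
    html += `    <li>${escapeHtml(claim.statement)}</li>\n`;
  }
  return html;
}

// Test helper: after removing the tags the template itself is allowed to emit,
// no '<' or '>' may remain. Any that does came from unescaped user content.
function containsOnlyTemplateTags(html: string): boolean {
  const stripped = html.replace(/<\/?(h2|p|li)>/g, "");
  return !/[<>]/.test(stripped);
}

// Constructed sample input (not real data): markup and quotes in every field.
const sampleEntity: Entity = {
  name: "Widget <Inc>",
  description: "<script>alert(1)</script>",
  claims: [{ statement: 'Made in "Nowhere" & tested' }],
};

console.log(renderEntityUnsafe(sampleEntity)); // script tag survives intact
console.log(renderEntitySafe(sampleEntity));   // rendered as &lt;script&gt;...
```

The containsOnlyTemplateTags() check is the kind of assertion the "Security test for CLI export XSS prevention" acceptance criterion calls for: feed an entity whose fields contain markup through the export and fail the test if anything other than the template's own tags comes out. Once the browser and CLI exports share one renderer, the same test covers both paths.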

Metadata

Labels: area: cli (CLI tool), area: security (Security-related), bug (Something is not working), duplicate (This issue or pull request already exists), priority: critical (Critical, must fix immediately), security (Security vulnerability)

Assignees: No one assigned

Projects: No projects

Milestone: No milestone

Relationships: None yet

Development: No branches or pull requests