Security Issue
`DOMUtils.parseHTML()` (lines 153-156 in `src/utils/DOMUtils.js`) accepts raw HTML and creates DOM nodes without sanitization:
```js
static parseHTML(htmlString) {
  const template = document.createElement('template');
  template.innerHTML = htmlString.trim();
  return template.content.firstChild;
}
```
While the template element prevents script execution during parsing, the returned DOM node can contain event handlers (`onerror`, `onload`) or other XSS payloads that execute when inserted into the document.
Current Mitigations
The renderers currently use `escapeHTML()` before generating HTML strings, which is good. However, `parseHTML()` is a public utility method that any consumer could call with unescaped input.
Impact
- Any future code that passes user-controlled data through `parseHTML()` would create an XSS vulnerability
- The method name implies safety (`parseHTML`) but provides none
Expected Fix
Either:
- Add a warning comment/JSDoc that input must be pre-sanitized
- Add basic sanitization (strip event handlers, dangerous tags)
- Mark as `@private` / `@internal` if not intended for public use
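One way to implement the second option, as an added example that is not part of the project's code (the names `parseHTMLSanitized`, `sanitizeNode`, `isDangerousTag`, `isDangerousAttr` and the denylists are assumptions made for illustration): a drop-in that walks the parsed subtree and removes dangerous elements and attributes before returning it. It goes slightly beyond the issue's wording by also neutralizing `javascript:`-style URLs in `href`/`src`-type attributes, since those fire without any `on*` handler.

```javascript
// Added example, not the project's code. The policy below is a small
// denylist that covers the issue's "strip event handlers, dangerous tags"
// suggestion; for production use an allowlist-based sanitizer (e.g. DOMPurify).

// Elements that execute script or load active content once inserted.
const DANGEROUS_TAGS = new Set([
  'script', 'iframe', 'object', 'embed', 'link', 'style', 'meta', 'base', 'form',
]);
// Attributes whose values are URLs and therefore accept script schemes.
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);

function isDangerousTag(tagName) {
  return DANGEROUS_TAGS.has(String(tagName).toLowerCase());
}

// True for inline event handlers (onerror, onload, ...) and for URL attributes
// carrying a script scheme. Control characters and whitespace are stripped
// first because browsers ignore them inside the scheme ("java\nscript:").
// Blocking all data: URLs is deliberately conservative.
function isDangerousAttr(name, value) {
  const n = String(name).toLowerCase();
  if (n.startsWith('on')) return true;
  if (!URL_ATTRS.has(n)) return false;
  const v = String(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return v.startsWith('javascript:') || v.startsWith('vbscript:') || v.startsWith('data:');
}

// Recursively remove dangerous elements and attributes from a DOM subtree.
// Works on Elements (nodeType 1) and on a DocumentFragment such as
// template.content; returns the node, or null if it was removed.
function sanitizeNode(node) {
  if (node.nodeType === 1) {
    if (isDangerousTag(node.tagName)) { node.remove(); return null; }
    for (const attr of Array.from(node.attributes)) {
      if (isDangerousAttr(attr.name, attr.value)) node.removeAttribute(attr.name);
    }
  }
  for (const child of Array.from(node.childNodes)) sanitizeNode(child);
  return node;
}

// Hardened replacement for the original parseHTML(): same shape, but the
// returned node no longer carries inline handlers or script-scheme URLs.
function parseHTMLSanitized(htmlString) {
  const template = document.createElement('template');
  template.innerHTML = htmlString.trim();
  sanitizeNode(template.content);
  return template.content.firstChild;
}
```

`sanitizeNode` only needs `nodeType`, `tagName`, `attributes`, `childNodes`, `remove()` and `removeAttribute()`, so it can be unit-tested against a minimal fake node outside a browser.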
Files
- `src/utils/DOMUtils.js:153-156`