[Security] DOM-Based XSS Risk in Semantic Search Widget #18

@mrlesmithjr

Summary

The semantic search widget uses innerHTML to render API response data without sanitization, creating a potential DOM-based XSS vulnerability.

Location

assets/js/esbv-semantic-search.js (lines 280-297)

Description

The code directly inserts API response data into the DOM using innerHTML:

resultsContainer.innerHTML = /* API response data */

If the API returns malicious content (either through compromise or injection), this could execute arbitrary JavaScript in the context of the page.

Impact

  • XSS Exploitation: Malicious scripts could steal session data, perform actions on behalf of users, or redirect to phishing sites
  • Session Hijacking: Access to cookies and localStorage
  • Data Theft: Access to page content and user interactions

Remediation

Use one of the following approaches:

Option 1: Use textContent and createElement

const resultItem = document.createElement('div');
resultItem.textContent = result.title; // Safe - no HTML interpretation
resultsContainer.appendChild(resultItem);

Option 2: Use DOMPurify library

import DOMPurify from 'dompurify';
resultsContainer.innerHTML = DOMPurify.sanitize(apiResponse);

Option 3: Validate and escape HTML

  • Implement strict validation of API response structure
  • Escape HTML entities before rendering
  • Use CSP to prevent inline script execution
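The following is an added example, not code from the widget or from this issue, of what Option 3 looks like end to end: the response structure is validated first, link targets are restricted to http(s), and every field is HTML-escaped before it is turned into markup, so the string that finally reaches innerHTML cannot carry anything the API text says. The result shape ({ title, url, snippet }), the class name and the sample response are all assumptions made for the example.

```javascript
// Added example (not the esbv-semantic-search.js code): hardened rendering
// of search results. Assumes each result is { title, url, snippet }.

// Escape the characters that change meaning in HTML text and attribute
// contexts. Everything else is passed through unchanged.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Only http(s) link targets are rendered; javascript:, data: and other
// schemes are refused. The base URL is a constructed value used solely so
// that relative links resolve to a scheme we can check.
function isSafeUrl(url) {
  try {
    const u = new URL(url, 'https://example.invalid/');
    return u.protocol === 'https:' || u.protocol === 'http:';
  } catch {
    return false;
  }
}

// Strict validation of the API response structure. Anything that does not
// match the expected shape is dropped rather than rendered "as best we can".
function validateResults(payload) {
  if (!payload || !Array.isArray(payload.results)) {
    throw new TypeError('search API: expected an object with a results array');
  }
  return payload.results.filter((r) =>
    r !== null && typeof r === 'object' &&
    typeof r.title === 'string' && r.title.length <= 500 &&
    typeof r.snippet === 'string' && r.snippet.length <= 2000 &&
    typeof r.url === 'string' && isSafeUrl(r.url)
  );
}

// Build markup from escaped strings only. Even if the API is compromised,
// result text is rendered as text, never interpreted as HTML.
function renderResultsHtml(results) {
  return results.map((r) =>
    '<div class="esbv-result">' +
      `<a href="${escapeHtml(r.url)}">${escapeHtml(r.title)}</a>` +
      `<p>${escapeHtml(r.snippet)}</p>` +
    '</div>'
  ).join('');
}

// Validate, then render. This is the string that may be assigned to
// resultsContainer.innerHTML.
function renderSearchResponse(payload) {
  return renderResultsHtml(validateResults(payload));
}

// Constructed sample response mixing a normal result, a result whose title
// carries HTML, a result with a non-http link, and a malformed entry.
const sampleResponse = {
  results: [
    { title: 'Normal <b>result</b>', url: 'https://docs.example.invalid/a', snippet: 'plain text' },
    { title: '<img src=x onerror=alert(1)>', url: 'https://docs.example.invalid/b', snippet: 'x' },
    { title: 'bad link', url: 'javascript:alert(1)', snippet: 'dropped by isSafeUrl' },
    { title: 42, url: 'https://docs.example.invalid/c', snippet: 'dropped: title is not a string' },
  ],
};

// In the browser: resultsContainer.innerHTML = renderSearchResponse(apiJson);
console.log(renderSearchResponse(sampleResponse));
```

The validation step is what keeps the escaping honest: escapeHtml only protects text and quoted attribute contexts, so the URL scheme check exists because an href is a third context where a string can still become executable. A CSP without 'unsafe-inline' is a separate, complementary layer; it does not replace either step.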

Priority

P2 (Medium) - Depends on API trustworthiness, but should be hardened

References

Labels: javascript, p2, security
