There can be a potential Cross-Site Scripting (XSS) vulnerability in the 'XBRLReportController.js' file of the develop branch. This vulnerability arises from the extraction of text from a DOM node and its subsequent reinterpretation as HTML without proper sanitization. Detected by CodeQL deployed on a forked repository.
Steps to Reproduce
Open the 'XBRLReportController.js' file, located in the 'app/scripts/controllers/reports' directory.
Check out the lines of code where text is being extracted from a DOM node and then reinterpreted as HTML. For instance, check line 17.
Expected Behaviour
When we extract text from a DOM node and then use it as HTML, we should always escape any potential meta-characters to prevent any possibility of XSS attacks.
Actual Behaviour
We're currently not sanitizing or escaping any meta-characters when we convert the extracted text to HTML. This creates a potential XSS vulnerability where an attacker could inject malicious scripts.
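The text-to-HTML round trip described above, as an added example that is not code from the project: the escaping step is modelled as pure functions so it runs under Node without a DOM, and `extractedText` stands in for the value that `$(node).text()` / `node.textContent` would return (an assumption, since the controller's exact call is not shown here).

```javascript
// Escape the five HTML meta-characters so the text is rendered literally
// when it is re-inserted via .html() / innerHTML (OWASP: HTML-encode untrusted
// data placed into an HTML element context).
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// The pattern CodeQL flags: text taken from one node is handed to .html()/innerHTML
// unchanged. Anything that was only *text* in the source node becomes live markup.
function unsafeRenderAsHtml(extractedText) {
  return extractedText;
}

// Hardened variant: escape before reinterpreting the text as HTML.
function safeRenderAsHtml(extractedText) {
  return escapeHtml(extractedText);
}

// True when the string still contains a raw tag opener, i.e. would parse as markup.
function containsRawTag(html) {
  return /<[a-zA-Z]/.test(html);
}

// Constructed sample (not taken from a real report): a text node whose content
// happens to contain markup, as an XBRL label or footnote might after user edits.
const SAMPLE_TEXT = 'Net income <b>2023</b> & "Total" <script>notify()</script>';

console.log('unsafe:', unsafeRenderAsHtml(SAMPLE_TEXT)); // tags survive
console.log('safe:  ', safeRenderAsHtml(SAMPLE_TEXT));   // tags become &lt;...&gt;
```

If the text genuinely must carry markup, the fix is a sanitizer with an allow-list rather than plain escaping; for plain labels, `.text()` on the target node avoids the HTML reinterpretation altogether.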
References
OWASP: DOM based XSS Prevention Cheat Sheet
OWASP: XSS (Cross Site Scripting) Prevention Cheat Sheet
Wikipedia: Cross-site scripting
Common Weakness Enumeration: CWE-79
Common Weakness Enumeration: CWE-116