saulteafarmer/Stirling-PDF
1
0
Fork 0
mirror of https://github.com/Stirling-Tools/Stirling-PDF.git synced 2025-05-13 09:45:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

Potential fix for code scanning alert no. 224: DOM text reinterpreted as HTML (#3499)

Browse Source 
Potential fix for
[https://github.com/Stirling-Tools/Stirling-PDF/security/code-scanning/224](https://github.com/Stirling-Tools/Stirling-PDF/security/code-scanning/224)

To fix the issue, we should avoid assigning untrusted data directly to
`innerHTML`. Instead, we can use `textContent`, which safely sets the
text content of an element without interpreting it as HTML. This ensures
that any special characters in the `data-title` attribute are treated as
plain text, preventing XSS attacks.

The fix involves replacing `tabButton.innerHTML = title;` on line 12
with `tabButton.textContent = title;`. This change ensures that the
`title` is safely rendered as text.

---


_Suggested fixes powered by Copilot Autofix. Review carefully before
merging._

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
This commit is contained in:
Anthony Stirling 2025-05-08 18:19:55 +01:00 committed by GitHub
parent c4b8df2a1e
commit fd1e854778
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/main/resources/static/js/tab-container.js
View File

@ -9,7 +9,7 @@ TabContainer = {
tabList.classList.add('tab-buttons'); tabList.classList.add('tab-buttons');
tabTitles.forEach((title) => { tabTitles.forEach((title) => {
const tabButton = document.createElement('button'); const tabButton = document.createElement('button');
tabButton.innerHTML = title; tabButton.textContent = title;
tabButton.onclick = (e) => { tabButton.onclick = (e) => {
this.setActiveTab(e.target); this.setActiveTab(e.target);
}; };