Skip to content

fix: XSS through unsanitized app name#134

Merged
WofWca merged 1 commit intomainfrom
wofwca/fix-xss
Mar 2, 2026
Merged

fix: XSS through unsanitized app name#134
WofWca merged 1 commit intomainfrom
wofwca/fix-xss

Conversation

@WofWca
Copy link
Member

@WofWca WofWca commented Mar 2, 2026

The escapeHtml implementation is not adequate
for escaping attribute values.
Let's just not be using innerHTML at all.

The issue has been introduced in
b32a83e
(#119).

Seems that anyone who has an app submitted in the store
can exploit this vulnerability,
by making a release with a malicious app name.

I have tested this. Things seem to be working as before.

@WofWca
fix: XSS through unsanitized app name
a8e7afd 
The `escapeHtml` implementation is not adequate
for escaping attribute values.
Let's just not be using `innerHTML` at all.

The issue has been introduced in
b32a83e
(#119).

Seems that anyone who has an app submitted in the store
can exploit this vulnerability,
by making a release with a malicious app name.

I have tested this. Things seem to be working as before.
@WofWca
Copy link
Member Author

WofWca commented Mar 2, 2026
edited
Loading

This vulnerability has been privately reported on 15th of February. Merging without review so as to not keep it around any longer.

@WofWca WofWca merged commit 0e266f6 into main Mar 2, 2026
2 checks passed
@WofWca WofWca deleted the wofwca/fix-xss branch March 2, 2026 13:10
@WofWca
Copy link
Member Author

WofWca commented Mar 2, 2026

Confirmed deployment document.getElementById('carousel-card-template').

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@WofWca