
Security: Use of document.write in browser-sync.js#253

Open
tomaioo wants to merge 1 commit into
devpunks:mainfrom
tomaioo:fix/security/use-of-document-write-in-browser-sync-js

Conversation

@tomaioo

@tomaioo tomaioo commented Jun 28, 2026


Summary

Security: Use of document.write in browser-sync.js

Problem

Severity: Medium | File: browser-sync.js:L10

The browser-sync.js file uses document.write() to inject a script tag. document.write is dangerous as it can overwrite the entire document if called after the document has finished loading, and it is a known vector for XSS attacks. Additionally, the script source is hardcoded to a local browser-sync endpoint.

Solution

Replace document.write with safer DOM manipulation methods like document.createElement('script') and document.head.appendChild(). Consider removing this file from production builds entirely as browser-sync is a development tool.

Changes

  • browser-sync.js (modified)

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
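The replacement the description proposes, shown as an added example rather than the project's own browser-sync.js: the string-based document.write() injection beside a createElement/appendChild version that only runs on development hosts. The `doc` parameter, BROWSER_SYNC_URL, isDevHost and the fakeDocument stand-in are assumptions made so the code runs outside a browser.

```javascript
// Added example, not the project's browser-sync.js. Names below
// (BROWSER_SYNC_URL, isDevHost, fakeDocument) are assumptions.
const BROWSER_SYNC_URL = 'http://localhost:3000/browser-sync/browser-sync-client.js';

// Development hosts on which the live-reload client may be loaded at all.
function isDevHost(hostname) {
  return hostname === 'localhost' || hostname === '127.0.0.1' || hostname.endsWith('.local');
}

// Unsafe pattern: markup assembled as a string and handed to document.write().
// Called after the page has loaded, the implicit document.open() discards the
// existing document, and whatever is spliced into the string (the hostname
// here) is parsed as HTML rather than treated as data.
function injectWithDocumentWrite(doc, hostname) {
  const markup = '<script async src="http://HOST:3000/browser-sync/browser-sync-client.js"><\/script>'
    .replace('HOST', hostname);
  doc.write(markup);
  return markup;
}

// Safer replacement: build the element through the DOM, assign src as a
// property (no HTML parsing step), and append it. Returns null when the
// page is not served from a development host, so nothing is injected there.
function injectWithDom(doc, hostname) {
  if (!isDevHost(hostname)) return null;
  const url = new URL(BROWSER_SYNC_URL);
  url.hostname = hostname;            // URL API validates the host component
  const script = doc.createElement('script');
  script.async = true;
  script.src = url.href;
  doc.head.appendChild(script);
  return script;
}

// Constructed stand-in for the browser document so the functions above can
// run under Node; in a page, pass the real `document` instead.
function fakeDocument() {
  return {
    head: { children: [], appendChild(el) { this.children.push(el); return el; } },
    written: [],
    createElement(tagName) { return { tagName: tagName.toUpperCase() }; },
    write(markup) { this.written.push(markup); },
  };
}
```

In a real page the call is `injectWithDom(document, location.hostname)`, and the file can be dropped from production bundles altogether, as the description suggests.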
@tomaioo tomaioo requested a review from snuggs as a code owner June 28, 2026 06:26
@vercel

vercel Bot commented Jun 28, 2026


@tomaioo is attempting to deploy a commit to the sneakyhead's projects Team on Vercel.

A member of the Team first needs to authorize it.

@snuggs

snuggs commented Jul 1, 2026


@tomaioo GREAT STUFF!

Also need to check out your other PR #252.

Thanks SOO MUCH!

P.S. Check your notifications for team add 😎

May need your help on a few other things as we spin this project up.
It is now being used in a few mission-critical systems and I want to make sure everything is buttoned up.
At least the minimum features.

@snuggs snuggs left a comment


PERFECT @tomaioo.

Please rebase & merge.
