From 67a2cfa0193a80c76eaf59e06c472e52cbefb3cc Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Sat, 27 Jun 2026 23:26:11 -0700
Subject: [PATCH] fix(security): use of document.write in browser-sync.js

The browser-sync.js file uses document.write() to inject a script tag. document.write is dangerous as it can overwrite the entire document if called after the document has finished loading, and it is a known vector for XSS attacks. Additionally, the script source is hardcoded to a local browser-sync endpoint.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 browser-sync.js | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/browser-sync.js b/browser-sync.js
index 750b7d811b..b402852a32 100644
--- a/browser-sync.js
+++ b/browser-sync.js
@@ -1,12 +1,14 @@
 void function () {
- let script = '