ER: Potential XSS Vulnerability in wins.js #5654
Open
Labels: Complexity: Medium; Draft; ER (Emergent Request); Feature: Refactor JS / Liquid; Issue Making: Level 2; ready for dev lead; role: front end; size: 1pt (can be done in 4-6 hours)
Project status: New Issue Approval
Emergent Requirement - Problem
I originally submitted this as a security advisory, but @roslynwythe said there isn't a way to convert it to an issue, so I'm reposting it here.
Original text:
Date discovered
10/1/2023
Resources
https://developer.mozilla.org/en-US/docs/Web/API/Document/createElement
https://developer.mozilla.org/en-US/docs/Web/API/Node/textContent
https://medium.com/front-end-weekly/javascript-innerhtml-innertext-and-textcontent-b75ec895cbe3
https://jekyllrb.com/docs/datafiles/
Recommended Action Items
Potential solutions [draft]
option 1
option 2
Alternatively, I noticed a lot of the data on the website is loaded in on page load with JavaScript rather than at build time. Seeing as we already use Jekyll, I suggest using its built-in functionality with the strip_html filter to load data into the HTML statically at build time, as this benefits both page load times and accessibility for visitors to the site who have JavaScript disabled.