chromeos / chromeos.dev

chromeOS.dev is the digital home for all things ChromeOS. Learn how to adapt and optimize your existing apps to work on ChromeOS, the success other companies have had doing so, how to use ChromeOS as your developer machine, and keep up-to-date with the latest on ChromeOS.
https://chromeos.dev
Apache License 2.0

Update search.js DOM text reinterpreted as HTML #742

Closed Shivam7-1 closed 2 months ago

Shivam7-1 commented 2 months ago

Please describe what your Pull Request does

Using innerText avoids the risk of HTML injection, as this property automatically escapes any HTML special characters in the provided text. This helps prevent cross-site scripting (XSS) vulnerabilities by treating the input as plain text rather than as interpreted HTML.

Snugug commented 2 months ago

Hey @Shivam7-1, thank you for your enthusiasm and your feedback here! You've opened a number of PRs against a number of our repositories with the same description fixing the same non-issue; while innerHTML can be an XSS issue when inserting untrusted content, that is not the case here or in the other PRs you've created. I'm going to close this, and the other similar PRs you've created, and ask you to refrain from filing any more similar PRs against our repositories.

Thank you.

Shivam7-1 commented 2 months ago

Hi @Snugug, thanks for reviewing this PR and for the feedback.

Thanks