DOM text reinterpreted as HTML Update background.js

google / tamperchrome

Tamper Dev is an extension that allows you to intercept and edit HTTP/HTTPS requests and responses as they happen without the need of a proxy. Works across all operating systems (including Chrome OS).

https://tamper.dev

Apache License 2.0

4.18k stars 214 forks source link

DOM text reinterpreted as HTML Update background.js #263

Open Shivam7-1 opened 5 months ago

Shivam7-1 commented 5 months ago

By using innerText, it will avoid the risk of HTML injection, as these properties automatically escape any HTML special characters in the provided text. This helps prevent cross-site scripting (XSS) vulnerabilities by treating the input as plain text rather than interpreted HTML. Always be cautious when dealing with user input or dynamic content to prevent security risks.

Shivam7-1 commented 4 months ago

Hi @sirdarckcat Could You Please Review this PR Thanks

Shivam7-1 commented 4 months ago

Hi @sirdarckcat Could You Please Review this PR

Thanks

NeilFraser commented 4 months ago

I'm not on this project's team, but this PR would result in raw HTML being printed on the user's screen. Here innerHTML is being used intentionally since there's an <H1> tag.