npm / statusboard

Public monitor/status/health board for @npm/cli-team's maintained projects
https://npm.github.io/statusboard

Update trends.js DOM text reinterpreted as HTML #852

Closed Shivam7-1 closed 3 months ago

Shivam7-1 commented 4 months ago

Using textContent avoids the risk of HTML injection, as these properties automatically escape any HTML special characters in the provided text. This helps prevent cross-site scripting (XSS) vulnerabilities by treating the input as plain text rather than interpreted HTML.

Shivam7-1 commented 3 months ago

Hi @lukekarrys, could you please review this PR? Thanks.

wraithgar commented 3 months ago

These are coming from parsed date objects

https://github.com/npm/statusboard/blob/dfa6b6ad4abb08c83eb0a00876787e10cb3b32e0/workspaces/www/lib/js/util.js#L32

which are formatted

https://github.com/npm/statusboard/blob/dfa6b6ad4abb08c83eb0a00876787e10cb3b32e0/workspaces/www/lib/js/util.js#L25

and are not generally an XSS concern.
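To make the point of the two comments above concrete, here is an added example that is not part of the PR or of the statusboard code. It uses a constructed stand-in for a DOM element (a real browser element serializes a `textContent` assignment with the same escaping when you read its `innerHTML` back) and a constructed `formatDate` helper; neither reflects the actual `util.js`. It shows why `innerHTML` is the sink that matters for XSS, why `textContent` is the safe default for untrusted strings, and why a formatted date string carries no markup-significant characters in the first place.

```javascript
// Minimal stand-in for a DOM element (constructed for this example, not from
// statusboard). Only the behaviour relevant to the innerHTML/textContent
// distinction is modelled.
class FakeElement {
  constructor() {
    this.markup = ''; // what the element would serialize to
  }

  // innerHTML: the assigned string is parsed as HTML, so any tags in it
  // become real nodes. This is the injection sink.
  set innerHTML(value) {
    this.markup = String(value);
  }

  // textContent: the assigned string becomes a text node. When the element is
  // serialized, the browser escapes the characters that would otherwise be
  // read as markup, which is what this setter models.
  set textContent(value) {
    this.markup = escapeHtml(String(value));
  }
}

// Escape the three characters that change meaning inside element content.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Render a value into a fresh element using one of the two properties and
// return the resulting markup, so the two behaviours can be compared.
function render(value, { useTextContent }) {
  const el = new FakeElement();
  if (useTextContent) {
    el.textContent = value;
  } else {
    el.innerHTML = value;
  }
  return el.markup;
}

// True if the string contains any character with HTML significance in
// element content or attribute values.
function containsMarkup(s) {
  return /[<>&"']/.test(s);
}

// Constructed date formatter (an assumption, not the statusboard one): a
// fixed-shape YYYY-MM-DD string built from a Date object.
function formatDate(d) {
  return d.toISOString().slice(0, 10);
}

// Constructed inputs: a string that contains markup, and a parsed date.
const untrusted = '<b>not bold</b>';
const parsedDate = new Date(Date.UTC(2024, 0, 15));

console.log(render(untrusted, { useTextContent: false })); // markup survives
console.log(render(untrusted, { useTextContent: true }));  // markup escaped
console.log(formatDate(parsedDate), containsMarkup(formatDate(parsedDate)));
```

The first two lines of output show the difference the PR is about: with `innerHTML` the tags are kept and would be parsed, with `textContent` they are escaped to `&lt;b&gt;...`. The third line shows the reviewer's point: a value that comes out of a date formatter has a fixed shape and contains no `<`, `>`, `&` or quote characters, so whichever property writes it there is nothing for the HTML parser to reinterpret. Switching to `textContent` is still the cheaper habit to keep, because it stays safe if the data source later changes.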