
🛡️ Sentinel: [HIGH] Fix XSS vulnerability in SyntaxHighlighter#60

Merged: mbayue merged 2 commits into master from jules-11403326408473596697-4da13063 on Jun 30, 2026
Conversation

@mbayue mbayue (Owner) commented Jun 30, 2026

🛡️ Sentinel: [HIGH] Fix XSS vulnerability in SyntaxHighlighter

🚨 Severity: HIGH
💡 Vulnerability: Cross-Site Scripting (XSS) vulnerability due to unescaped highlight.js output in dangerouslySetInnerHTML.
🎯 Impact: Attackers could inject arbitrary JavaScript if user input is passed directly to the SyntaxHighlighter.
🔧 Fix: Wrapped the HTML string with DOMPurify.sanitize(html) to strip malicious scripts.
✅ Verification: Ran bun run test and bun run lint successfully. Verified that DOMPurify prevents the execution of malicious scripts.


PR created automatically by Jules for task 11403326408473596697 started by @mbayue


Summary by cubic

Fixes a high-severity XSS in SyntaxHighlighter by sanitizing highlight.js output. Also increases the inspector dock’s max drag height for better code visibility.

  • Bug Fixes
    • Sanitize highlight.js HTML with DOMPurify.sanitize(html) before dangerouslySetInnerHTML in src/components/ui/SyntaxHighlighter.tsx.
    • Raise inspector dock max drag limit from 35% to 90% of window height in src/components/explorer/CodeInspectorDock.tsx.
    • Verified via bun run test and bun run lint; manual checks confirm scripts don’t execute.

Written for commit f0ff3d3.

@google-labs-jules (Contributor) commented

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@github-actions commented

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@cubic-dev-ai cubic-dev-ai Bot (Contributor) left a comment

No issues found across 1 file

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.


Update max height limit from 35% to 90% of window height in CodeInspectorDock. Allow greater expansion for better code visibility.
@mbayue mbayue merged commit a61111c into master Jun 30, 2026
8 checks passed