🛡️ Sentinel: [HIGH] Fix XSS vulnerability in SyntaxHighlighter#60
🚨 Severity: HIGH
💡 Vulnerability: Cross-Site Scripting (XSS) vulnerability due to unescaped highlight.js output in `dangerouslySetInnerHTML`.
🎯 Impact: Attackers could inject arbitrary JavaScript if user input is passed directly to the `SyntaxHighlighter`.
🔧 Fix: Wrapped the HTML string with `DOMPurify.sanitize(html)` to strip malicious scripts.
✅ Verification: Ran `bun run test` and `bun run lint` successfully. Verified that `DOMPurify` prevents the execution of malicious scripts.
Co-authored-by: mbayue <70324722+mbayue@users.noreply.github.com>
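The fix this PR describes (sanitizing the highlight.js HTML before it reaches `dangerouslySetInnerHTML`), as an added example that is not code from the PR or the project. It models the two output paths such a component usually has (highlighted markup and a plain-text fallback), uses `fakeHighlight` as a stand-in for `hljs.highlight(...).value` (an assumed interface, so the block runs without highlight.js), and adds a fail-closed allowlist check, `isSafeHighlightHtml`, for the string that reaches the HTML sink. DOMPurify stays the sanitizer the PR relies on; the check here is a unit-test guard to run on the sanitized string, not a replacement for `DOMPurify.sanitize(html)`.

```javascript
// Added example; not code from the PR or the project. `fakeHighlight` is a
// stand-in for hljs.highlight(...).value (assumed interface) so this runs offline.

// Escape the characters that turn text into markup.
function escapeHtml(text) {
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Minimal stand-in for highlight.js: escapes the input, then wraps a few
// keywords in the <span class="hljs-..."> markup highlight.js emits.
function fakeHighlight(code) {
  return escapeHtml(code).replace(
    /\b(const|let|return)\b/g,
    '<span class="hljs-keyword">$1</span>',
  );
}

// Vulnerable shape: with no known language the raw input is handed to the HTML
// sink unchanged, so any markup in untrusted "code" becomes live DOM.
function renderUnsafe(code, language) {
  return language ? fakeHighlight(code) : code;
}

// Hardened shape: every path escapes or highlights before the sink, and the
// result is checked (DOMPurify.sanitize in the PR; the allowlist check here).
// On an unexpected string it falls back to plain escaped text.
function renderSafe(code, language) {
  const html = language ? fakeHighlight(code) : escapeHtml(code);
  return isSafeHighlightHtml(html) ? html : escapeHtml(code);
}

// Text between tags must contain no raw '<' or '>' and only well-formed entities.
function isEscapedText(text) {
  return !/[<>]/.test(text) && !/&(?![a-zA-Z]+;|#\d+;|#x[0-9a-fA-F]+;)/.test(text);
}

const ALLOWED_OPEN_TAG = /^<span class="[A-Za-z0-9_ -]+">$/;
const ALLOWED_CLOSE_TAG = "</span>";

// Allowlist check: only balanced <span class="..."> elements (the only markup
// highlight.js produces) with escaped text between them; anything else, such
// as other elements or extra attributes, is rejected.
function isSafeHighlightHtml(html) {
  let depth = 0;
  let last = 0;
  for (const m of html.matchAll(/<[^>]*>/g)) {
    if (!isEscapedText(html.slice(last, m.index))) return false;
    last = m.index + m[0].length;
    if (m[0] === ALLOWED_CLOSE_TAG) {
      if (--depth < 0) return false;
    } else if (ALLOWED_OPEN_TAG.test(m[0])) {
      depth++;
    } else {
      return false;
    }
  }
  return depth === 0 && isEscapedText(html.slice(last));
}

// Constructed probe input: user-supplied "code" that carries an event handler.
const PROBE = 'const x = 1; <img src=x onerror="alert(1)">';

console.log("unsafe fallback accepted:", isSafeHighlightHtml(renderUnsafe(PROBE, null)));
console.log("safe fallback accepted:  ", isSafeHighlightHtml(renderSafe(PROBE, null)));
console.log("highlighted:", renderSafe(PROBE, "js"));
```

In the React component the string returned by `renderSafe` is what would be passed as `dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(html) }}`; `isSafeHighlightHtml` belongs in the component's unit tests, asserting on the sanitized string for both the highlighted and the fallback path.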
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task.
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned Files: None
Update max height limit from 35% to 90% of window height in CodeInspectorDock. Allow greater expansion for better code visibility.
PR created automatically by Jules for task 11403326408473596697 started by @mbayue
Summary by cubic
Fixes a high-severity XSS in `SyntaxHighlighter` by sanitizing `highlight.js` output. Also increases the inspector dock's max drag height for better code visibility.
- `highlight.js` HTML with `DOMPurify.sanitize(html)` before `dangerouslySetInnerHTML` in `src/components/ui/SyntaxHighlighter.tsx`.
- `src/components/explorer/CodeInspectorDock.tsx`.
- `bun run test` and `bun run lint`; manual checks confirm scripts don't execute.
Written for commit f0ff3d3. Summary will update on new commits.