Skip to content

fix(security): prevent XSS injection in chatbot via unsafe innerHTML#21

Open
KGFCH2 wants to merge 1 commit into
omroy07:mainfrom
KGFCH2:fix/xss-chatbot-innerhtml-injection
Open

fix(security): prevent XSS injection in chatbot via unsafe innerHTML#21
KGFCH2 wants to merge 1 commit into
omroy07:mainfrom
KGFCH2:fix/xss-chatbot-innerhtml-injection

Conversation

@KGFCH2
Copy link
Copy Markdown
Contributor

@KGFCH2 KGFCH2 commented Jun 2, 2026

Related Issue

Closes #20

Summary

Replaces unsafe innerHTML += string concatenation in the chatbot with DOM node construction. User input is now rendered exclusively via textContent, making it immune to XSS injection.

Changes Made

  • Add escapeHTML() helper using createTextNode() for safe encoding
  • Refactor appendMessage() to build DOM nodes (no string HTML)
  • User messages: textContent only (never innerHTML)
  • Bot responses: innerHTML only for server-controlled content
  • Add typing indicator ("Bot is typing...") while awaiting response
  • Add Enter key keyboard shortcut for sending messages
  • Clean up logout: use localStorage.removeItem() instead of alert() + redirect

Testing

  • Tested: Typing <img src=x onerror=alert(1)> renders as text, not executes
  • Tested: Typing <script>alert(1)</script> renders as literal text
  • Tested: Enter key sends message correctly
  • Tested: Typing indicator appears and disappears correctly

Impact

Eliminates an XSS vulnerability that could allow session token theft via the chat interface.

Checklist

  • Code follows project standards
  • Tested locally — XSS payloads render as safe text
  • No unrelated changes included
  • Security improvement verified

@KGFCH2
fix(security): prevent XSS injection in chatbot via unsafe innerHTML
f0a8c18 
The previous implementation used:
  chatBox.innerHTML += '<p><strong>You:</strong> ' + userInput + '</p>';

This allowed any user-typed HTML/script to execute directly in the DOM,
creating a stored-like XSS vector within the session.

Changes:
- Add escapeHTML() helper using DOM's createTextNode() for safe encoding
- Refactor appendMessage() to build DOM nodes instead of string concat
- User messages rendered exclusively with textContent (no HTML execution)
- Bot responses use innerHTML only for our own server-controlled content
- Replace alert()/hard redirect on logout with clean localStorage.removeItem()
- Add typing indicator while awaiting bot response (better UX)
- Add Enter key support for submitting chat messages
- Improve error messages with actionable guidance for users
@vercel
Copy link
Copy Markdown

vercel Bot commented Jun 2, 2026

@KGFCH2 is attempting to deploy a commit to the Om Roy's projects Team on Vercel.

A member of the Team first needs to authorize it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

🔒 [Security] XSS vulnerability in chatbot — user input inserted via innerHTML

1 participant

@KGFCH2