fix: resolve multiple DOM-based XSS and Electron security vulnerabilities#179
Open
Akshita-2307 wants to merge 1 commit into
Conversation
…ties
- escapeAttr: escape &, <, > characters to prevent HTML/attribute injection
- setWindowOpenHandler: deny non-http URLs (file://, data:) to stop local file disclosure
- window.open: add noopener,noreferrer to prevent reverse tabnabbing
- onclick handlers: sanitize script paths and category names to prevent stored XSS
Author:
Hi maintainers! This PR resolves multiple DOM-based XSS vulnerabilities and Electron security issues identified in the codebase. Includes proper input sanitization and secure IPC communication patterns. Would appreciate a review. Thank you!
Summary
This PR addresses 4 security vulnerabilities in bashmanager:

1. #168 – Incomplete HTML attribute escaping in escapeAttr()
The escapeAttr() function only escaped " and ' but not &, <, or >, allowing HTML/attribute injection through unescaped special characters.

2. #172 – Electron setWindowOpenHandler allows file:// and data: protocol loading
The handler allowed any URL not starting with http, enabling local file disclosure and arbitrary JS execution via file:// and data: URLs.

3. #169 – window.open missing noopener flag
Server-provided URLs opened with window.open without noopener,noreferrer, making the app vulnerable to reverse tabnabbing.

4. #167 – Stored XSS via unsanitized onclick injection in sidebar
Script names and relative_path values were interpolated directly into onclick handler strings without proper escaping.

Fixes #168, #172, #169, #167
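As an added example that is not code from this PR or from bashmanager, the following plain JavaScript shows the two defensive primitives the description calls for (items 1, 2 and 4): an escapeAttr() that covers all five attribute-significant characters, an allowlist check of the kind a setWindowOpenHandler callback would apply before a URL leaves the app, and a sidebar renderer that carries the script path in a data attribute instead of interpolating it into an onclick string. The function names, the sample values, the data-path rendering approach and the openExternal callback are assumptions made for this example; only `{ action: 'deny' }` as the return value of a setWindowOpenHandler callback is Electron's real API. It runs under Node without Electron.

```javascript
// Added example, not bashmanager's code. Names and sample values are assumptions.

// Entity table for the five characters that can break out of a quoted
// HTML attribute value. Escaping only " and ' leaves <, > and & free to
// close the tag or start a new one.
const ATTR_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value so it is inert inside a quoted HTML attribute.
// A single regex pass avoids the classic double-escaping bug where '&'
// is replaced after the other entities have already been emitted.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ATTR_ESCAPES[ch]);
}

// Allowlist check for URLs that may leave the app (window.open / shell).
// Only absolute http:// or https:// URLs pass; file:, data:, javascript:
// and anything the URL parser rejects are denied. Using the URL parser
// instead of startsWith('http') also rejects schemes like "httpx:".
function isAllowedExternalUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // relative paths and garbage input throw here
  } catch {
    return false;
  }
  return url.protocol === 'http:' || url.protocol === 'https:';
}

// Render a sidebar entry without building an onclick attribute at all.
// The path is stored escaped in a data attribute; a delegated click
// handler reads it back via element.dataset.path, so no JavaScript
// parser ever sees attacker-controlled text as code.
function renderSidebarEntry(scriptName, relativePath) {
  return (
    `<li class="script" data-path="${escapeAttr(relativePath)}">` +
    `${escapeAttr(scriptName)}</li>`
  );
}

// Hypothetical body of a setWindowOpenHandler callback: never let the
// renderer open a new window; hand allowed http(s) links to the OS
// browser via the supplied openExternal function (in Electron this would
// be shell.openExternal, an assumption here) and deny everything else.
function windowOpenDecision(details, openExternal) {
  if (isAllowedExternalUrl(details.url)) {
    openExternal(details.url);
  }
  return { action: 'deny' };
}

// Constructed sample values showing each function on hostile-looking input.
const sampleName = 'backup"><img src=x>';
const samplePath = "scripts/it's.sh";
console.log(renderSidebarEntry(sampleName, samplePath));
console.log(isAllowedExternalUrl('file:///etc/hosts'), isAllowedExternalUrl('https://example.com/'));
```

The important design point is in renderSidebarEntry: once a value is placed in an attribute that the browser later evaluates as script (onclick), HTML escaping alone is not enough, because the text is parsed twice (HTML, then JavaScript). Moving the value into a data attribute and reading it with dataset removes the second parser from the picture, so the single HTML-attribute escape is sufficient.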