Skip to content

Potential fix for code scanning alert no. 2: Client-side cross-site scripting#12

Merged
gitricko merged 1 commit into
mainfrom
alert-autofix-2
May 23, 2026
Merged

Potential fix for code scanning alert no. 2: Client-side cross-site scripting#12
gitricko merged 1 commit into
mainfrom
alert-autofix-2

Conversation

@gitricko

@gitricko gitricko commented May 23, 2026

Copy link
Copy Markdown
Owner

Potential fix for https://github.com/gitricko/hermes-vscode/security/code-scanning/2

Best fix: stop using innerHTML for dynamic todo item rows and build the DOM with document.createElement, classList, and textContent. This preserves behavior while removing the XSS sink path.

In src/webview/renderers.ts, update renderTodoOverlay (lines around 87–99):

  • Keep the early return and completed calculation.
  • Replace the items HTML string construction and final container.innerHTML = ...${items} with:
    • container.innerHTML only for the static header (or create header element too),
    • per-todo element creation via DOM APIs.
  • Validate status before using it as a class token (allow only known statuses from TODO_ICONS; fallback to 'pending').
  • Set todo text with textContent (not sanitized HTML), since this is plain text display.

No import changes are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@gitricko @github-advanced-security
Potential fix for code scanning alert no. 2: Client-side cross-site s…
e2ec8eb 
…cripting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@gitricko gitricko marked this pull request as ready for review May 23, 2026 05:58
Copilot AI review requested due to automatic review settings May 23, 2026 05:58
Copilot AI reviewed May 23, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses a code scanning alert for client-side XSS in renderTodoOverlay by replacing string-based innerHTML construction of todo items with safe DOM API calls (createElement, classList, textContent). Status values are also validated against the known TODO_ICONS keys before being used as a CSS class token.

Changes:

  • Replace innerHTML interpolation of per-todo markup with document.createElement + textContent.
  • Validate t.status against TODO_ICONS keys, falling back to 'pending'.
  • Retain innerHTML only for the static header element.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@gitricko gitricko requested a review from Copilot May 23, 2026 07:07
Copilot AI reviewed May 23, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

@gitricko gitricko merged commit 6572e09 into main May 23, 2026
5 checks passed
@gitricko gitricko deleted the alert-autofix-2 branch May 23, 2026 07:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gitricko