Security: Potential XSS via unsanitized highlighted content rendered with dangerouslySetInnerHTML #341

Open
tuanaiseo wants to merge 19 commits into mksglu:next from tuanaiseo:contribai/fix/security/potential-xss-via-unsanitized-highlighte

Conversation

@tuanaiseo

Problem

The search results view renders HTML using dangerouslySetInnerHTML and prefers r.highlighted when present. While r.content is escaped via esc(), r.highlighted is inserted without sanitization. If highlighted can be influenced by user-controlled indexed content or backend responses, an attacker could inject arbitrary HTML/JS (stored or reflected XSS).

Severity: high
File: insight/src/routes/search.tsx

Solution

Avoid dangerouslySetInnerHTML for search highlights. Return structured highlight spans from the backend or sanitize r.highlighted with a robust HTML sanitizer (e.g., DOMPurify) before rendering. Prefer rendering text nodes and explicit <mark> elements instead of raw HTML.

Changes

  • insight/src/routes/search.tsx (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced
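The contrast the description draws, raw `highlighted` handed to `dangerouslySetInnerHTML` versus structured highlight spans rendered as text nodes plus explicit `<mark>` elements, as an added example that is not code from this PR or from the project. It assumes a search hit shaped like `{ content, highlighted? }` and that the backend's `highlighted` snippet marks matched terms with literal `<mark>`/`</mark>` tags only; the `esc()` helper here is a stand-in for the project's own, which is not shown on the page.

```typescript
// Added example; not the project's code. Assumed hit shape from the PR description.
interface SearchHit {
  content: string;
  highlighted?: string; // backend snippet; assumed to wrap matches in <mark>...</mark>
}

interface Segment {
  text: string;   // plain text, never markup
  marked: boolean; // true when the segment sits inside <mark>...</mark>
}

// Stand-in for the page's esc(): neutralise the characters HTML interprets.
const ESC: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function esc(s: string): string {
  return s.replace(/[&<>"']/g, (c) => ESC[c]);
}

// The pattern the PR flags: `highlighted` wins over `content` and is used as raw HTML,
// so any tag the backend (or indexed content) smuggles into it reaches the DOM intact.
function renderUnsafe(r: SearchHit): string {
  return r.highlighted ?? esc(r.content);
}

// Turn the highlight string into structured spans. Only the literal <mark> and </mark>
// markers are recognised as structure; every other character, including any other
// tag, is carried as text. A stray </mark> simply ends marking; nothing is parsed as HTML.
function parseHighlight(h: string): Segment[] {
  const segs: Segment[] = [];
  const marker = /<\/?mark>/g;
  let last = 0;
  let marked = false;
  let m: RegExpExecArray | null;
  while ((m = marker.exec(h)) !== null) {
    if (m.index > last) segs.push({ text: h.slice(last, m.index), marked });
    marked = m[0] === "<mark>";
    last = m.index + m[0].length;
  }
  if (last < h.length) segs.push({ text: h.slice(last), marked });
  return segs;
}

// Hardened rendering: the only markup emitted is the <mark> wrapper we add ourselves;
// all text, marked or not, goes through esc(). Falls back to plain content when the
// backend sent no highlight.
function renderSafe(r: SearchHit): string {
  const segs = r.highlighted !== undefined
    ? parseHighlight(r.highlighted)
    : [{ text: r.content, marked: false }];
  return segs
    .map((s) => (s.marked ? `<mark>${esc(s.text)}</mark>` : esc(s.text)))
    .join("");
}

// Constructed sample hit: a legitimate highlight plus a tag that should never render.
const SAMPLE_HIT: SearchHit = {
  content: "foo bar",
  highlighted: "foo <mark>bar</mark> <script>x()</script>",
};
```

In the React view the same `Segment[]` would be rendered without any HTML string at all, as `segs.map((s, i) => s.marked ? <mark key={i}>{s.text}</mark> : s.text)`; React escapes text children itself, so `dangerouslySetInnerHTML` drops out entirely. The string-serialising `renderSafe` above exists only so the two behaviours can be compared side by side outside a DOM.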

github-actions Bot and others added 19 commits April 15, 2026 18:22
The search results view renders HTML using `dangerouslySetInnerHTML` and prefers `r.highlighted` when present. While `r.content` is escaped via `esc()`, `r.highlighted` is inserted without sanitization. If `highlighted` can be influenced by user-controlled indexed content or backend responses, an attacker could inject arbitrary HTML/JS (stored or reflected XSS).

Affected files: search.tsx

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
@mksglu mksglu changed the base branch from main to next April 25, 2026 01:13