Phase 1 feature implementation [feat/#43] #45
Conversation
| <link rel="stylesheet" | ||
| href="https://cdn.jsdelivr.net/npm/flatpickr/dist/flatpickr.min.css"> | ||
| <!-- jquery --> | ||
| <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script> |
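Review bot: the jQuery script tag from code.jquery.com (and the flatpickr stylesheet from cdn.jsdelivr.net above it) is loaded with no `integrity` or `crossorigin` attribute, so a compromise of the CDN or of the TLS path runs attacker script in every user's session; that is what the CodeQL "untrusted source" warning is about. Pin the exact version and add Subresource Integrity with the hash jQuery publishes for that file, e.g. `<script src="https://code.jquery.com/jquery-3.6.0.min.js" integrity="sha384-..." crossorigin="anonymous"></script>` (hash placeholder, take the real one from jquery.com), or vendor both files into the project's static directory.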
Check warning (Code scanning / CodeQL): Inclusion of functionality from an untrusted source, severity Medium
| html += '<div class="message my-message">' + message + '</div>'; | ||
| } | ||
| html += '</li>'; | ||
| element.insertAdjacentHTML('beforebegin', html); |
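Review bot: `message` is concatenated straight into `html` and handed to `insertAdjacentHTML`, which parses the string as markup, so whatever reaches `message` is rendered as HTML for every recipient of the chat message; the snippet does not show how `message` was built, and unless it has already been through `escapeHTML` this is the stored XSS sink CodeQL is reporting. Escape every user-controlled field before concatenation, or better, build the nodes with `createElement`/`textContent` so there is no markup parsing of user data at all.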
Check failure (Code scanning / CodeQL): Client-side cross-site scripting, severity High; source: user-provided value
Copilot Autofix (AI, 7 months ago):
To fix the issue, all user-provided data (e.g., data.username and data.time) must be sanitized before being inserted into the DOM. The escapeHTML function already exists in the code and can be reused to sanitize these fields. This ensures that any potentially malicious content is properly escaped, preventing XSS attacks.
The changes involve:
- Applying the escapeHTML function to data.username and data.time before interpolating them into the html string.
- Ensuring that all dynamic content in the HTML string is sanitized.
| @@ -379,3 +379,3 @@ | ||
| html += '<div class="message-data text-end">'; | ||
| html += '<span class="message-data-time">(' + data.time + ')</span> ' | ||
| html += '<span class="message-data-time">(' + escapeHTML(data.time) + ')</span> ' | ||
| if (data.is_admin) { | ||
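Review bot: escaping `data.time` at the point where it is interpolated (rather than where it is received) is the right shape of fix, but it only holds if `escapeHTML` replaces all of `&`, `<`, `>`, `"` and `'`; a hand-rolled helper that only swaps angle brackets leaves attribute-context injection open elsewhere in this file. The helper is not visible in the diff, so confirm its replacement set before merging.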
| @@ -391,3 +391,3 @@ | ||
| if (data.username !== '{{ request.user.username }}') { | ||
| tmp_username = data.username; | ||
| tmp_username = escapeHTML(data.username); | ||
| } | ||
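Review bot: `tmp_username` is escaped at assignment, but the hunk does not show where it is consumed; if it only flows into the `html` string that is fine, but if it is also compared against another value or assigned via `textContent`, the escaped form will mis-compare or display as `&amp;`. The unchanged comparison `data.username !== '{{ request.user.username }}'` also embeds a Django template value in a JavaScript string literal: with Django's default HTML autoescaping a username containing `'` or `&` is emitted as an entity, so the comparison silently fails for such users. Pass the username into script with the `escapejs` filter or the `json_script` tag, and keep the comparison on the raw, unescaped value.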
| @@ -398,3 +398,3 @@ | ||
| } | ||
| html += '<span class="message-data-time">(' + data.time + ')</span>'; | ||
| html += '<span class="message-data-time">(' + escapeHTML(data.time) + ')</span>'; | ||
| html += '</div>'; |
| html += '<div class="message my-message">' + message + '</div>'; | ||
| } | ||
| html += '</li>'; | ||
| element.insertAdjacentHTML('beforebegin', html); |
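Review bot: this is the same `insertAdjacentHTML` sink as the alert above, reported a second time because CodeQL traces a second user-controlled source (`data.username`) into it. The first autofix patches each source individually but keeps string-building, so every new field added to `html` later reopens the finding; fix the sink once by constructing the `li` with `createElement`/`textContent` instead of escaping source by source.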
Check failure
Code scanning / CodeQL
Client-side cross-site scripting High
user-provided value
Copilot Autofix (AI, 7 months ago):
To fix the issue, all user-provided data used in constructing the HTML string must be sanitized to prevent XSS. The escapeHTML function should be applied to all fields that are interpolated into the HTML, including data.time, data.username, and data.is_admin. Additionally, the use of insertAdjacentHTML should be replaced with safer alternatives, such as creating DOM elements programmatically and appending them to the DOM.
| @@ -366,22 +366,44 @@ | ||
| let message = escapeHTML(data.message).replace(/\n/g, '<br>'); | ||
| let time = escapeHTML(data.time); | ||
| let username = escapeHTML(data.username); | ||
|
|
||
| let li = document.createElement('li'); | ||
| li.className = 'clearfix'; | ||
|
|
||
| let html = '<li class="clearfix">'; | ||
| if (data.username === '{{ request.user.username }}' && !data.is_admin) { | ||
| html += '<div class="message-data text-end">'; | ||
| html += '<span class="message-data-time">(' + data.time + ')</span> あなた' | ||
| html += '</div>'; | ||
| html += '<div class="message other-message float-right">' + message + '</div>' | ||
| let messageData = document.createElement('div'); | ||
| messageData.className = 'message-data text-end'; | ||
| messageData.innerHTML = `<span class="message-data-time">(${time})</span> あなた`; | ||
| li.appendChild(messageData); | ||
|
|
||
| let messageDiv = document.createElement('div'); | ||
| messageDiv.className = 'message other-message float-right'; | ||
| messageDiv.innerHTML = message; | ||
| li.appendChild(messageDiv); | ||
| } else { | ||
| html += '<div class="message-data">'; | ||
| let messageData = document.createElement('div'); | ||
| messageData.className = 'message-data'; | ||
|
|
||
| if (data.is_admin) { | ||
| html += '<span class="badge bg-primary">管理者</span>'; | ||
| let adminBadge = document.createElement('span'); | ||
| adminBadge.className = 'badge bg-primary'; | ||
| adminBadge.textContent = '管理者'; | ||
| messageData.appendChild(adminBadge); | ||
| } else { | ||
| html += data.username; | ||
| messageData.textContent = username; | ||
| } | ||
| html += '<span class="message-data-time">(' + data.time + ')</span>'; | ||
| html += '</div>'; | ||
| html += '<div class="message my-message">' + message + '</div>'; | ||
|
|
||
| let timeSpan = document.createElement('span'); | ||
| timeSpan.className = 'message-data-time'; | ||
| timeSpan.textContent = `(${time})`; | ||
| messageData.appendChild(timeSpan); | ||
| li.appendChild(messageData); | ||
|
|
||
| let messageDiv = document.createElement('div'); | ||
| messageDiv.className = 'message my-message'; | ||
| messageDiv.innerHTML = message; | ||
| li.appendChild(messageDiv); | ||
| } | ||
| html += '</li>'; | ||
| element.insertAdjacentHTML('beforebegin', html); | ||
|
|
||
| element.parentNode.insertBefore(li, element); | ||
| }; |
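Review bot: `messageData.textContent = username` in the `else` branch double-escapes: `username` was already passed through `escapeHTML` at the top of the hunk, and `textContent` renders the string literally, so a user named `A&B` is displayed as `A&amp;B`. Assign the raw `data.username` to `textContent` and reserve `escapeHTML` for values that still go through `innerHTML`, which in this hunk are `message` (escaped, then `\n` to `<br>`) and `time` inside the template literal `` `<span class="message-data-time">(${time})</span> あなた` ``. Those two `innerHTML` assignments are the remaining parse-as-markup points and are safe only because the values are escaped first; building the span with `createElement`/`textContent` and splitting `message` on `\n` into text nodes and `br` elements would remove `innerHTML` entirely. `data.is_admin` is only used in conditions, so it needs no escaping regardless of what the summary says.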
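Both autofixes above keep some `innerHTML`, and the second one escapes a value that is then assigned to `textContent`. The following is an added example, not code from the project or from Copilot, of rendering the same message structure (the `data` fields and class names are taken from the diff) purely with DOM APIs: untrusted fields go through `textContent`/`createTextNode`, newlines become `br` elements instead of an `innerHTML` replace, and nothing is escaped twice. The `currentUser` parameter stands in for the Django `'{{ request.user.username }}'` literal and is an assumption of the example; the `fakeDocument` and serializer exist only so the example runs under Node, in the page you pass the real `document`.

```javascript
// Added example, not the project's code: build a chat message <li> with DOM
// APIs only. `doc` is `document` in the browser; `currentUser` is an assumed
// parameter replacing the Django template literal in the original.
function buildMessageNode(doc, data, currentUser) {
  const li = doc.createElement('li');
  li.className = 'clearfix';
  const isOwn = data.username === currentUser && !data.is_admin;

  const meta = doc.createElement('div');
  meta.className = isOwn ? 'message-data text-end' : 'message-data';
  if (!isOwn) {
    if (data.is_admin) {
      const badge = doc.createElement('span');
      badge.className = 'badge bg-primary';
      badge.textContent = '管理者'; // "Administrator", a constant, not user input
      meta.appendChild(badge);
    } else {
      // Raw username as a text node: the browser never parses it as markup.
      meta.appendChild(doc.createTextNode(data.username));
    }
  }
  const timeSpan = doc.createElement('span');
  timeSpan.className = 'message-data-time';
  timeSpan.textContent = '(' + data.time + ')';
  meta.appendChild(timeSpan);
  if (isOwn) meta.appendChild(doc.createTextNode(' あなた')); // "you"
  li.appendChild(meta);

  const body = doc.createElement('div');
  body.className = isOwn ? 'message other-message float-right' : 'message my-message';
  // Newlines become <br> elements; each line stays a text node, which is what
  // escapeHTML(...).replace(/\n/g, '<br>') + innerHTML was trying to achieve.
  data.message.split('\n').forEach((line, i) => {
    if (i > 0) body.appendChild(doc.createElement('br'));
    body.appendChild(doc.createTextNode(line));
  });
  li.appendChild(body);
  return li;
}

// Minimal stand-in for `document`, constructed here only so the example runs
// under Node; it models the subset of the DOM the renderer above relies on.
function escapeText(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}
function makeElement(tag) {
  const el = { tag, className: '', children: [] };
  Object.defineProperty(el, 'textContent', {
    set(v) { el.children = [{ text: String(v) }]; },
    get() { return el.children.map(c => c.text !== undefined ? c.text : c.textContent).join(''); },
  });
  el.appendChild = (child) => { el.children.push(child); return child; };
  return el;
}
const fakeDocument = {
  createElement: makeElement,
  createTextNode: (t) => ({ text: String(t) }),
};
// Serializes the node tree the way a browser would when reading outerHTML:
// text nodes are escaped exactly once here, which is the only escaping needed.
function serialize(node) {
  if (node.text !== undefined) return escapeText(node.text);
  if (node.tag === 'br') return '<br>';
  const cls = node.className ? ' class="' + escapeText(node.className) + '"' : '';
  return '<' + node.tag + cls + '>' + node.children.map(serialize).join('') + '</' + node.tag + '>';
}

// Constructed sample payload resembling what the chat socket would deliver.
const hostilePayload = {
  username: 'A&B', time: '12:00', is_admin: false,
  message: '<img src=x onerror=alert(1)>\nsecond line',
};

function renderMessageHTML(data, currentUser) {
  return serialize(buildMessageNode(fakeDocument, data, currentUser));
}
```

With the real `document`, the returned `li` is inserted with `element.parentNode.insertBefore(li, element)` as the autofix does; `renderMessageHTML` is only a convenience for inspecting the result outside a browser.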
03d64d0 to ac4c519
Target issue number
fixes #43
Changes
Reason for the changes