From 1e8cde81be78a5a2f558e8d15690bccb9e90cb74 Mon Sep 17 00:00:00 2001
From: ZGaetano
Date: Tue, 19 May 2026 00:09:49 -0400
Subject: [PATCH] fix(projects): prevent JS injection via bin names in onclick handlers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

binCard() was building onclick="renameBinPrompt('id', 'NAME')" by calling esc() then .replace(/'/g, "\\'"). The problem: esc() converts ' to ', so the replace never fires on raw single quotes. When the HTML parser evaluates the attribute it decodes ' back to ', breaking the JS string — and for injected payloads like `'; alert(1)//` this is stored XSS. Fix: use JSON.stringify(b.name) to produce a properly-escaped double- quoted JS string literal, then esc() to HTML-encode the surrounding double-quotes for safe embedding in the HTML attribute.
---
 services/web-ui/public/projects.html | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/services/web-ui/public/projects.html b/services/web-ui/public/projects.html
index 946f7cd..7fa80dd 100644
--- a/services/web-ui/public/projects.html
+++ b/services/web-ui/public/projects.html
@@ -480,6 +480,9 @@
 }
 function binCard(b) {
+ // Use JSON.stringify + esc so the bin name is safe in an onclick JS string
+ // regardless of quotes, backslashes, or other special characters it may contain.
+ const nameJs = esc(JSON.stringify(b.name));
 return '
' + '
' + '' +
@@ -487,7 +490,7 @@
 '
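Review bot: The new `nameJs` is safe only if `esc()` HTML-encodes `&` and `"` (not just the single quote the commit message discusses): JSON.stringify leaves `&`, `<` and `>` raw, so an ampersand that esc() passed through would be decoded by the attribute parser and could re-introduce a quote inside the JS literal. Worth pinning that contract in the new comment, e.g. `// relies on esc() encoding & " < > so the JSON literal survives attribute decoding unchanged`. The more durable fix is to keep bin names out of inline handlers entirely: emit `data-bin-id` on the button, look the name up in a delegated click listener, and drop the double-encoding context, which also keeps the page working under a CSP without 'unsafe-inline'. binCard's body continues past this hunk.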
' + '
Created ' + new Date(b.created_at).toLocaleDateString() + '
' + '
' +
- '' +
+ '' +
 '' +
 '
' + '
';
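Review bot: The Rename handler's id argument is not covered by the fix; if it is still interpolated as `'\'' + esc(b.id) + '\''` (the attribute markup is not reproduced in this rendering, so this is inferred from the commit message), it has the same entity-decoding weakness the commit removes for the name, and the adjacent Delete button that this hunk leaves unchanged presumably shares the pattern. Ids are likely server-generated, so this is defence in depth rather than a live injection, but encoding it the same way is a one-liner: `const idJs = esc(JSON.stringify(b.id));` used in both handlers. A regression test rendering `binCard({ id: 'x', name: "'; alert(1)//" })` and asserting the onclick attribute contains no unescaped quote would keep this from coming back. The enclosing binCard body starts before this hunk.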