DEV-46516 GrafanaX fix urls in snapshots page #44
Conversation
![cycode-security[bot]](https://avatars.githubusercontent.com/in/39308?s=60&v=4){kind=small}
| string += `${metric.label} : `; | ||
| string += `<span style="color:${metric.color}"><b>${metric.value}</b></span>`; | ||
| } | ||
| div.innerHTML = string; |
There was a problem hiding this comment.
❗Cycode: SAST violation: 'Unsanitized user input in dynamic HTML insertion (XSS)'.
Severity: High
Description
Unsanitized user input in dynamic HTML insertion can lead to Cross-Site Scripting (XSS) attacks. This vulnerability arises when user-provided data is directly inserted into the DOM without proper sanitization, potentially allowing attackers to execute malicious scripts.
Cycode Remediation Guideline
✅ Do
- Do use an HTML sanitization library to clean user input before inserting it into the HTML. This step helps prevent XSS attacks by removing or neutralizing any potentially harmful scripts.
import sanitizeHtml from 'sanitize-html';
const html = `<strong>${user.Input}</strong>`;
document.body.innerHTML = sanitizeHtml(html);📋 References
Tell us what to do with one of the following hashtags:
| Tag | Short Description |
|---|---|
| #cycode_sast_ignore_here | Ignore this violation — applies to this violation only |
| #cycode_sast_false_positive | Mark as false positive — applies to this violation only |
| plugin.popover = function (text, tagBook, tagImage) { | ||
| const url = this.repository; | ||
| const images = `${this.repository}images/`; | ||
| const textEncoded = String(text).replace(/&/g, '&').replace(/</g, '<').replace(/>/g, '>').replace(/"/g, '"'); |
There was a problem hiding this comment.
❗Cycode: SAST violation: 'Usage of manual HTML sanitization (XSS)'.
Severity: High
Description
Manually sanitizing HTML is prone to mistakes and can lead to Cross-Site Scripting (XSS) vulnerabilities. This occurs when user input is not properly sanitized, allowing attackers to inject malicious scripts into web pages viewed by other users.
Cycode Remediation Guideline
✅ Do
- Do use a trusted HTML sanitization library to handle user input safely. Libraries designed for sanitization are more reliable as they cover a wide range of XSS attack vectors.
import sanitizeHtml from 'sanitize-html';
const html = sanitizeHtml(`<strong>${user.Input}</strong>`);❌ Don't
- Do not manually escape HTML to sanitize user input. This method is unreliable and can easily miss certain exploits.
const sanitizedUserInput = user.Input
.replaceAll('<', '<')
.replaceAll('>', '>'); // unsafe
const html = `<strong>${sanitizedUserInput}</strong>`;📋 References
Tell us what to do with one of the following hashtags:
| Tag | Short Description |
|---|---|
| #cycode_sast_ignore_here | Ignore this violation — applies to this violation only |
| #cycode_sast_false_positive | Mark as false positive — applies to this violation only |
the
grafana-appis still in the urlbut at least the link works now