
Potential fix for code scanning alert no. 6: Stored cross-site scripting #63

Merged
merged 5 commits into from
Jan 26, 2025

Conversation

NelsonBN (Member)

Potential fix for https://github.com/craft-code-club/blog-c3/security/code-scanning/6

To fix the stored cross-site scripting vulnerability, we need to sanitize the post.id value before using it in the href attribute of the Link component. The best way to achieve this is by using a library that provides HTML escaping functionality to ensure that any potentially harmful characters are properly encoded.

We will use the escape-html library to escape the post.id value before using it in the Link component. This will prevent any malicious scripts from being executed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
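The fix described above, as an added example that is not code from the blog-c3 repository or from this PR: `escapeHtml` is a self-contained stand-in for the escape-html package's `escape()` (same five characters, same entities) so the block runs without npm, with the string type check the Copilot review asks for. For comparison it also builds the same href with `encodeURIComponent`, a hypothetical alternative not taken in the PR, because HTML entity escaping leaves URL path characters such as `/`, `?` and `#` untouched.

```javascript
// Added example, not from the blog-c3 repository. escapeHtml below is a
// self-contained stand-in for the escape-html package's escape(): it replaces
// the same five characters with the same entities, so the example runs offline.
function escapeHtml(value) {
  // Type guard the Copilot review comment asks for: refuse anything that is not a string.
  if (typeof value !== 'string') {
    throw new TypeError(`post id must be a string, got ${typeof value}`);
  }
  const entities = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return value.replace(/[&<>"']/g, (ch) => entities[ch]);
}

// The href as the PR builds it: HTML-escape the id, then interpolate it into the path.
function postHref(postId) {
  return `/posts/${escapeHtml(postId)}`;
}

// Hypothetical alternative for comparison (not part of the PR): a path segment is
// URL context, so percent-encode it. This also neutralises '/', '?' and '#',
// which HTML entity escaping leaves in place.
function postHrefEncoded(postId) {
  if (typeof postId !== 'string') {
    throw new TypeError(`post id must be a string, got ${typeof postId}`);
  }
  return `/posts/${encodeURIComponent(postId)}`;
}

// Constructed sample ids: a normal slug, one with HTML-significant characters,
// and one with URL-significant characters.
const SAMPLE_IDS = ['hello-world', 'a"b<c>', 'x/y?z#w'];

// Side-by-side view of what each encoding does to each sample id.
function compareEncodings(ids = SAMPLE_IDS) {
  return ids.map((id) => ({
    id,
    htmlEscaped: postHref(id),
    urlEncoded: postHrefEncoded(id),
  }));
}

console.table(compareEncodings());
```

Running it shows `a"b<c>` becoming `/posts/a&quot;b&lt;c&gt;` under HTML escaping but `/posts/a%22b%3Cc%3E` under percent-encoding, while `x/y?z#w` passes through HTML escaping unchanged and is percent-encoded to `/posts/x%2Fy%3Fz%23w`; either way, a non-string id is rejected before it reaches the href.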

cloudflare-workers-and-pages bot commented Jan 25, 2025

Deploying blog-c3 with Cloudflare Pages

Latest commit: babd8ec
Status: 🚫 Build failed.

@NelsonBN NelsonBN marked this pull request as ready for review January 25, 2025 19:09
@NelsonBN NelsonBN requested a review from a team as a code owner January 25, 2025 19:09

🚀 Preview Url 🚀

https://aafffc5d.blog-c3.pages.dev


Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

Files not reviewed (1)
  • package.json: Language not supported
Comments suppressed due to low confidence (2)

src/app/topics/[topic]/page.tsx:74

  • Ensure that post.id is a string before passing it to escapeHtml to prevent unexpected behavior if post.id is not a string.
<Link href={`/posts/${escapeHtml(post.id)}`}>
@NelsonBN NelsonBN merged commit d744d7c into main Jan 26, 2025
4 checks passed
@NelsonBN NelsonBN deleted the alert-autofix-6 branch January 26, 2025 04:09