
security: sanitize HTML in popup trusted-origins list (XSS fix) #15

Merged: melvincarvalho merged 1 commit into JavaScriptSolidServer:main from jjohare:security/fix-popup-xss on May 13, 2026

Conversation


@jjohare jjohare commented May 12, 2026

Summary

  • Severity: HIGH-02 (XSS in privileged popup context)
  • Replace innerHTML template literal interpolation with DOM API methods (createElement, textContent, appendChild) when rendering the trusted origins list in popup/popup.js
  • The previous code interpolated the origin string directly into HTML via template literals, allowing an attacker who gets a malicious string into the trusted origins list (e.g. <img src=x onerror="...">) to execute arbitrary JavaScript in the popup's privileged extension context, potentially exfiltrating the user's private key
  • Verified no other innerHTML usage in popup.js involves user-controlled data

Test plan

  • Load extension and navigate to a site, approve trust prompt
  • Verify trusted origins list renders correctly in popup
  • Verify "Remove" buttons still work for each trusted origin
  • Manually add a malicious-looking origin string to storage (e.g. <img src=x onerror="alert(1)">) and verify it renders as escaped text, not executed HTML

Co-Authored-By: claude-flow <ruv@ruv.net>

Replace innerHTML template literal interpolation with DOM API methods
(createElement, textContent, appendChild) when rendering the trusted
origins list. The previous code interpolated the origin string directly
into HTML, allowing an attacker who injects a malicious string into the
trusted origins (e.g. <img src=x onerror="...">) to execute arbitrary
JavaScript in the popup's privileged extension context, potentially
exfiltrating the user's private key.

Co-Authored-By: claude-flow <ruv@ruv.net>
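The two rendering styles the PR contrasts, side by side, as an added example that is not the extension's own popup.js. A minimal document shim (an assumption: it models only createElement, textContent, innerHTML, appendChild and addEventListener, and serializes text nodes entity-escaped the way a browser's outerHTML would) lets the file run under Node; the origin strings, including the `<img src=x onerror="alert(1)">` value from the test plan, are constructed for the demo. The point it shows is that a string assigned through textContent is never parsed as markup, while the same string interpolated into an innerHTML template literal becomes live HTML.

```javascript
// Added example, not the project's code. The shim below stands in for the
// browser DOM (assumption) so the two renderers can be compared offline.

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

class ShimNode {
  constructor(tagName) {
    this.tagName = tagName;
    this.children = [];   // child ShimNodes, or strings for text nodes
    this.rawHtml = null;  // markup assigned via innerHTML, kept as-is (it is live HTML)
    this.className = "";
    this.listeners = {};
  }
  appendChild(child) { this.children.push(child); return child; }
  // textContent replaces the subtree with a single text node; no parsing happens.
  set textContent(value) { this.children = [String(value)]; this.rawHtml = null; }
  // innerHTML replaces the subtree with whatever the markup parses to.
  set innerHTML(markup) { this.children = []; this.rawHtml = String(markup); }
  addEventListener(type, fn) { (this.listeners[type] = this.listeners[type] || []).push(fn); }
  // Serialize like outerHTML: text nodes escaped, innerHTML markup verbatim.
  serialize() {
    const inner = (this.rawHtml || "") + this.children
      .map(c => (typeof c === "string" ? escapeHtml(c) : c.serialize())).join("");
    const cls = this.className ? ` class="${this.className}"` : "";
    return `<${this.tagName}${cls}>${inner}</${this.tagName}>`;
  }
}

const document = { createElement: (tag) => new ShimNode(tag) };

// Vulnerable pattern: the origin string is spliced into HTML source text, so a
// stored value such as <img src=x onerror="..."> is parsed and executed.
function renderTrustedOriginsUnsafe(container, origins) {
  container.innerHTML = origins
    .map(o => `<li class="origin"><span>${o}</span><button class="remove">Remove</button></li>`)
    .join("");
}

// Hardened pattern: the origin string only ever becomes a text node, and the
// Remove handler gets the origin through a closure rather than an attribute.
function renderTrustedOriginsSafe(container, origins, onRemove) {
  container.innerHTML = "";  // static empty-state reset, no user data involved
  for (const origin of origins) {
    const li = document.createElement("li");
    li.className = "origin";
    const span = document.createElement("span");
    span.textContent = origin;  // never parsed as markup
    const btn = document.createElement("button");
    btn.className = "remove";
    btn.textContent = "Remove";
    btn.addEventListener("click", () => onRemove(origin));
    li.appendChild(span);
    li.appendChild(btn);
    container.appendChild(li);
  }
}

// Constructed sample data: one normal origin and the test plan's payload string.
const CONSTRUCTED_ORIGINS = ["https://app.example", '<img src=x onerror="alert(1)">'];

// Renders both ways, clicks "Remove" on the second entry of the safe list, and
// returns the serialized HTML so the difference can be inspected or asserted.
function demo() {
  const removed = [];
  const unsafe = document.createElement("ul");
  renderTrustedOriginsUnsafe(unsafe, CONSTRUCTED_ORIGINS);
  const safe = document.createElement("ul");
  renderTrustedOriginsSafe(safe, CONSTRUCTED_ORIGINS, o => removed.push(o));
  safe.children[1].children[1].listeners.click[0]();  // simulate the click
  return { unsafeHtml: unsafe.serialize(), safeHtml: safe.serialize(), removed };
}

const result = demo();
console.log("unsafe:", result.unsafeHtml);
console.log("safe:  ", result.safeHtml);
console.log("removed:", result.removed);
```

Running it prints the payload as a literal `<img ...>` element inside the unsafe list and as `&lt;img ... &gt;` text inside the safe one, while the Remove callback still receives the exact stored origin string. The same audit the PR describes (grep for `innerHTML` assignments whose right-hand side is a template literal with `${...}` holes) is what catches the first pattern in review.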

Copilot AI left a comment


Pull request overview

Mitigates an XSS risk in the extension popup by avoiding HTML string interpolation when rendering the trusted-origins list, ensuring untrusted origin strings can’t execute script in the privileged popup context.

Changes:

  • Replaced innerHTML-based list rendering with safe DOM construction (createElement, textContent, appendChild) for each trusted origin entry.
  • Kept the empty-state rendering as a static innerHTML string (not user-controlled), while preserving per-origin “Remove” functionality via click handlers.


@melvincarvalho melvincarvalho merged commit c051833 into JavaScriptSolidServer:main May 13, 2026
4 checks passed