
Fix code scanning alert no. 27: DOM text reinterpreted as HTML #801

Merged
merged 1 commit into from
Nov 8, 2024

Conversation

u1-liquid
Member

Fixes https://github.com/MisskeyIO/misskey/security/code-scanning/27

To fix this issue, we need to ensure that the file variable is properly sanitized before being used as the src attribute of the audio element. One effective way to do this is by using a URL validation function to ensure that the file variable is a valid and safe URL. This will prevent any malicious content from being interpreted as HTML.

  1. Create a URL validation function to check if the file variable is a valid URL.
  2. Use this validation function before assigning the file variable to the src attribute of the audio element.
  3. If the file variable is not a valid URL, handle the error appropriately (e.g., by rejecting the promise or providing a default safe URL).

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
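An added example of the validation the description above calls for (it is not the PR's or the project's own code): a validator that accepts only absolute http(s) URLs and returns the URL parser's re-serialised form, plus both error-handling variants from step 3 (reject the promise, or substitute a default safe URL). The function names, the fallback URL and the restriction to http/https are assumptions.

```typescript
// Added example, not Misskey's code. Only these schemes may reach <audio src>;
// javascript:, data:, blob: and anything unparsable are rejected (assumption).
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns a safe, normalised URL string, or null when the value must not be used.
function toSafeMediaUrl(file: unknown): string | null {
  if (typeof file !== 'string' || file.length === 0) return null;
  let url: URL;
  try {
    // No base URL is supplied, so relative or scheme-relative strings
    // ("//host/x", "<img>") fail to parse and are rejected here.
    url = new URL(file);
  } catch {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  // Embedded credentials are never expected in a drive file URL (assumption).
  if (url.username !== '' || url.password !== '') return null;
  // url.href is the parser's re-serialised form: characters such as < > " and
  // space in the path are percent-encoded, so the value can neither close an
  // attribute nor open a tag if it is ever interpolated into markup.
  return url.href;
}

// Placeholder default; a deployment would point this at a known-safe asset.
const FALLBACK_AUDIO_SRC = 'https://example.invalid/silence.mp3';

// Variant A of step 3: fall back to a default safe URL.
function resolveAudioSrc(file: unknown): string {
  return toSafeMediaUrl(file) ?? FALLBACK_AUDIO_SRC;
}

// Variant B of step 3: reject the promise so the caller can surface the error.
function loadAudioSrc(file: unknown): Promise<string> {
  const safe = toSafeMediaUrl(file);
  return safe === null
    ? Promise.reject(new Error('audio source is not a valid http(s) URL'))
    : Promise.resolve(safe);
}

// Assign through the DOM property rather than by building an HTML string;
// the structural type lets this run without a browser document.
function applyAudioSrc(audio: { src: string }, file: unknown): void {
  audio.src = resolveAudioSrc(file);
}
```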

sonarqubecloud bot commented Nov 8, 2024

@u1-liquid
Member Author

It's a case that can't actually happen in the code, but I suppose it's better to check just in case...

@u1-liquid u1-liquid marked this pull request as ready for review November 8, 2024 06:54
@u1-liquid u1-liquid merged commit ee135b7 into io Nov 8, 2024
14 checks passed
@u1-liquid u1-liquid deleted the alert-autofix-27 branch November 8, 2024 06:54
ghost pushed a commit to hotomoe/hotomoe that referenced this pull request Dec 20, 2024
* spec(frontend): Adjust the items displayed on the Explore (みつける) page (MisskeyIO#783)

* feat(analytics): Implement Google Analytics, consent mode, and tracking for some features (MisskeyIO#784)

* update deps (MisskeyIO#786)

* fix(typescript): Fix the type definitions for vue-gtag (MisskeyIO#788)

* Treat a file as sensitive when it is federated as sensitive after originally having been federated as not sensitive (misskey-dev#13879)

Cherry-picked from a7a8dc4

Co-authored-by: anatawa12 <[email protected]>
Co-authored-by: Sayamame-beans <[email protected]>

* enhance(frontend): Improve the external app authorization screen (misskey-dev#14828)

Cherry-picked from 076cc95

Co-authored-by: かっこかり <[email protected]>

* 🎨

Design fixes for misskey-dev#14828

* enhance(frontend): Add a message to prevent Self-XSS (misskey-dev#14839)

Cherry-picked from a6a1e3d

Co-authored-by: かっこかり <[email protected]>

* fix(misskey-js): Make the WebSocket type definition depend on ReconnectingWebsocket (misskey-dev#14850)

Cherry-picked from ec4358d

Co-authored-by: かっこかり <[email protected]>

* enhance: Improve the avatar decoration management screen

Cherry-picked from 74847bc

Co-authored-by: syuilo <[email protected]>

* fix(backend): Fix a server error occurring when `/@` is accessed (misskey-dev#13884)

Cherry-picked from 1df8ea8

Co-authored-by: かっこかり <[email protected]>

* fix(backend): Fix case-sensitive handling of remote users' acct when federating notes (misskey-dev#14880)

Cherry-picked from 6718a54

Co-authored-by: Laura Hausmann <[email protected]>

* Bump up version to 2024.5.0-io.4 (MisskeyIO#789)

* feat(analytics): Fix the duplicate event filter (MisskeyIO#791)

* spec(SSO/SAML): Add attributes (MisskeyIO#792)

* feat(analytics): Implement events for deck UI page navigation and API response time (MisskeyIO#793)

* Bump up version to 2024.5.0-io.4a (MisskeyIO#794)

* update deps (MisskeyIO#798)

* Fix code scanning alert no. 25: Incomplete URL scheme check (MisskeyIO#799)

* Fix code scanning alert no. 26: Incomplete URL scheme check

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Fix code scanning alert no. 25: Incomplete URL scheme check

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* update deps (MisskeyIO#802)

* Fix code scanning alert no. 28: Incomplete string escaping or encoding (MisskeyIO#800)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Fix code scanning alert no. 27: DOM text reinterpreted as HTML (MisskeyIO#801)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Bump up version to 2024.5.0-io.4b (MisskeyIO#804)

* fix(frontend): Fix an incomplete condition for detecting quote renotes (MisskeyIO#806)

* Bump up version to 2024.5.0-io.4c (MisskeyIO#807)

* fix(about-report-resolver): Fix being unable to revert the forwarding setting once it has been enabled (MisskeyIO#812)

Cherry-picked from atsu1125/misskey-core@5001b4b

Co-authored-by: atsu1125 <[email protected]>

* fix(frontend): Fix an error that could occur when viewing a user's profile page (MisskeyIO#813)

* spec(Email/Verifymail): Apply bans to MX record domains as well (MisskeyIO#814)

* fix(frontend): Fix IPv6 addresses overflowing the layout when viewed on smartphones (MisskeyIO#815)

* spec(sound/note): Turn off the sound effect for other users' posts by default (MisskeyIO#816)

* Bump up version to 2024.5.0-io.4d (MisskeyIO#817)

* chore(deps): bump codecov/codecov-action from 4 to 5 (MisskeyIO#819)

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 4 to 5.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@v4...v5)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* enhance(Gallery): Keep thumbnails blurred on hover & show the gallery description at the top (MisskeyIO#820)

* use node 22, update deps (MisskeyIO#822)

Co-authored-by: riku6460 <[email protected]>

* update deps (MisskeyIO#824)

* code cleanup (MisskeyIO#825)

* fix merge context

* enhance(frontend/navbar): Add "Support Misskey.io" to the navigation bar (MisskeyIO#828)

* enhance(Page): Allow pages to be made private (MisskeyIO#821)

* fix(frontend): Forgot to import instance (MisskeyIO#830)

* feat(frontend): Show a waveform in the audio player (MisskeyIO#827)

Co-authored-by: あわわわとーにゅ <[email protected]>
Co-authored-by: tar_bin <[email protected]>

* feat(MiAuth): Do not redirect to the callback when access token issuance fails (MisskeyIO#831)

Cherry-picked from TeamNijimiss/misskey@8003596

Co-authored-by: nafu-at <[email protected]>

* feat(MkError): more error info on MkError components

* fix(MkErrorDetailed): component structure

* fix(about): change donate link

* fix(donate): open in new tab instead of current window

* chore: bump version to 2024.5.0-hotomoe.9

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: あわわわとーにゅ <[email protected]>
Co-authored-by: anatawa12 <[email protected]>
Co-authored-by: Sayamame-beans <[email protected]>
Co-authored-by: かっこかり <[email protected]>
Co-authored-by: syuilo <[email protected]>
Co-authored-by: Laura Hausmann <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: atsu1125 <[email protected]>
Co-authored-by: sleep-moe <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: まっちゃてぃー。 <[email protected]>
Co-authored-by: riku6460 <[email protected]>
Co-authored-by: オスカー、 <[email protected]>
Co-authored-by: tar_bin <[email protected]>
Co-authored-by: nafu-at <[email protected]>