Conversation

Contributor

Copilot AI commented Dec 9, 2025

Addresses XSS vulnerability in Discogs markup parsing where unsanitized user content from the Discogs API could be injected into the DOM through [url] tags and link text.

Changes

Added DOMPurify dependency

  • Provides trusted HTML sanitization for user-provided content

Implemented sanitizeUrl() function

  • Validates URL format using native URL API
  • Restricts protocols to http:, https:, ftp: only
  • Returns safe placeholder # for invalid/malicious URLs (e.g., javascript:, data:)
  • Decodes HTML entities before validation

Sanitized all user-controlled strings

  • Link text in [url=...]text[/url] tags stripped of HTML
  • Display names in [a=name] search links stripped of HTML
  • Display URLs in [url]...[/url] tags use validated URL

Example

Before:

// Vulnerable to XSS
result.replace(/\[url=(.*?)\](.*?)\[\/url\]/gi, 
  '<a href="$1">$2</a>');

After:

// Sanitized and validated
import DOMPurify from 'dompurify';
// sanitizeUrl() is the helper added in this PR: parses with the native URL API,
// allows only http:, https: and ftp:, and returns '#' for anything else
result.replace(/\[url=(.*?)\](.*?)\[\/url\]/gi, (_, url, text) => {
  const sanitizedUrl = sanitizeUrl(url);  // Protocol validation
  const sanitizedText = DOMPurify.sanitize(text, { ALLOWED_TAGS: [] });  // strip all markup from link text
  return `<a href="${sanitizedUrl}">${sanitizedText}</a>`;
});

Blocks: javascript:alert(1), data:text/html,<script>..., <img onerror=alert(1)>


Co-authored-by: BeardedBear <7188702+BeardedBear@users.noreply.github.com>

socket-security bot commented Dec 9, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package                  Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  @types/dompurify@3.0.5   100                    100            71       80           100
Added  dompurify@3.3.1          98                     100            100      90           70

View full report

Copilot AI changed the title [WIP] Address feedback on Discogs and Wikipedia/Wikidata support Add URL validation and DOMPurify sanitization to Discogs markup parser Dec 9, 2025
Copilot AI requested a review from BeardedBear December 9, 2025 22:18
@BeardedBear BeardedBear marked this pull request as ready for review December 9, 2025 22:36
@BeardedBear BeardedBear merged commit c3bf7e8 into add-discogs-support Dec 9, 2025
2 checks passed
@BeardedBear BeardedBear deleted the copilot/sub-pr-180-another-one branch December 9, 2025 22:36