Potential fix for code scanning alert no. 16: DOM text reinterpreted as HTML #246
Potential fix for https://github.com/veillette/physics-book/security/code-scanning/16
In general, to fix "DOM text reinterpreted as HTML" problems, never assign untrusted strings directly to `.innerHTML` (or similar HTML-parsing sinks) unless they have been sanitized by a robust HTML sanitizer or you are absolutely sure the string is trusted. Instead, either (a) use `.textContent`/`.innerText` so the text is rendered literally, or (b) apply a well-vetted sanitizer before using `.innerHTML`.

Here, the code appears to be transforming text into a math-friendly form like `$\theta_r = \theta_i$`. That content should be safe to render as text, and any subsequent math renderer (MathJax/KaTeX) can process it from text nodes. Therefore, the best minimal-impact fix is to stop using `innerHTML` for `caption` and `title` and instead assign to `textContent`. This preserves all existing functionality except that any HTML markup inside `title`/`data-title` will now be escaped and shown literally, which is the safe default.

Concretely, in `assets/js/book-viewer.js`, around lines 272–280, change:

- `caption.innerHTML = captionText;` to `caption.textContent = captionText;`
- `title.innerHTML = titleText;` to `title.textContent = titleText;`

`.textContent` is a standard DOM API and works in place of `.innerHTML` for plain text.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
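The sink swap described above, shown side by side with the flagged form, as an added example that is not code from veillette/physics-book or from the Copilot Autofix suggestion. Node has no DOM, so `FakeElement` is an assumed stand-in that models only the property that matters here: an `innerHTML` assignment is parsed as markup (every tag in the string becomes a live element, so an `onerror` handler would run), while `textContent` stores the string verbatim. The caption and payload strings, and the `renderCaption*` function names, are constructed for the example; in the real viewer the elements come from `document.querySelector` and the text from `data-title`.

```javascript
// Added example (not the physics-book project's code): the "DOM text
// reinterpreted as HTML" fix next to the vulnerable form it replaces.

// Constructed inputs, not taken from the book. SAMPLE_CAPTION is the kind of
// MathJax-delimited text the page describes; SAMPLE_PAYLOAD is an attacker-
// influenced title value (e.g. a crafted data-title attribute).
const SAMPLE_CAPTION = 'Law of reflection: $\\theta_r = \\theta_i$';
const SAMPLE_PAYLOAD = 'Figure 3 <img src=x onerror="alert(document.cookie)">';

// Assumed stand-in for a browser element: records what the HTML parser would
// create for innerHTML, and stores text verbatim for textContent.
class FakeElement {
  constructor() {
    this.text = '';  // what the user would see as text
    this.tags = [];  // element names the parser would have instantiated
  }
  // innerHTML: the string is parsed as markup; each "<name" opens an element.
  set innerHTML(markup) {
    const s = String(markup);
    this.tags = [...s.matchAll(/<\s*([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
    this.text = s.replace(/<[^>]*>/g, '');  // visible text is whatever is not a tag
  }
  // textContent: no parsing at all; the whole string becomes one text node.
  set textContent(s) {
    this.tags = [];
    this.text = String(s);
  }
}

// The 'before' form the alert flagged: DOM-sourced text fed to an HTML sink.
function renderCaptionUnsafe(el, captionText) {
  el.innerHTML = captionText;
  return el;
}

// The fix this PR proposes: the same string, assigned to textContent.
function renderCaption(el, captionText) {
  el.textContent = captionText;
  return el;
}

// Only for the case where a fixed, trusted wrapper must be built with innerHTML:
// escape the untrusted value first. (For author-supplied rich HTML, a real
// sanitizer such as DOMPurify is the right tool; this covers plain text only.)
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderCaptionWithTemplate(el, captionText) {
  el.innerHTML = `<span class="caption">${escapeHtml(captionText)}</span>`;
  return el;
}

// Runs all three renderers over the constructed inputs and returns what the
// "browser" would have ended up with, so the difference can be inspected.
function demo() {
  const unsafe = renderCaptionUnsafe(new FakeElement(), SAMPLE_PAYLOAD);
  const safe = renderCaption(new FakeElement(), SAMPLE_PAYLOAD);
  const math = renderCaption(new FakeElement(), SAMPLE_CAPTION);
  const templated = renderCaptionWithTemplate(new FakeElement(), SAMPLE_PAYLOAD);
  return {
    unsafeTags: unsafe.tags,        // ['img']: an <img> was created, onerror would fire
    safeTags: safe.tags,            // []: nothing was parsed
    safeText: safe.text,            // the payload is displayed literally
    mathText: math.text,            // delimiters untouched for MathJax/KaTeX to typeset
    templatedTags: templated.tags,  // ['span'] only: the trusted wrapper, no <img>
  };
}

console.log(demo());
```

The `mathText` result is the point the Autofix text makes: `textContent` leaves the `$...$` delimiters exactly as written, so a math renderer that scans text nodes still finds them, while the `<img>` in the payload never becomes an element.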