Skip to content

security: escape session IDs before inserting dropped records into HTML #6

Description

@solomonneas

The drag-and-drop loader accepts arbitrary JSON records, carries sessionId into the session view model, and interpolates it unescaped into a data-id attribute in variant 1.

References:

  • index.html:759-811
  • index.html:900-910
  • index.html:1891-1907

Other record-derived strings in the same renderer use esc, but s.sessionId does not.

Failure scenario: a downloaded or shared usage JSON file contains a session ID such as a quote followed by an event-handler attribute. When the user drops that file onto the page while variant 1 is active, assigning the generated string to innerHTML creates executable markup. The script runs in the page origin and can read cached usage records and subscription settings from localStorage.

Suggested direction: escape the attribute value at minimum, preferably build rows with DOM APIs and event listeners instead of inline HTML handlers. Add a regression test with quotes and markup in every record-derived field accepted by the drop loader.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions