Fix DOM-based XSS on home page pool table #51

Merged: marklynch merged 2 commits into main from claude/security-code-review-h5vi83 on Jun 25, 2026

@marklynch (Owner)

Channel/zone/valve names are copied verbatim from bus payloads and were
injected into the home page via innerHTML, allowing script execution in
the viewer's browser if a name contained HTML. Build the table cells with
textContent instead so bus-derived strings are never parsed as markup.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AkBZ1XBd8VUSDgN7JYAzhq

claude added 2 commits June 25, 2026 12:34
Channel/zone/valve names are copied verbatim from bus payloads and were
injected into the home page via innerHTML, allowing script execution in
the viewer's browser if a name contained HTML. Build the table cells with
textContent instead so bus-derived strings are never parsed as markup.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AkBZ1XBd8VUSDgN7JYAzhq
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AkBZ1XBd8VUSDgN7JYAzhq
@marklynch marklynch merged commit 5d16943 into main Jun 25, 2026
3 checks passed
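
An added example, not code from this pull request or the project: a row builder that follows the approach the description names, writing each bus-derived value through `textContent` so it is stored as text and never parsed as markup. The function names, the entry fields (`kind`, `name`, `state`), the sample name and the small stand-in document (there so the block runs under Node) are assumptions.

```javascript
// Minimal stand-in for the browser DOM so this runs offline under Node.
// In a page, pass the real `document` to buildPoolRow instead.
function makeFakeDocument() {
  // Mirrors how the DOM serializes a text node: &, < and > are escaped.
  const escapeText = (s) =>
    s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
  class El {
    constructor(tag) { this.tag = tag; this.children = []; this.text = ""; }
    // Assigning textContent drops existing children and stores plain text.
    set textContent(v) { this.children = []; this.text = String(v); }
    get textContent() {
      return this.text + this.children.map((c) => c.textContent).join("");
    }
    appendChild(child) { this.children.push(child); return child; }
    get outerHTML() {
      const inner = escapeText(this.text) +
        this.children.map((c) => c.outerHTML).join("");
      return `<${this.tag}>${inner}</${this.tag}>`;
    }
  }
  return { createElement: (tag) => new El(tag) };
}

// Hardened row builder (hypothetical name and field layout).
// The unsafe pattern the description refers to would be along the lines of
//   td.innerHTML = entry.name;
// which hands a bus-derived string to the HTML parser.
function buildPoolRow(doc, entry) {
  const tr = doc.createElement("tr");
  for (const value of [entry.kind, entry.name, entry.state]) {
    const td = doc.createElement("td");
    // textContent creates a text node; markup in the value stays inert.
    td.textContent = value == null ? "" : String(value);
    tr.appendChild(td);
  }
  return tr;
}

// Constructed sample: a valve name that happens to contain HTML.
const sampleEntry = { kind: "valve", name: "<b>Spa</b> & Jets", state: "open" };

const sampleRow = buildPoolRow(makeFakeDocument(), sampleEntry);
console.log(sampleRow.outerHTML);
```

A regression check for this class of bug can assert that a name containing markup yields a cell with no child elements and with `textContent` equal to the raw name.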