
Potential fix for code scanning alert no. 26: Client-side cross-site scripting#174

Merged
rajbos merged 2 commits into main from alert-autofix-26
Feb 3, 2026

Conversation

rajbos (Owner) commented Feb 2, 2026

Potential fix for https://github.com/rajbos/github-copilot-token-usage/security/code-scanning/26

In general, to fix DOM-based XSS you must ensure that any data coming from untrusted sources is either (1) safely encoded/escaped for the exact context where it is injected (HTML body, attribute, URL, etc.), or (2) inserted using DOM APIs (textContent, setAttribute, etc.) rather than string concatenation and innerHTML/insertAdjacentHTML.

For this specific code, the simplest fix that preserves existing functionality is:

  • Continue using escapeHtml for text/HTML contexts.
  • Ensure the numeric/session count (sf.count) is safely rendered as plain text by avoiding direct HTML string interpolation.
  • Avoid using insertAdjacentHTML / outerHTML with a large HTML string that contains interpolated untrusted data. Instead, build the DOM nodes programmatically:
    • Create the container, table, and row elements with document.createElement.
    • Set text via textContent and attributes via setAttribute.
    • Append the composed node to the DOM using appendChild/insertBefore/replaceWith.

Concretely, within src/webview/diagnostics/main.ts around lines 915–962:

  • Remove the string-building logic for sessionFilesHtml.
  • Replace it with code that:
    • Creates a <div class="session-folders-table"> container and its child <h4> and <table> elements.
    • Iterates sorted and for each sf creates a <tr> with <td> cells:
      • Folder cell: title set via setAttribute('title', escapeHtml(sf.dir)) or, more robustly, set the raw string and rely on escapeHtml only if needed; textContent set to the display string.
      • Editor badge: create <span class="editor-badge"> and set textContent to editorName.
      • Count: set textContent to String(sf.count).
      • Open directory link: href="#", class="reveal-link", and data-path via setAttribute('data-path', sf.dir) or encodeURIComponent(sf.dir) if required by the extension.
    • Either replace an existing .session-folders-table via existingTable.replaceWith(container) or insert the new container after .report-content with insertBefore on parentNode.

This keeps the rendered structure identical (same classes and attributes) but removes the XSS risk by no longer passing tainted data through insertAdjacentHTML/outerHTML.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.
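The two patterns the description contrasts, as an added example that is not code from the rajbos/github-copilot-token-usage repository: a reconstruction of the string-interpolation renderer the alert describes, beside the DOM-API version the description recommends. The escapeHtml implementation, the `{dir, count}` record shape, the editorName value, the heading text and the fake document used to run it under Node are all assumptions modelled on the description, not taken from main.ts.

```javascript
// Added example, not the project's code. Shows why moving from an HTML string
// to createElement/textContent/setAttribute removes the sink, using a small
// constructed document so it runs outside a browser.

// Assumed helper: the project's escapeHtml is referenced in the PR but not shown.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Constructed stand-in for the browser document (assumption, for running under
// Node). It implements only the calls the renderers use. outerHTML serialises
// the tree as a browser would: textContent and attribute values come out
// escaped, while markup assigned through innerHTML is kept verbatim, because
// that is exactly what the browser would parse and execute.
function createFakeDocument() {
  class FakeElement {
    constructor(tag) { this.tag = tag; this.attrs = {}; this.children = []; this.text = ''; this.raw = null; }
    setAttribute(name, value) { this.attrs[name] = String(value); }
    set className(value) { this.attrs['class'] = value; }
    set textContent(value) { this.text = String(value); this.children = []; this.raw = null; }
    set innerHTML(html) { this.raw = String(html); this.children = []; this.text = ''; }
    appendChild(child) { this.children.push(child); return child; }
    get outerHTML() {
      const attrs = Object.entries(this.attrs).map(([k, v]) => ` ${k}="${escapeHtml(v)}"`).join('');
      const inner = this.raw !== null
        ? this.raw
        : escapeHtml(this.text) + this.children.map((c) => c.outerHTML).join('');
      return `<${this.tag}${attrs}>${inner}</${this.tag}>`;
    }
  }
  return { createElement: (tag) => new FakeElement(tag) };
}

// Before (reconstructed from the description): one large HTML string. Folder
// names pass through escapeHtml, but the count is interpolated as-is, so any
// value that is not actually a number at runtime lands in the markup unencoded.
function renderWithHtmlString(doc, sorted, editorName) {
  let rows = '';
  for (const sf of sorted) {
    rows +=
      `<tr><td title="${escapeHtml(sf.dir)}">${escapeHtml(sf.dir)}</td>` +
      `<td><span class="editor-badge">${escapeHtml(editorName)}</span></td>` +
      `<td>${sf.count}</td>` +
      `<td><a href="#" class="reveal-link" data-path="${escapeHtml(sf.dir)}">Open directory</a></td></tr>`;
  }
  const container = doc.createElement('div');
  container.className = 'session-folders-table';
  container.innerHTML = `<h4>Session folders</h4><table>${rows}</table>`; // the HTML sink
  return container;
}

// After: the same structure built with DOM APIs. textContent and setAttribute
// take raw strings and never parse them, so there is no per-field escaping to
// forget. The title attribute gets the raw sf.dir on purpose: pre-escaping it
// would show "&amp;" literally in the tooltip.
function renderWithDomApis(doc, sorted, editorName) {
  const container = doc.createElement('div');
  container.className = 'session-folders-table';
  const heading = doc.createElement('h4');
  heading.textContent = 'Session folders';
  container.appendChild(heading);
  const table = doc.createElement('table');
  for (const sf of sorted) {
    const tr = doc.createElement('tr');
    const folderCell = doc.createElement('td');
    folderCell.setAttribute('title', sf.dir);
    folderCell.textContent = sf.dir;
    const badgeCell = doc.createElement('td');
    const badge = doc.createElement('span');
    badge.className = 'editor-badge';
    badge.textContent = editorName;
    badgeCell.appendChild(badge);
    const countCell = doc.createElement('td');
    countCell.textContent = String(sf.count);
    const linkCell = doc.createElement('td');
    const link = doc.createElement('a');
    link.setAttribute('href', '#');
    link.className = 'reveal-link';
    link.setAttribute('data-path', sf.dir);
    link.textContent = 'Open directory';
    linkCell.appendChild(link);
    for (const cell of [folderCell, badgeCell, countCell, linkCell]) tr.appendChild(cell);
    table.appendChild(tr);
  }
  container.appendChild(table);
  return container;
}

// Constructed input. The third record deliberately carries a non-numeric count,
// the kind of value a tampered session file could supply, to exercise the sink.
const SAMPLE_SESSIONS = [
  { dir: 'C:\\Users\\me\\projects\\a&b', count: 3 },
  { dir: '/home/me/work/"><img src=x onerror=alert(1)>', count: 1 },
  { dir: '/tmp/sessions', count: '<img src=x onerror=alert(1)>' },
];

// Renders both variants and reports whether an unescaped <img> tag survived.
function compareRenderers(sessions = SAMPLE_SESSIONS, editorName = 'VS Code') {
  const doc = createFakeDocument();
  const before = renderWithHtmlString(doc, sessions, editorName).outerHTML;
  const after = renderWithDomApis(doc, sessions, editorName).outerHTML;
  return { before, after, beforeHasRawImg: before.includes('<img '), afterHasRawImg: after.includes('<img ') };
}

console.log(compareRenderers());
```

In a real webview, pass the browser's `document` instead of the fake one and hand the returned container to `existingTable.replaceWith(container)` or `parent.insertBefore(container, reportContent.nextSibling)`, as the description suggests; the rendered classes and attributes match the string version, only the escaping path differs.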

…scripting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@rajbos rajbos marked this pull request as ready for review February 2, 2026 20:17
@rajbos rajbos enabled auto-merge February 2, 2026 20:17
@rajbos rajbos merged commit e196fe1 into main Feb 3, 2026
13 checks passed
@rajbos rajbos deleted the alert-autofix-26 branch February 3, 2026 09:01