epic: eliminate XSS vulnerability throughout codebase #6380
Labels: Added to dev/pm agenda; Complexity: Medium; Complexity: See issue making label; Feature: Refactor JS / Liquid; Issue Making: Level 2; ready for dev lead; role: front end; size: 1pt
Overview
We need to examine every JavaScript code file for instances in which DOM elements are dynamically created by setting the innerHTML property based on user-generated strings, and to update that code as needed, to eliminate the risk of cross-site scripting (XSS) attacks.
Details
Setting the innerHTML property based on user-provided data is an unsafe practice because malicious users can construct strings that result in the execution of scripts within the browser. Instances of this pattern do exist in our codebase because it was believed that parsing the data using decodeURIComponent() would eliminate any risk; however, that may not be the case.
Action Items
Examine the JavaScript files under /assets/js for instances of unsafe usage.
Resources/Instructions
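The following is an added illustration for this epic, not code from the project's codebase. It shows the unsafe pattern described above (a URL-encoded value decoded with decodeURIComponent() and dropped into innerHTML), the same render done with escaping and with textContent, and a small helper that flags innerHTML assignments in a source file the way a reviewer would while working through /assets/js. All function names (escapeHtml, renderUnsafe, renderEscaped, renderTextContent, findInnerHtmlAssignments), the SAMPLE_* constants and the fakeElement/fakeDocument stand-ins are assumptions made for the example so it runs under Node without a DOM; in a browser, pass real elements and `document`.

```javascript
// Added example, not from the project's codebase: the unsafe innerHTML
// pattern next to two safer forms, plus a crude audit helper. The element
// and document objects at the bottom are constructed stand-ins so the file
// runs under Node without a DOM.

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// UNSAFE: a URL-encoded query value is decoded and interpolated into markup.
// decodeURIComponent only undoes percent-encoding; any tags in the value
// come through untouched and are parsed by the browser as HTML.
function renderUnsafe(el, encodedName) {
  const name = decodeURIComponent(encodedName);
  el.innerHTML = `<p>Welcome, ${name}</p>`;
  return el.innerHTML;
}

// SAFER: same markup, but the user value is escaped before interpolation,
// so it can only ever render as literal text.
function renderEscaped(el, encodedName) {
  const name = decodeURIComponent(encodedName);
  el.innerHTML = `<p>Welcome, ${escapeHtml(name)}</p>`;
  return el.innerHTML;
}

// PREFERRED: no innerHTML at all. Build the element and assign the user
// value through textContent, which never parses markup.
function renderTextContent(doc, el, encodedName) {
  const name = decodeURIComponent(encodedName);
  const p = doc.createElement('p');
  p.textContent = `Welcome, ${name}`;
  el.appendChild(p);
  return p.textContent;
}

// Audit helper for the action item: list the lines of a source file that
// assign to innerHTML. A plain regex, not a parser, so expect some noise.
function findInnerHtmlAssignments(source) {
  return source
    .split('\n')
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter(({ text }) => /\.innerHTML\s*\+?=(?!=)/.test(text));
}

// --- Constructed demo data (not from the project) ---
// A query-string value a user could supply; the tag survives decoding intact.
const SAMPLE_ENCODED_NAME = encodeURIComponent('<script>alert(1)</script>');

// Minimal stand-ins for a DOM element and document, enough for the calls above.
function fakeElement(tag) {
  return {
    tag, innerHTML: '', textContent: '', children: [],
    appendChild(child) { this.children.push(child); },
  };
}
const fakeDocument = { createElement: fakeElement };

// Constructed source lines standing in for a file under /assets/js.
const SAMPLE_SOURCE = [
  "list.innerHTML = decodeURIComponent(params.get('q'));", // flagged
  "if (el.innerHTML === '') { return; }",                   // comparison, not flagged
  "title.textContent = name;",                              // safe, not flagged
  "log.innerHTML += entry;",                                // flagged
].join('\n');

console.log('unsafe  :', renderUnsafe(fakeElement('div'), SAMPLE_ENCODED_NAME));
console.log('escaped :', renderEscaped(fakeElement('div'), SAMPLE_ENCODED_NAME));
console.log('textnode:', renderTextContent(fakeDocument, fakeElement('div'), SAMPLE_ENCODED_NAME));
console.log('audit   :', findInnerHtmlAssignments(SAMPLE_SOURCE).map((h) => h.line));
```

The point of the first two calls is that decodeURIComponent() returns the markup exactly as the user wrote it; whether a given fragment runs depends on what the browser does with that markup, but the browser parses it as HTML either way, and escaping (or, better, textContent) is what removes the risk. The audit helper only finds the obvious `innerHTML =` and `innerHTML +=` forms; each hit still needs a human to decide whether the right-hand side can carry user-controlled data.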