epic: eliminate XSS vulnerability throughout codebase #6380

Closed
5 tasks
roslynwythe opened this issue Feb 26, 2024 · 4 comments
Labels
Added to dev/pm agenda Complexity: Medium Complexity: See issue making label See the Issue Making label to understand the issue writing difficulty level Feature: Refactor JS / Liquid Page is working fine - JS / Liquid needs changes to become consistent with other pages Issue Making: Level 2 Make issue(s) from an ER or Epic ready for dev lead Issues that tech leads or merge team members need to follow up on role: front end Tasks for front end developers size: 1pt Can be done in 4-6 hours
Milestone

Comments

@roslynwythe
Member

roslynwythe commented Feb 26, 2024

Overview

We need to examine every Javascript code file for instances in which DOM Elements are dynamically created by setting the innerHTML property, based on user-generated strings, and to update code as needed, to eliminate the risk of Cross-site scripting (XSS) attacks.

Details

  • Composing DOM Elements by setting the innerHTML property based on user-provided data is an unsafe practice because malicious users can construct strings that result in the execution of scripts within the browser. Instances of this pattern do exist in our codebase because it was believed that parsing the data using decodeURIComponent() would eliminate any risk; however, that may not be the case.
  • In ER: Potential XSS Vulnerability in wins.js #5654 an XSS vulnerability was identified and resolved in wins.js. In this epic we need to audit the remaining Javascript codebase and update the code as needed.

Action Items

  • Create an epic for auditing of every Javascript file within /assets/js for instances of unsafe usage.
    • Create a spreadsheet "HfLA Javascript audit" with columns to track issues for audit, the results of the audit (which sections of code should be refactored), and to track issues for fixing code
    • Create a template for audit issues and an issue level 1 making issue to create the new issues
  • If there are multiple sections of code that need to be refactored, create an epic for refactoring
    • Create a template for refactoring issues and an issue level 1 making issue to create the new issues

Resources/Instructions
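The pattern the Details section warns about, and the fix an audit would apply, as an added example that is not part of the issue or of the hack-for-la codebase. The renderer names (`renderUnsafe`, `renderEscaped`), the `foreignTags` audit helper and the sample encoded name are all constructed for this illustration; the only real API used is `decodeURIComponent`. It runs in Node without a DOM, so the renderers return the string that would otherwise be assigned to `element.innerHTML`:

```javascript
// Added example (not the project's code): why decodeURIComponent() does not
// make user data safe for innerHTML, and what escaping it does instead.

// Escape the five characters that carry meaning in HTML text and attribute
// values. Text passed through this is inert when assigned to innerHTML.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The pattern described in the issue: user-provided data is URL-decoded and
// spliced straight into markup destined for element.innerHTML. Decoding only
// turns %3C back into '<'; it removes nothing.
function renderUnsafe(encodedName) {
  const name = decodeURIComponent(encodedName);
  return `<div class="card"><h2>${name}</h2></div>`;
}

// Hardened version of the same renderer: decode first, so the escaping sees
// the final text, then escape before interpolating into markup.
function renderEscaped(encodedName) {
  const name = decodeURIComponent(encodedName);
  return `<div class="card"><h2>${escapeHtml(name)}</h2></div>`;
}

// Audit helper (hypothetical): list any tag in the rendered string that the
// template itself did not emit. A non-empty result means user data reached
// the markup as live HTML.
const TEMPLATE_TAGS = new Set(['div', '/div', 'h2', '/h2']);
function foreignTags(html) {
  const found = [];
  const tagRe = /<\s*(\/?[a-zA-Z][a-zA-Z0-9-]*)/g;
  let match;
  while ((match = tagRe.exec(html)) !== null) {
    if (!TEMPLATE_TAGS.has(match[1].toLowerCase())) found.push(match[1]);
  }
  return found;
}

// Constructed sample input: a percent-encoded "name" that decodes to markup.
const SAMPLE = 'Ada%20%3Cscript%3Ealert(1)%3C%2Fscript%3E';

console.log(renderUnsafe(SAMPLE));               // live <script> tag present
console.log(foreignTags(renderUnsafe(SAMPLE)));  // [ 'script', '/script' ]
console.log(renderEscaped(SAMPLE));              // only &lt;script&gt; text
console.log(foreignTags(renderEscaped(SAMPLE))); // []
```

In browser code the simpler fix is usually to avoid string-built markup altogether: create the element with `document.createElement` and assign the user data to `textContent`, which never parses it as HTML. Escaping as above is the fallback when a template string genuinely has to be assigned to `innerHTML`.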

@roslynwythe roslynwythe added Feature Missing This label means that the issue needs to be linked to a precise feature label. size: missing role missing Complexity: Missing epic labels Feb 26, 2024
@github-actions github-actions bot removed the epic label Feb 26, 2024


@roslynwythe roslynwythe added role: front end Tasks for front end developers Issue Making: Level 4 Create an Epic Issue, and it's Level 2 or 3 issues Complexity: See issue making label See the Issue Making label to understand the issue writing difficulty level Complexity: Small Take this type of issues after the successful merge of your second good first issue Complexity: Medium size: 1pt Can be done in 4-6 hours and removed Feature Missing This label means that the issue needs to be linked to a precise feature label. role missing Complexity: Missing Complexity: Small Take this type of issues after the successful merge of your second good first issue size: missing labels Feb 26, 2024
@ExperimentsInHonesty ExperimentsInHonesty added this to the 02. Security milestone Feb 27, 2024
@ExperimentsInHonesty ExperimentsInHonesty added Feature: Refactor JS / Liquid Page is working fine - JS / Liquid needs changes to become consistent with other pages Added to dev/pm agenda labels Mar 3, 2024
@roslynwythe roslynwythe added Issue Making: Level 2 Make issue(s) from an ER or Epic and removed Issue Making: Level 4 Create an Epic Issue, and it's Level 2 or 3 issues labels Mar 6, 2024
@roslynwythe
Member Author

@ExperimentsInHonesty Would it be better if the Action Items on this issue called for the creation of two child epics, one for auditing the codebase and the other for refactoring?

@ExperimentsInHonesty
Member

@roslynwythe yes

@ExperimentsInHonesty ExperimentsInHonesty added ready for dev lead Issues that tech leads or merge team members need to follow up on and removed ready for product labels Mar 8, 2024
@roslynwythe
Member Author

I don't believe there are any instances of code (other than wins.js) which present a risk, so closing this issue
