
Securing `wins.js` from XSS vulnerability due to innerHTML

Open freaky4wrld opened this issue 1 year ago • 8 comments

Overview

As developers we aim to protect JavaScript files from XSS vulnerabilities, preventing malicious script injections that can compromise user security.

Action Items

  • [x] Open the file assets/js/wins.js in your IDE
  • [x] Search the instances of innerHTML in the file.
  • [x] Replace the instances of the innerHTML property with textContent, using the createElement method for creating DOM elements where necessary
  • [x] Use Docker to test the Wins page at mobile, tablet, and desktop screen sizes

Resources/Instructions

  • https://developer.mozilla.org/en-US/docs/Web/API/Document/createElement
  • https://developer.mozilla.org/en-US/docs/Web/API/Node/textContent
  • https://medium.com/front-end-weekly/javascript-innerhtml-innertext-and-textcontent-b75ec895cbe3
  • https://github.com/hackforla/website/blob/gh-pages/assets/js/wins.js
  • https://www.hackforla.org/wins
  • This issue resulted from #5654

freaky4wrld avatar Feb 16 '24 06:02 freaky4wrld
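The action items above describe the replacement pattern without showing it. The following is an added example, not code from `wins.js` or the hackforla/website project, that puts the innerHTML pattern the issue targets next to its createElement/textContent replacement. The function names `renderWinUnsafe` and `renderWinSafe`, the `win-card` class, and the `sampleWin` record are all assumptions made for illustration; the `FakeElement`/`fakeDocument` stand-in exists only so the file runs under Node without a browser DOM and models just the calls the hardened code uses. In a browser the same functions take the real `document`.

```javascript
// Added example (not project code). A minimal stand-in for the browser DOM so
// this file runs under Node: it supports createElement, className, textContent,
// innerHTML and appendChild, and can serialize to HTML for inspection. It does
// not parse HTML, so it is only a model of the real DOM's behaviour.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

class FakeElement {
  constructor(tag) {
    this.tagName = tag;
    this.className = '';
    this.children = [];
    this._text = '';   // text set via textContent (kept as data, never parsed)
    this._raw = null;  // markup set via innerHTML (emitted verbatim, i.e. parsed by a browser)
  }
  set textContent(v) { this._text = String(v); this.children = []; this._raw = null; }
  get textContent() { return this._text + this.children.map((c) => c.textContent).join(''); }
  set innerHTML(html) { this._raw = String(html); this.children = []; this._text = ''; }
  appendChild(child) { this.children.push(child); return child; }
  get outerHTML() {
    const cls = this.className ? ` class="${escapeHtml(this.className)}"` : '';
    // textContent is escaped on serialization; innerHTML is not. This mirrors the
    // real DOM: text nodes can never become elements, raw markup can.
    const inner = this._raw !== null
      ? this._raw
      : escapeHtml(this._text) + this.children.map((c) => c.outerHTML).join('');
    return `<${this.tagName}${cls}>${inner}</${this.tagName}>`;
  }
}
const fakeDocument = { createElement: (tag) => new FakeElement(tag) };

// BEFORE (the pattern the issue asks to remove): data interpolated into innerHTML.
// Whatever markup is in win.name or win.overview is parsed and executed as HTML.
// Hypothetical function; not the real wins.js code.
function renderWinUnsafe(win, doc = fakeDocument) {
  const card = doc.createElement('div');
  card.className = 'win-card';
  card.innerHTML = `<h3>${win.name}</h3><p>${win.overview}</p>`;
  return card;
}

// AFTER: build each element with createElement and assign strings only through
// textContent, so untrusted data can only ever become text nodes.
function renderWinSafe(win, doc = fakeDocument) {
  const card = doc.createElement('div');
  card.className = 'win-card';
  const heading = doc.createElement('h3');
  heading.textContent = win.name;
  const overview = doc.createElement('p');
  overview.textContent = win.overview;
  card.appendChild(heading);
  card.appendChild(overview);
  return card;
}

// Constructed sample record carrying a markup payload, as someone who can edit
// the wins data source could supply. Not real site data.
const sampleWin = {
  name: 'Ada <img src=x onerror="alert(1)">',
  overview: 'Shipped <b>v2</b>',
};

console.log(renderWinUnsafe(sampleWin).outerHTML); // payload survives as live markup
console.log(renderWinSafe(sampleWin).outerHTML);   // payload is inert text
```

Two checks worth keeping in mind while doing the replacement: `textContent` is the right target for data, but assignments like `el.innerHTML = ''` used purely to clear a container carry no untrusted input and can stay; and `innerText` is not an equivalent substitute for `textContent`, since it triggers layout and differs in what whitespace it returns.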

  • @roslynwythe created an issue for option 1 for the ER #5654, please check and suggest changes

freaky4wrld avatar Feb 16 '24 06:02 freaky4wrld

Thank you @freaky4wrld - looks good to me.

roslynwythe avatar Feb 20 '24 06:02 roslynwythe

Hi @danvgar, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:
  i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?)
  ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)

github-actions[bot] avatar Feb 29 '24 02:02 github-actions[bot]

Happy to take on this issue. Just assigned it to myself and will provide an update by EOW.

danvgar avatar Feb 29 '24 02:02 danvgar

@danvgar I am moving this issue to the in progress column, since you are working on it. On future issues please move the issue after you self assign.

ExperimentsInHonesty avatar Feb 29 '24 04:02 ExperimentsInHonesty

Ah sorry, thank you for catching that, @ExperimentsInHonesty !

danvgar avatar Feb 29 '24 05:02 danvgar

@danvgar

Please add update using the below template (even if you have a pull request). Afterwards, remove the 'To Update !' label and add the 'Status: Updated' label.

  1. Progress: "What is the current status of your project? What have you completed and what is left to do?"
  2. Blockers: "Difficulties or errors encountered."
  3. Availability: "How much time will you have this week to work on this issue?"
  4. ETA: "When do you expect this issue to be completed?"
  5. Pictures (optional): "Add any pictures of the visual changes made to the site so far."

If you need help, be sure to either: 1) place your issue in the Questions/In Review column of the Project Board and ask for help at your next meeting, 2) put a "Status: Help Wanted" label on your issue and pull request, or 3) put up a request for assistance on the #hfla-site channel. Please note that including your questions in the issue comments, along with screenshots if applicable, will help us to help you. Here and here are examples of well-formed questions.

You are receiving this comment because your last comment was before Monday, March 4, 2024 at 11:06 PM PST.

github-actions[bot] avatar Mar 08 '24 07:03 github-actions[bot]

Apologies, I've been sick on-and-off the past week and have not been able to sit with this. I expect it to be completed by EOW Sun Mar 17, if not sooner!

danvgar avatar Mar 11 '24 00:03 danvgar