2024-11-25
Platform: deno_doc
Version: All versions before a fix is released
Vulnerability: Cross-site Scripting (XSS)
Severity: Low
Date: November 25, 2024
What Undercode Says:
Deno Doc, a documentation generator for Deno code, contained two XSS vulnerabilities that could be exploited when documentation is generated with the `deno doc --html` flag. They only affect users who generate documentation locally; the generated output is not intended to be served as a public-facing website.
Vulnerability 1: The generated `search_index.js` file used `innerHTML` on unsanitized user input. This could allow for script injection if the user provided malicious code.
Vulnerability 2: Deno Doc did not sanitize property, method, and enum names within the generated documentation. This could potentially allow for a more complex XSS attack but is considered low risk due to the expected use case.
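The pattern behind Vulnerability 1, shown as an added example that is not deno_doc's own code: a renderer that interpolates symbol names from a constructed search index into markup destined for `innerHTML`, beside the hardened form that escapes every untrusted field first. The index entries, the hostile symbol name and the function names are all constructed for this illustration.

```javascript
// Constructed search index (not deno_doc's real format): symbol names come
// straight from user source, so they are untrusted as far as the viewer goes.
const SEARCH_INDEX = [
  { kind: "function", name: "parseConfig", path: "./mod.ts" },
  // Constructed hostile entry: a property name that contains markup.
  { kind: "property", name: "<script>alert(1)</script>", path: "./bad.ts" },
];

// Escape the five characters that can break out of HTML text or a quoted
// attribute. '&' is replaced first so later entities are not double-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: untrusted fields concatenated into a string that the
// page later assigns to element.innerHTML. Markup in `name` becomes live DOM.
function renderUnsafe(entries) {
  return entries
    .map((e) => `<li class="${e.kind}"><a href="${e.path}">${e.name}</a></li>`)
    .join("");
}

// Hardened form: each field is escaped before interpolation, so a name like
// "<script>" is displayed literally and never parsed as a tag. (Using
// textContent for the visible name instead of innerHTML is the other fix.)
function renderSafe(entries) {
  return entries
    .map((e) =>
      `<li class="${escapeHtml(e.kind)}"><a href="${escapeHtml(e.path)}">${escapeHtml(e.name)}</a></li>`)
    .join("");
}

// Regression check a generator's test suite could carry: no raw tag taken
// from the index may survive into the rendered markup.
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, "i").test(html);
}
```

Entity escaping covers text and quoted-attribute contexts only; a value placed in a URL attribute such as `href` still needs its own scheme validation.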
Recommendation:
Update Deno Doc to the latest version once a fix is available.
Additional Notes:
This vulnerability is considered low risk because the expected use case of `deno doc --html` is local documentation generation. However, it’s still recommended to update to the latest version of Deno Doc once a fix is released.
References:
Reported By: Github.com