deno_doc: Self-XSS in HTML Generation (Low Severity)

2024-11-28

This article describes a low severity vulnerability in the `deno_doc` crate that could lead to Cross-site Scripting (XSS) attacks when using the `deno doc --html` command.

Form:

Platform: deno_doc
Version: (not specified)
Vulnerability: Self-XSS
Severity: Low
Date: November 25, 2024

What Undercode Says:

Several vulnerabilities in `deno_doc` allowed for XSS attacks when generating HTML documentation. These vulnerabilities included:

Unsanitized input in `search_index.js`: The generated JavaScript file for searching used `innerHTML` on untrusted user input, potentially allowing for script injection.
Unsanitized property/method/enum names: Property, method, and enum names were not sanitized, potentially allowing for malicious code injection.

The impact of the first vulnerability is likely minimal, because `deno doc --html` is typically run locally against the developer's own packages rather than on untrusted code.
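To make the two findings concrete, here is an added example (not deno_doc's own `search_index.js` or HTML generator) of the pattern behind both: untrusted symbol names interpolated into markup and then written with `innerHTML`, beside a hardened renderer that escapes every field, and a DOM-based variant that uses `textContent`. The search index entries, their shape, and the hostile property name are constructed for the example.

```javascript
// Constructed search index entries, shaped like what a doc generator might
// embed in a search_index.js file (the shape is an assumption, not deno_doc's).
const SEARCH_INDEX = [
  { kind: "function", name: "fetchUser", file: "mod.ts" },
  // Constructed hostile entry: a property name carrying markup, the kind of
  // value the advisory says was emitted without sanitisation.
  { kind: "property", name: '<img src=x onerror="alert(1)">', file: "evil.ts" },
];

// Minimal HTML escaper for the five characters that matter in both text and
// attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern (shown for contrast): names go straight into markup.
// Assigning this string to an element's innerHTML parses the injected tag.
function renderResultsUnsafe(entries) {
  return entries
    .map((e) => `<li class="${e.kind}"><code>${e.name}</code> <span>${e.file}</span></li>`)
    .join("");
}

// Hardened: every untrusted field is escaped before it lands in markup, so a
// name containing "<" is rendered as literal text.
function renderResultsSafe(entries) {
  return entries
    .map((e) =>
      `<li class="${escapeHtml(e.kind)}"><code>${escapeHtml(e.name)}</code>` +
      ` <span>${escapeHtml(e.file)}</span></li>`)
    .join("");
}

// Detection helper for a generator's test suite: does the rendered HTML contain
// any tag the template itself did not emit?
function containsForeignTag(html) {
  const allowed = new Set(["li", "/li", "code", "/code", "span", "/span"]);
  const tags = html.match(/<\/?[a-zA-Z][^\s>]*/g) || [];
  return tags.some((t) => !allowed.has(t.slice(1)));
}

// Alternative when a DOM is available (browser side of a search UI): build
// nodes and set textContent, which never parses markup. Returns the number of
// result elements rendered.
function renderIntoDom(container, entries) {
  const doc = container.ownerDocument;
  container.replaceChildren();
  for (const e of entries) {
    const li = doc.createElement("li");
    li.className = e.kind;
    const code = doc.createElement("code");
    code.textContent = e.name; // text, never markup
    li.append(code, " ", e.file); // strings become text nodes
    container.append(li);
  }
  return container.childElementCount;
}

module.exports = { SEARCH_INDEX, escapeHtml, renderResultsUnsafe, renderResultsSafe, containsForeignTag, renderIntoDom };
```

The `containsForeignTag` check is the kind of regression test a documentation generator can run over rendered output for names taken from quoted or computed keys; the `renderIntoDom` variant avoids `innerHTML` entirely, which is the simpler fix when the consumer controls the DOM.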

Recommendations:

Keep `deno_doc` updated to benefit from any potential patches.
Be cautious when using `deno doc --html` with untrusted code.

Note: This vulnerability has been reviewed and addressed.

References:

Reported By: GitHub.com
Undercode AI: https://ai.undercodetesting.com

Image Source:

OpenAI: https://openai.com
Undercode AI DI v2: https://ai.undercode.help
