2024-11-28
This article describes a low-severity vulnerability in the `deno_doc` crate that could lead to Cross-Site Scripting (XSS) when HTML documentation is generated with the `deno doc --html` command.
Platform: deno_doc
Version: (not specified)
Vulnerability: Self-XSS
Severity: Low
Date: November 25, 2024
What Undercode Says:
Two issues in `deno_doc` allowed XSS when generating HTML documentation:
Unsanitized input in `search_index.js`: the generated search script inserted untrusted input into the page via `innerHTML`, so a crafted string could carry markup that runs script.
Unsanitized property/method/enum names: property, method and enum names taken from the documented source were written into the HTML without escaping, so a hostile name could inject markup and script into the generated page.
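The following is an added example and not code from `deno_doc`; it is a standalone illustration of the two issues above with a constructed search-index entry whose name carries an `onerror` handler. `SAMPLE_ENTRIES`, `renderUnsafe`, `escapeHtml`, `renderEscaped` and `renderWithDom` are all names chosen for this example. `renderUnsafe` mirrors the vulnerable pattern (untrusted names concatenated into markup that is then assigned to `innerHTML`); `renderEscaped` shows the minimal fix of entity-escaping every untrusted field; `renderWithDom` shows the preferred browser-side approach of building nodes with `textContent` so no markup is ever parsed from data.

```javascript
// Added example: search-result rendering, vulnerable and hardened.
// Not deno_doc's code; names and sample data are constructed for illustration.

// Constructed search-index entries, as a doc generator might emit from the
// source it documents. The second entry's name is attacker-controlled.
const SAMPLE_ENTRIES = [
  { kind: "function", name: "add", description: "Adds two numbers" },
  {
    kind: "property",
    name: '<img src=x onerror="alert(document.cookie)">',
    description: "hostile name taken verbatim from the documented source",
  },
];

// VULNERABLE: untrusted fields are concatenated into markup. If this string
// is assigned to element.innerHTML the <img> is created and onerror fires.
function renderUnsafe(entries) {
  return entries
    .map((e) => `<li class="${e.kind}"><b>${e.name}</b> ${e.description}</li>`)
    .join("");
}

// Minimal HTML escaper that is safe for both text content and
// double-quoted attribute values (& must be replaced first).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// HARDENED (minimal fix): escape every untrusted field before it reaches
// innerHTML. The hostile name is now shown literally instead of parsed.
function renderEscaped(entries) {
  return entries
    .map(
      (e) =>
        `<li class="${escapeHtml(e.kind)}"><b>${escapeHtml(e.name)}</b> ` +
        `${escapeHtml(e.description)}</li>`
    )
    .join("");
}

// HARDENED (preferred in a browser): build DOM nodes and set text via
// textContent, so data is never parsed as HTML at all. `doc` is a Document;
// this function is browser-only and is not exercised under Node.
function renderWithDom(doc, entries) {
  const ul = doc.createElement("ul");
  for (const e of entries) {
    const li = doc.createElement("li");
    li.className = String(e.kind); // class names are also data, not markup
    const b = doc.createElement("b");
    b.textContent = String(e.name);
    li.appendChild(b);
    li.appendChild(doc.createTextNode(" " + String(e.description)));
    ul.appendChild(li);
  }
  return ul;
}

// Quick check usable in an audit: does the rendered markup still contain a
// raw tag that came from data? Returns true when the hostile tag survived.
function leaksRawTag(html) {
  return html.includes("<img src=x onerror=");
}

// Demonstration when run directly with Node.
console.log("unsafe :", renderUnsafe(SAMPLE_ENTRIES));
console.log("escaped:", renderEscaped(SAMPLE_ENTRIES));
console.log("unsafe leaks tag:", leaksRawTag(renderUnsafe(SAMPLE_ENTRIES)));
console.log("escaped leaks tag:", leaksRawTag(renderEscaped(SAMPLE_ENTRIES)));
```

Escaping at the output point is the fix that applies to both reported issues, since the search index and the symbol names are just different sources of the same untrusted string; a grep for `innerHTML` in generated scripts, followed by tracing each assigned value back to its source, is the quickest way to find this class of bug in a generator.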
The impact is likely minimal because `deno doc --html` is typically run locally against the user's own packages; exploitation requires documenting untrusted source, which is why the issue is classed as Self-XSS.
Recommendations:
Update `deno_doc` (and the Deno release that bundles it) to a version containing the fix.
Only run `deno doc --html` on code you trust, and treat HTML generated from third-party sources as untrusted content before serving it.
Note: This vulnerability has been reviewed and addressed.
References:
Reported By: Github.com