From 10ecbddeae33d2659ae0e281b33414d1b745e0f6 Mon Sep 17 00:00:00 2001 From: acaptutorials Date: Mon, 17 Feb 2025 02:41:03 +0800 Subject: [PATCH] docs: additional note on xss details --- docs/pages/announcements/firebase-storage-2024.mdx | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/pages/announcements/firebase-storage-2024.mdx b/docs/pages/announcements/firebase-storage-2024.mdx index f54b3497..3c176d14 100644 --- a/docs/pages/announcements/firebase-storage-2024.mdx +++ b/docs/pages/announcements/firebase-storage-2024.mdx 
@@ -148,10 +148,14 @@ Yes. Some of the latest core deliverables implemented for ACAP in its [2. This table shows the overall security criteria ensured and accounted for by ACAP's best practices in its recommended [security guidelines](/security). + +The reduced enforcement of **Cross-Site Scripting (XSS) protection** particularly affects the WYSIWYG-form Crop Recommendations, leading to a reproducible security vulnerability. A [detailed description](https://github.com/amia-cis/acap-v2/issues/34) is available in the parent **acap-v2** GitHub issues list, with a video demonstration available upon request. + + | Criteria | Purpose | ACAP [1.0](/changelog/#version-1-acap-10) | ACAP [2.0](/changelog/#version-2-acap-20) | | --- | --- | :---: | :---: | | User authentication | Authorized, allowed, and predictable operations access to resources | ✅ | ✅ | -| Cross-Site Scripting (XSS) Protection | Predictable billing, reliable/authentic website information, user information confidentiality, predictable data manipulation / SMS sending, protection for unvalidated writes that allow tampering with stored data, impacting system reliability, protection for injecting malicious scripts that steal user info or redirect users to phishing sites (and protection for other uncontrolled scenarios that stem from XSS) | ✅ | ❌ | +| **Cross-Site Scripting (XSS) Protection** | Predictable billing, reliable/authentic website information, user information confidentiality, predictable data manipulation / SMS sending, protection for unvalidated writes that allow tampering with stored data, impacting system reliability, protection for injecting malicious scripts that steal user info or redirect users to phishing sites (and protection for other uncontrolled scenarios that stem from XSS) | ✅ | ❌ | | Cloud storage protection | Authorized, allowed, and predictable operations access to storage, predictable billing | ✅ | ✅ | | Database integrity | Accuracy, consistency, and reliability of data stored in a 
database and presented to users | ✅ | ❌ | | Database protection | Authorized, allowed, and predictable operations access to the (Firestore) database, predictable billing | ✅ | ❌ |
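Review bot: the new paragraph states that ACAP 2.0 has a reproducible XSS vulnerability in the WYSIWYG Crop Recommendations form but gives readers no mitigation, affected-version scope, or fix status; since this lands in a public announcements page, add a sentence saying which ACAP version is affected (the table below already marks 1.0 ✅ / 2.0 ❌ for XSS protection) and what users should do in the meantime (e.g. restrict who can submit Crop Recommendations, or follow the linked issue for the fix). Also consider dropping "with a video demonstration available upon request" in favour of pointing only at the linked issue, so the docs do not invite ad-hoc requests for a working exploit demo. Minor: the two trailing `+` blank lines leave a double blank line before the table; one is enough in MDX, and the prefix "WYSIWYG-form Crop Recommendations" reads more naturally as "Crop Recommendations WYSIWYG form".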