Fix dashboard XSS, credential exposure, auth race, and URL crash (#252)#262
Open
Fix dashboard XSS, credential exposure, auth race, and URL crash (#252)#262
Conversation
…ing (#252) - Validate URL scheme (https?://) before window.open to prevent javascript: XSS - Mask credential values in auth settings table (show last 4 chars only) - Fix double-fetch auth using wrong property names (authToken/authUser → token/user) - Wrap new URL() in try/catch to prevent crash on malformed source_url Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
jessie-coco
approved these changes
Mar 9, 2026
Contributor
jessie-coco
left a comment
jessie-coco
left a comment
There was a problem hiding this comment.
Codex Review R1: CLEAN
0 P1 + 0 P2 + 0 P3 — all four fixes verified correct.
Fix Verification
| # | Fix | Verdict |
|---|---|---|
| 1 | Stored XSS via javascript: URL — renderTopPages (L253) and loadItemsList (L300) now gate window.open() behind /^https?:\/\//i |
✅ Correct — blocks all non-HTTP schemes |
| 2 | Credential masking — renderAuthsTable now shows •••• + last 4 chars instead of plaintext |
✅ Correct — output also passes through escHtml() |
| 3 | Auth property name mismatch — second getAuthFromExtension() call (L53) fixed from extAuth.authToken/extAuth.authUser to extAuth.token/extAuth.user, matching the first call (L29) and the function's return contract |
✅ Correct |
| 4 | new URL() crash on malformed source_url — wrapped in try/catch with substring(0, 40) fallback |
✅ Correct |
Observations (pre-existing, not blocking)
d.external_urlat L206 is set as anhrefwith onlyescHtml()— this prevents attribute breakout but does not blockjavascript:scheme. Not introduced by this PR, but worth a follow-up issue if dispatch URLs can be user-controlled.d.statusat L210 is injected into innerHTML unescaped — safe only if server-controlled. Also pre-existing.
Result: APPROVE — clean fix, no regressions introduced.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
javascript:URL: Validate URL scheme (https?://) beforewindow.open()in bothrenderTopPagesandloadItemsListclick handlers••••+ last 4 characters instead of full plaintextgetAuthFromExtension()call usedextAuth.authToken/extAuth.authUserbut the function returns{ token, user }— fixed to use correct namesnew URL()crash on malformedsource_url: Wrapped in try/catch with fallback to raw substring for displayCloses #252
Codex Review
Pending — requesting review.
Test plan
javascript:alert(1)— verify it does NOT opentoken: ••••xxxxsource_url(e.g.,not-a-url) — verify items list renders without crash🤖 Generated with Claude Code