Conversation
…lect all elements (adobecom#3426) * add all-elements test * add all-elements test --------- Co-authored-by: John Pratt <jpratt@adobe.com>
…nt to CME-1 M7 (adobecom#3723) * MWPW-166076 Update a.com Business plans page CTAs to point to CME-1 M7 Business plans page * MWPW-166076 Update a.com Business plans page CTAs to point to CME-1 M7 Business plans page * MWPW-166076 Update a.com Business plans page CTAs to point to CME-1 M7 Business plans page * MWPW-166076 Update a.com Business plans page CTAs to point to CME-1 M7 Business plans page * MWPW-166076 Update a.com Business plans page CTAs to point to CME-1 M7 Business plans page * MWPW-166076 Update a.com Business plans page CTAs to point to CME-1 M7 Business plans page * Trigger Build * MWPW-166076 Update a.com Business plans page CTAs to point to CME-1 M7 Business plans page * Trigger Build * MWPW-168450 EDU plans page CTAs to point to CME-1 M7 EDU * Trigger Build * MWPW-166076 Update a.com Business plans page CTAs to point to CME-1 M7 Business plans page * MWPW-166076 Update a.com Business plans page CTAs to point to CME-1 M7 Business plans page * MWPW-166076 Update a.com Business plans page CTAs to point to CME-1 M7 Business plans page * Trigger Build * Trigger Build * MWPW-166076 Update a.com Business plans page CTAs to point to CME-1 M7 Business plans page * MWPW-166076 Update a.com Business plans page CTAs to point to CME-1 M7 Business plans page * Trigger Build * MWPW-166076 Update a.com Business plans page CTAs to point to CME-1 M7 Business plans page * Trigger Build * MWPW-166076 Update a.com Business plans page CTAs to point to CME-1 M7 Business plans page * MWPW-166076 Update a.com Business plans page CTAs to point to CME-1 M7 Business plans page * Trigger Build * MWPW-166076 Update a.com Business plans page CTAs to point to CME-1 M7 Business plans page * MWPW-166076 Update a.com Business plans page CTAs to point to CME-1 M7 Business plans page * Trigger Build --------- Co-authored-by: Bozo Jovicic <bozo@hitthecode.com>
…ser. (adobecom#3815) * replace overflow x with contain layout * add a fix for breaking mobile gnav * move fix to existing media block * add clip to feds-nav-wrapper * shift clip on submenu open
* MWPW-169072: Handle messages from iframe * MWPW-169072: Add manage-plan-cancel style * MWPW-169072: PR update * MWPW-169072: Add lana log in catch
* MWPW-165253 Update invalid lana tag * add page url * Revert "add page url" This reverts commit 5215b60.
… Unav (adobecom#3818) * Adding self unav integration option * Adding self unav integration option
fixed preflight seo lorem ipsum check
…dobecom#3830) * Remove versions * Add workflow README * Small wording improvements * Update readme with example to the PR
…ari browser." (adobecom#3856) Revert "Tooltips are hidden while hovering over top four icons on Safari brow…" This reverts commit 205a539.
* MWPW-169010: MAS resilience & log improvements (adobecom#3775) Improve MAS LANA logs Send list of failed requests to Lana in case of MAS error WCS: Fallback to last good response if offer refresh fails. Freyja: Fallback to last good response if fragment refresh fails Fetch: retry failed fetch requests two more times before failing definitely * MWPW-165526: consume new MAS endpoint (adobecom#3705) * consume new mas endpoint * update * fix unit tests & address PR comments * fix eslint warning * fix missing mas-commerce-service * fix unit tests * add step-by-step * fix docu * fix galleries * address pr comments * fix nala tests * fix benchmark page * fix safari polyfills * on observability for mas-commerce-service * fix issues&tests * fix studio issue * fix refresh * fix nala test * allow overriding lana-tags on documentation pages for mas --------- Co-authored-by: Mariia Lukianets <lukianet@adobe.com> Co-authored-by: Mariia Lukianets <mariia.lukianets@gmail.com>
* branch link in new tab * ctrl/cmd + click --------- Co-authored-by: Drashti Modasara <dmodasara@Drashtis-MacBook-Pro.local>
* Removing the 'clone' method that was used as it was cloning the node but not the event listeners, making it so the video events would not trigger * Removing unneeded line * CR * Adding setViewport to ensure no test breakage due to mobile/desktop differences
* MWPW-169143: AH Try/Buy width and height fixes * build * safari grid height bugfix
Revert "MWPW-169166: Check autoblock source (adobecom#3826)" This reverts commit d98fe88.
* emea1435 * updated to version that actually supports tabs * lint fixes
* Setting accessibleLabel as sr-only * mid * Adding logic for <sr-only>Alternatively at</sr-only> * Applying some of Ilyas comment * 2' * 2' * merge * Sending flag into template.js to generate <sr-only> * nit: trying to improve the readability * nit: Rebuild the mas * Having parentEl dataset for merch price in merch.js * Adding a test for alternativePrice option for aria label (sr-only) * update the logic * Trying to avoid a bug that adding alternativePrice label to random one when there are many inline prices in a P. * Support for &alt=true param for mas price link. * Setting update * test update. * nit: polish the code * Optical & alternative price case handling. * Restore the priceOptical method. * Adding alternative price option for annual template. * This should cover AI bundle case. * Fixing issue with placeholder-failed on strikethrough
…obecom#3831) * added error msg logic * added test for timeout error * more unit tests * cleaning * added checkout-link-sandbox * updated placeholder keys, enhanced icon title * corrected placeholders * checkout-link-sandbox changed to 'on' * removed unnecessary const * added placeholders * updated unit tests
* Assets preflight POC * Screen size prompt. Consolidate with a11y * Handle full width images * Handle PR feedback
…doc (adobecom#3836) * Enable to override aria-label on checkout link via word doc ("CTA Text|Aria Label") * Added a comment.
* MWPW-169294: Update ar locale * MWPW-169294: Change font
* Adjusting the max height limit so Preflight doesn't truncate a very long list of items. Resolves: [MWPW-160751](MWPW-URL) **Test URLs:** - Before: https://stage--milo--adobecom.hlx.page/?martech=off - After: https://<branch>--milo--adobecom.hlx.page/?martech=off Co-authored-by: Ryan Clayton <rclayton@adobe.com>
…ns. (adobecom#3808) * add daa-state=true * add unit test * add daa-ll attribute * remove trailing space for lint fix Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * add unit test for daa-ll attribute * modify the daa-ll to use tabID and tabName * update the corresponding unit test, too --------- Co-authored-by: John Pratt <jpratt@adobe.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…dobecom#3832) add ability to use placeholders in updateAttribute Co-authored-by: John Pratt <jpratt@adobe.com>
…ecom#3837) * Update mep spoofed target integration status * Add fix for mmm tests * Refactor mapping * Show actual value when param bad
* fixed contrast color in sidenav * updated deps * updated deps
* MWPW-169845: Fix action scroller navigation when in tab * MWPW-169845: Fix safari issues * MWPW-169845: Update * Update libs/blocks/action-scroller/action-scroller.js Co-authored-by: Okan Sahin <39759830+mokimo@users.noreply.github.com> * MWPW-169845: Fix bug * MWPW-169845: Turn arrow to normal function --------- Co-authored-by: Okan Sahin <39759830+mokimo@users.noreply.github.com>
* Notification variant split * Notification variant split * Notification variant split * Notification variant split * Notification variant split * Notification variant split * Notification variant split * Notification variant split * Notification variant split * Notification variant split * Notification variant split * Notification variant split * Notification variant split * Notification variant split * Notification variant split * CSS changes * Handle loc issue with image inline * Handle loc issue with image inline * Handle loc issue with image inline * Handle loc issue with image inline * Unit test * Unit test * Unit test * Unit test * Unit test * Width fix
* consume new mas endpoint * MWPW-165461: Merch card collection autoblock * initing service * classes change * comments * tests * autoblock test fixes * fix autoblock test * MWPW-165478: merch-sidenav and autoblock improvements * merch-sidenav block * four-merch-cards change * class fix * autoblock post process * slot * tagname * test placeholders * test html placeholders * plans width * default literal update * update * plans collection link * commented out link * fix unit tests & address PR comments * fix eslint warning * fix missing mas-commerce-service * fix unit tests * add step-by-step * fix docu * fix galleries * address pr comments * fix nala tests * fix benchmark page * fix safari polyfills * MWPW-169010: MAS resilience & log improvements (adobecom#3775) Improve MAS LANA logs Send list of failed requests to Lana in case of MAS error WCS: Fallback to last good response if offer refresh fails. Freyja: Fallback to last good response if fragment refresh fails Fetch: retry failed fetch requests two more times before failing definitely * build * docs * MWPW-165526: consume new MAS endpoint (adobecom#3705) * consume new mas endpoint * update * fix unit tests & address PR comments * fix eslint warning * fix missing mas-commerce-service * fix unit tests * add step-by-step * fix docu * fix galleries * address pr comments * fix nala tests * fix benchmark page * fix safari polyfills * on observability for mas-commerce-service * fix issues&tests * fix studio issue * fix refresh * some reverts * collection build * temp incorporated sidenav * temp new payload changes * aem-fragment flush cache false * fixed offer timeout * some test updates * some redundant reverts * mas-autoblock to listen ?query as well. 
* placeholders * touch ups * fix tests and removed placeholders from autoblock * sourcemap * test fixes * removed switches * plan docs * fixed ccd page and removed commented aem-fragment code * removed redundant script * fixed sidenav bug * post io fixes * mas-autoblock to listen ?query as well. * slightly changed logic * updated tests * fixed autoblock element replace issue * separate autoblocks * test fixes * test fix * collection autoblock fixes * default autoblocks to merch-card --------- Co-authored-by: Mariia Lukianets <mariia.lukianets@gmail.com> Co-authored-by: Ilyas Türkben <ilyas@adobe.com> Co-authored-by: Mariia Lukianets <lukianet@adobe.com> Co-authored-by: Sean Choi <seanchoi@adobe.com>
* MWPW-170007 [Footer] Fix horizontal scroll * Fix featured products
Update self hosted dependency Co-authored-by: GitHub Action <action@github.com>
…iles (adobecom#3876) * MWPW-170340- * fix
* first draft * add callout * fix stock js issue * fix plans variant * remove sitemap * fix unit tests * add nala tests * MWPW-167305 [Plans Milo] Callout grey block: authoring improvement (adobecom#3663) Co-authored-by: Bozo Jovicic <bozo@hitthecode.com> * use consonant cta for plans * add plans.md * fix review comments * fix merge issue * revert obsolete change * pixel perfect initial styles * batch 2 * temp plans * heading height * nit fix * css fixes * removed callout padding * removed rest of callout styles * pixel perfect callout * header fix * fixed callout * icon fix * visual updates * more updates * removed space * revert badge stuff * MWPW-167207: add Nala for plans CSS check * MWPW-167207: fix lint * strikethrough style cover * strikethrough heading fix * color changes * MWPW-167207: update colors * reverted global style changes --------- Co-authored-by: Mariia Lukianets <mariia.lukianets@gmail.com> Co-authored-by: Bozo Jovicic <37440641+bozojovicic@users.noreply.github.com> Co-authored-by: Bozo Jovicic <bozo@hitthecode.com> Co-authored-by: cod23684 <cod23684@adobe.com>
…ecom#3855) * adding attributes for placeholder * adding attributes for placeholder --------- Co-authored-by: Suhani <suhjain@suhanis-mbp.corp.adobe.com>
…ation (adobecom#3896) * Update notification.css * Update notification.css * Close notif via button * Btn close notification * Btn close notification * Btn close notification * Update notification.js * Review comment * quote fix * Unit test for close * review comments * review comments
* MWPW-167306 [Plans] Quantity Selector & Badge * MWPW-167306 [Plans] Quantity Selector & Badge * MWPW-167306 [Plans] Quantity Selector & Badge * MWPW-167306 [Plans] Quantity Selector & Badge * MWPW-167306 [Plans] Quantity Selector & Badge * MWPW-167306 [Plans] Quantity Selector & Badge * MWPW-167306 [Plans] Quantity Selector & Badge * MWPW-167306 [Plans] Quantity Selector & Badge * Trigger Build * MWPW-167306 [Plans] Quantity Selector & Badge * MWPW-167306 [Plans] Quantity Selector & Badge * MWPW-167306 [Plans] Quantity Selector & Badge * MWPW-164491 [Plans] Updates to Individuals wide key apps merch-card * MWPW-164491 [Plans] Updates to Individuals wide key apps merch-card * MWPW-164491 [Plans] Updates to Individuals wide key apps merch-card * MWPW-164491 [Plans] Updates to Individuals wide key apps merch-card * MWPW-164491 [Plans] Updates to Individuals wide key apps merch-card * MWPW-164491 [Plans] Updates to Individuals wide key apps merch-card * Trigger Build * MWPW-164491 [Plans] Updates to Individuals wide key apps merch-card * MWPW-164491 [Plans] Updates to Individuals wide key apps merch-card * MWPW-164491 [Plans] Updates to Individuals wide key apps merch-card * Build mas * MWPW-164491 [Plans] Updates to Individuals wide key apps merch-card * MWPW-164491 [Plans] Updates to Individuals wide key apps merch-card * build mas * Trigger Build * MWPW-164491 [Plans] Updates to Individuals wide key apps merch-card * MWPW-164491 [Plans] Updates to Individuals wide key apps merch-card * Trigger Build * MWPW-164491 [Plans] Updates to Individuals wide key apps merch-card * Trigger Build * Trigger Build * Trigger Build * Trigger Build --------- Co-authored-by: Bozo Jovicic <bozo@hitthecode.com>
* Close localnav on scroll of the body but not on scroll of the localnav itself * Animations for localnav open and close * Close localnav dropdowns only after the animation plays * Fixed an issue where the last element in the list was shifting when the local nav closing animation played * fixed an issue where the page wasn't interactable because of the localnav
* added notify-on-merge and removed slack notification on merge in merge-to-stage.js * changed the name of the workflow * removed SlackNotification from merge-to-main
Hello, I'm the AEM Code Sync Bot and I will run some actions to deploy your branch and validate page speed.
Commits
Remaining comments which cannot be posted as a review comment to avoid GitHub Rate Limit
eslint
Unexpected console statement.
Line 595 in ff4e0bb
| switch (subType) { | ||
| case 'EXTERNAL': | ||
| if (!data?.externalUrl || !data?.target) return; | ||
| window.open(data.externalUrl, data.target); |
Check warning
Code scanning / CodeQL
Client-side URL redirect Medium
Copilot Autofix
AI 11 months ago
To fix the problem, we need to ensure that the data.externalUrl is validated against a list of allowed URLs before using it in the window.open call. This can be achieved by maintaining a list of authorized URLs and checking if the data.externalUrl is in that list before proceeding with the redirection.
- Create a list of authorized URLs.
- Check if `data.externalUrl` is in the list of authorized URLs before using it in the `window.open` call.
- If the URL is not authorized, do not perform the redirection.
| @@ -6,2 +6,6 @@ | ||
| ]; | ||
| const AUTHORIZED_URLS = [ | ||
| 'https://trusted.example.com', | ||
| 'https://another-trusted.example.com', | ||
| ]; | ||
|
|
||
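Review bot: the two entries added to AUTHORIZED_URLS ('https://trusted.example.com', 'https://another-trusted.example.com') are placeholders, not the origins this handler really redirects to, so merged as-is the guard would reject every legitimate redirect. The later hunks compare entries against `new URL(...).origin`, so the name should say origins and each entry must be an exact scheme-plus-host origin with no path or trailing slash, or `includes` never matches. The file already has an ALLOWED_MESSAGE_ORIGINS array (the second autofix for this file uses it); keep one reviewed allowlist rather than a second, separately maintained copy.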
| @@ -12,3 +16,5 @@ | ||
| if (!data?.externalUrl || !data?.target) return; | ||
| window.open(data.externalUrl, data.target); | ||
| if (AUTHORIZED_URLS.includes(new URL(data.externalUrl).origin)) { | ||
| window.open(data.externalUrl, data.target); | ||
| } | ||
| break; | ||
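Review bot: `new URL(data.externalUrl)` throws on anything that is not an absolute URL (a relative path, or an arbitrary string sent by the iframe), and nothing in this hunk catches it, so one malformed message aborts the whole handler; parse inside a try/catch (or a helper that returns false on failure) before the `includes` check. Consider `window.open(data.externalUrl, data.target, 'noopener')` so the opened document holds no `window.opener` reference back to this page, and give the rejected path an `else` that logs the rejected origin (the page's other commits add LANA logging for exactly this kind of failure) so blocked redirects are observable instead of silent.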
| @@ -16,3 +22,5 @@ | ||
| if (!data?.externalUrl || !data?.target) return; | ||
| window.open(data.externalUrl, data.target); | ||
| if (AUTHORIZED_URLS.includes(new URL(data.externalUrl).origin)) { | ||
| window.open(data.externalUrl, data.target); | ||
| } | ||
| break; |
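Review bot: this is the EXTERNAL guard pasted a second time into the SWITCH case; move the null check, `new URL` parse with its try/catch, origin comparison and `window.open` into one helper called from both cases so the two branches cannot drift apart. The `break` correctly stays outside the `if`.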
| break; | ||
| case 'SWITCH': | ||
| if (!data?.externalUrl || !data?.target) return; | ||
| window.open(data.externalUrl, data.target); |
Check warning
Code scanning / CodeQL
Client-side URL redirect Medium
Copilot Autofix
AI 11 months ago
To fix the problem, we need to ensure that the data.externalUrl is validated against a list of allowed URLs before using it for redirection. This can be achieved by checking if the URL's origin is in the ALLOWED_MESSAGE_ORIGINS array. If the URL is not in the allowed list, we should not perform the redirection.
- Add a function to validate the URL against the allowed origins.
- Use this function to check the `data.externalUrl` before calling `window.open`.
| @@ -7,2 +7,11 @@ | ||
|
|
||
| function isValidUrl(url) { | ||
| try { | ||
| const parsedUrl = new URL(url); | ||
| return ALLOWED_MESSAGE_ORIGINS.includes(parsedUrl.origin); | ||
| } catch (e) { | ||
| return false; | ||
| } | ||
| } | ||
|
|
||
| function handleManagePlanEvents(message) { | ||
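Review bot: `isValidUrl` checks the origin, not the URL, so a name like `isAllowedRedirectOrigin` would state what it actually guarantees. The try/catch is the right shape: `new URL` throws on relative and garbage input and those are correctly rejected. Note that `new URL('javascript:...').origin` (and data:) evaluates to the string 'null', so the guard only holds as long as ALLOWED_MESSAGE_ORIGINS never contains 'null' and every entry is a full scheme-plus-host origin. Reusing the postMessage origin list as the redirect allowlist also couples two policies: accepting a message from an origin and sending the user to it are different decisions, so if they ever diverge keep a separate list for redirect targets.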
| @@ -12,3 +21,5 @@ | ||
| if (!data?.externalUrl || !data?.target) return; | ||
| window.open(data.externalUrl, data.target); | ||
| if (isValidUrl(data.externalUrl)) { | ||
| window.open(data.externalUrl, data.target); | ||
| } | ||
| break; | ||
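Review bot: the rejection path is silent; because the `if` simply skips `window.open`, a blocked redirect is indistinguishable from a message that carried no externalUrl. Add an `else` that logs the rejected origin (not the full URL, which may carry query data) so blocked redirects can be detected, and pass 'noopener' as the third argument to `window.open` so the opened window gets no reference back to this one.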
| @@ -16,3 +27,5 @@ | ||
| if (!data?.externalUrl || !data?.target) return; | ||
| window.open(data.externalUrl, data.target); | ||
| if (isValidUrl(data.externalUrl)) { | ||
| window.open(data.externalUrl, data.target); | ||
| } | ||
| break; |
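Review bot: duplicate of the EXTERNAL branch; the only difference between 'EXTERNAL' and 'SWITCH' as shown is the case label, so a shared helper that does the null check, `isValidUrl` call and `window.open` would remove the copy and keep any later change (logging, 'noopener') applied to both. The `break` correctly stays outside the `if`.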
libs/features/mas/docs/ccd.html
Outdated
Check failure
Code scanning / CodeQL
DOM text reinterpreted as HTML High documentation
Copilot Autofix
AI 11 months ago
To fix the problem, we need to ensure that any text content inserted into the HTML is properly escaped to prevent XSS attacks. This can be achieved by using a function that escapes HTML special characters before inserting the text content into the HTML.
The best way to fix the problem without changing existing functionality is to create a utility function that escapes HTML special characters and use this function to sanitize el.textContent before inserting it into the HTML.
We will add a function escapeHTML that replaces special characters with their corresponding HTML entities. We will then use this function to sanitize el.textContent before inserting it into the HTML.
| @@ -65,2 +65,14 @@ | ||
| <script type="module"> | ||
| function escapeHTML(str) { | ||
| return str.replace(/[&<>"']/g, function(match) { | ||
| const escapeMap = { | ||
| '&': '&', | ||
| '<': '<', | ||
| '>': '>', | ||
| '"': '"', | ||
| "'": ''' | ||
| }; | ||
| return escapeMap[match]; | ||
| }); | ||
| } | ||
| document.querySelectorAll('code.demo').forEach(el => { | ||
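Review bot: as rendered here every entry in `escapeMap` maps a character to itself (`'&': '&'`, `'<': '<'`, and so on), which makes `escapeHTML` a no-op; the right-hand sides must be the entity strings `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&#39;`, so check the raw diff before accepting, since the page view has probably decoded them. Separately, make sure escaping is what this docs page wants: `code.demo` content is inserted so that it renders as a live demo, and escaping it will display the markup as text and break the demo rather than fix it. The alert is tagged documentation and the file lives under libs/features/mas/docs, so if `el.textContent` only ever comes from this static page the right resolution may be a justified dismissal, not this change.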
| @@ -68,3 +80,3 @@ | ||
| targetContainer.classList.toggle('light', el.classList.contains('light')); | ||
| targetContainer.innerHTML = `<h4>Demo: </h4><div class="demo-container">${el.textContent}</div>`; | ||
| targetContainer.innerHTML = `<h4>Demo: </h4><div class="demo-container">${escapeHTML(el.textContent)}</div>`; | ||
| el.parentElement.after(targetContainer); |
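Review bot: applying `escapeHTML` here changes behaviour: the demo container will now show the markup literally instead of rendering it. If the `code.demo` content is authored in this static documentation file and never comes from user input, the finding is a trusted-source sink and should be closed with that reasoning; if untrusted content can reach `el.textContent`, escaping is correct, but then the `<h4>` should also be built with DOM APIs rather than left in a template string that now mixes trusted and escaped parts.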
Check failure
Code scanning / CodeQL
DOM text reinterpreted as HTML High documentation
Copilot Autofix
AI 11 months ago
To fix the problem, we need to ensure that any text content inserted into the innerHTML property is properly escaped to prevent it from being interpreted as HTML. This can be achieved by creating a text node and appending it to the container, rather than directly setting innerHTML.
- Replace the line that sets `innerHTML` with code that creates a text node and appends it to the container.
- Ensure that the text content is safely inserted without being interpreted as HTML.
| @@ -63,3 +63,7 @@ | ||
| targetContainer.classList.toggle('light', el.classList.contains('light')); | ||
| targetContainer.innerHTML = `<h4>Demo: </h4><div class="demo-container">${el.textContent}</div>`; | ||
| const demoContainer = document.createElement('div'); | ||
| demoContainer.className = 'demo-container'; | ||
| demoContainer.textContent = el.textContent; | ||
| targetContainer.innerHTML = '<h4>Demo: </h4>'; | ||
| targetContainer.appendChild(demoContainer); | ||
| el.parentElement.after(targetContainer); |
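Review bot: `demoContainer.textContent = el.textContent` is the safer construction of the two suggestions (the text is never parsed at all), but it has the same functional effect as escaping: the demo stops rendering. If rendering trusted static markup is the point of this page, keep the snippets as reviewed HTML in the document itself or build them from a fixed template rather than interpolating text into `innerHTML`. The remaining `targetContainer.innerHTML = '<h4>Demo: </h4>'` could become `createElement('h4')` plus `textContent`, which removes `innerHTML` from this block entirely and makes the CodeQL rule stop firing on it.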
Resolves: MWPW-NUMBER
Test URLs: