Conversation

crivetimihai
Member
@crivetimihai crivetimihai commented Jul 9, 2025

Add proper HTML escaping for admin UI user data rendering

Closes #336 closes #338

Changes

  • Added escapeHtml() function that escapes HTML special characters
  • Applied HTML escaping to all user data before rendering in modals and tables
  • Implemented safe DOM manipulation using textContent for table cells
  • Added safeUrl() helper for URL validation

Impact

  • Ensures user input displays correctly as text content without unintended HTML rendering
  • Improves data display consistency across admin UI components
  • Applies proper output encoding throughout the interface

Testing

  • Verified HTML content like <img src=x onerror="alert('test')"> is properly escaped and displayed as text
  • Confirmed all user data displays correctly without breaking existing functionality

Additional Improvements to Consider

Immediate:

  • Add Content Security Policy (CSP) headers for enhanced browser protection
  • Implement server-side input validation
  • Review file upload functionality for similar rendering issues
  • Add automated testing for proper data escaping

Medium-term:

  • Consider migrating to a dedicated sanitization library (e.g., DOMPurify)
  • Add CSRF protection for form submissions
  • Establish consistent data handling patterns across components
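The helpers the PR summary describes, written out as an added example that is not the PR's own code: an escapeHtml() that rewrites the HTML special characters, a safeUrl() that accepts only absolute http(s) URLs, and a textContent-based cell renderer. Function names, the exact escape table and the URL policy are assumptions; the merged implementation may differ.

```javascript
// Added example, not the PR's code: names and policy below are assumptions.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five HTML special characters in one pass so untrusted text
// renders as text. A single regex pass avoids double-escaping "&".
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http/https URLs. Other schemes (javascript:, data:)
// and strings that fail to parse yield "" so nothing unsafe reaches an href.
function safeUrl(value) {
  try {
    const url = new URL(String(value));
    return url.protocol === "http:" || url.protocol === "https:" ? url.href : "";
  } catch {
    return "";
  }
}

// Build a table cell via textContent instead of innerHTML: the browser treats
// the value as character data, so no markup in it is ever parsed.
function renderCell(doc, text) {
  const td = doc.createElement("td");
  td.textContent = String(text ?? "");
  return td;
}

// Constructed sample mirroring the PR's test string.
const SAMPLE = `<img src=x onerror="alert('test')">`;
console.log(escapeHtml(SAMPLE));
console.log(safeUrl("javascript:alert(1)") === "" ? "rejected" : "accepted");
```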

@crivetimihai crivetimihai added this to the Release 0.4.0 milestone Jul 9, 2025
@crivetimihai crivetimihai self-assigned this Jul 9, 2025
@crivetimihai crivetimihai added bug Something isn't working security Improves security labels Jul 9, 2025
@crivetimihai crivetimihai changed the title Add proper HTML escaping for admin UI user data rendering closes #336 Add proper HTML escaping for admin UI user data rendering, and eliminate all web lint issues closes #336 Jul 10, 2025
@crivetimihai crivetimihai changed the title Add proper HTML escaping for admin UI user data rendering, and eliminate all web lint issues closes #336 Add proper HTML escaping for admin UI user data rendering, and eliminate all web lint issues closes #336 #338 Jul 10, 2025
@crivetimihai crivetimihai merged commit acd1619 into main Jul 10, 2025
22 of 23 checks passed
@crivetimihai crivetimihai deleted the strengthen-ui branch July 10, 2025 03:45
Successfully merging this pull request may close these issues.

  • [Security]: Eliminate all lint issues in web stack
  • [Security]: Implement output escaping for user data in UI