Security: Potential Cross-Site Scripting (XSS) via HTML Attribute Injection#1658
Open
tomaioo wants to merge 1 commit into
Conversation
In _includes/footer.html, the site.baseurl is interpolated into an HTML attribute without explicit escaping. While Jekyll typically escapes output by default, the use of double quotes around the attribute value relies on proper escaping. If site.baseurl ever contains malicious content or if the template engine's escaping behavior changes, this could lead to attribute injection. More critically, in _includes/historical_data_download.html and _includes/visualizations.html, the agencies data is passed via JSON through Jekyll's jsonify filter into HTML attributes using single quotes. The jsonify filter may not sufficiently escape content for HTML attribute contexts, particularly if agency names contain single quotes or other special characters, potentially breaking out of the attribute context and enabling XSS.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
Summary
Security: Potential Cross-Site Scripting (XSS) via HTML Attribute Injection
Problem
Severity: Medium
File: _includes/historical_data_download.html:L10
Solution
Ensure all dynamic content inserted into HTML attributes is properly escaped for the HTML attribute context. Consider using data-* attributes with URL-encoded or base64-encoded JSON, or ensure the jsonify filter properly escapes single quotes and other HTML-sensitive characters. Add explicit HTML escaping where Jekyll's default escaping might be bypassed.
Changes
_includes/historical_data_download.html (modified)
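The attribute-context problem the PR describes, as an added example that is not part of the pull request or of the repository. The two Liquid filters are modelled by the Ruby calls they wrap (Jekyll's `jsonify` is `to_json`, i.e. `JSON.generate`; Liquid's `escape` is `CGI.escapeHTML`), and the agency data, the `data-agencies` attribute name and the minimal attribute parser are constructed for the demonstration rather than taken from the site's includes:

```ruby
require 'json'
require 'cgi'

# Constructed sample data: the second agency name carries a single quote and
# an attribute-breakout payload, standing in for untrusted content in _data.
AGENCIES = [
  { 'name' => 'Department of Example' },
  { 'name' => "O'Neil' onmouseover='alert(1)" }
].freeze

# What `{{ agencies | jsonify }}` emits: JSON.generate escapes only `"`, `\`
# and control characters. `'`, `<`, `>` and `&` pass through untouched, so the
# output is only safe in a single-quoted attribute as long as no value
# contains a single quote.
def jsonify(obj)
  JSON.generate(obj)
end

# What `{{ agencies | jsonify | escape }}` emits: CGI.escapeHTML rewrites
# & < > " and ' (as &#39;), so the JSON can no longer close the attribute
# regardless of which quote character wraps it.
def jsonify_escaped(obj)
  CGI.escapeHTML(jsonify(obj))
end

# The pattern described in the PR: JSON dropped straight into a
# single-quoted data-* attribute (hypothetical attribute name).
def render_vulnerable(agencies)
  "<div id='chart' data-agencies='#{jsonify(agencies)}'></div>"
end

# The hardened form: same template, with `escape` applied after `jsonify`.
def render_fixed(agencies)
  "<div id='chart' data-agencies='#{jsonify_escaped(agencies)}'></div>"
end

# Minimal model of how an HTML parser reads single-quoted attributes: each
# value ends at the first raw `'`, and character references are decoded
# afterwards. Returns { attribute name => decoded value }.
def parse_attributes(tag)
  tag.scan(/([a-zA-Z-]+)='([^']*)'/)
     .map { |name, raw| [name, CGI.unescapeHTML(raw)] }
     .to_h
end

# What a script reading element.dataset.agencies would get back, or nil when
# the attribute was cut short and the JSON no longer parses.
def recover_agencies(html)
  JSON.parse(parse_attributes(html).fetch('data-agencies'))
rescue JSON::ParserError
  nil
end

if $PROGRAM_NAME == __FILE__
  vulnerable = render_vulnerable(AGENCIES)
  fixed = render_fixed(AGENCIES)
  puts vulnerable
  puts "injected attributes: #{parse_attributes(vulnerable).keys}"
  puts "recovered JSON: #{recover_agencies(vulnerable).inspect}"
  puts fixed
  puts "recovered JSON: #{recover_agencies(fixed).inspect}"
end
```

In the vulnerable rendering the single quote inside the agency name terminates `data-agencies` early, the remainder of the JSON is parsed as further attributes (here an `onmouseover` handler), and the truncated JSON no longer parses. With `escape` applied after `jsonify`, the browser decodes the character references back into the original JSON when the attribute is read, so the data round-trips and no attribute can be injected. Note that the fix also removes the dependence on the quoting style: the unescaped JSON contains `"` characters, so switching the template to double quotes would break the attribute on every render rather than only on hostile input.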