Potential fix for code scanning alert no. 1: DOM text reinterpreted as HTML#10
Merged
EthanThePhoenix38 merged 1 commit into main, Jan 31, 2026
…s HTML Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Pull request overview
This PR fixes a DOM-based XSS vulnerability (code scanning alert #1) in the chatbot functionality by preventing user-supplied text from being interpreted as HTML. The fix replaces string interpolation with insertAdjacentHTML with safe DOM manipulation using textContent.
Changes:
- Refactored `addBotMessage()` to create DOM elements programmatically and use `textContent` for message content
- Refactored `addUserMessage()` to create DOM elements programmatically and use `textContent` for message content
Comments suppressed due to low confidence (1)
chatbot.js:229
- This statement is unreachable.
window.open('https://calendly.com/ethanbernier/nouveau-creneau/', '_blank');
Potential fix for https://github.com/ThePhoenixAgency/ThePhoenixAgency.github.io/security/code-scanning/1
In general, to fix this class of problem, you must ensure that untrusted text is not interpreted as HTML. Either (1) never build HTML strings with untrusted data and instead construct DOM nodes and assign untrusted content via `textContent`, or (2) sanitize/encode the untrusted text before inserting it into the DOM with HTML-parsing APIs.

The best fix here, without changing existing functionality, is to stop using `insertAdjacentHTML` for messages that contain untrusted text, and instead build the message DOM structure with `document.createElement`. Then assign the user-controlled `text` via `textContent` on the `.message-content` node. This preserves the visual layout and behavior while ensuring that any `<script>`, `<img onerror=...>`, or other markup in user input is treated purely as text, not executable HTML. We should apply the same pattern to `addBotMessage` as well, because future changes might pass user-influenced data into that method. Concretely:

- In `addUserMessage`, replace the template literal `messageHTML` + `insertAdjacentHTML` with DOM creation: create the outer `.chatbot-message user` div, the `.message-content` div, set its `textContent` to `text`, create the avatar div and its SVG, then append everything and call `appendChild`.
- In `addBotMessage`, similarly replace the HTML string + `insertAdjacentHTML` with DOM construction and set `.message-content.textContent = text`.

All required APIs (`document.createElement`, `appendChild`, `textContent`, `innerHTML` for static SVG) are standard browser APIs, so no imports are needed, and all changes stay inside `chatbot.js` in the provided regions.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
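The before/after pattern the description above walks through, as an added example that is not the project's own `chatbot.js`: the string-built user message beside a DOM-built one, narrowed to the `.message-content` node (no avatar/SVG). The in-memory element stand-in `makeFakeDocument` is constructed here so the comparison runs outside a browser; in a browser the real `document` is used instead.

```javascript
// Minimal stand-in for the handful of DOM APIs the fix relies on (constructed
// for offline runs; assumed to mirror createElement/appendChild/textContent/outerHTML).
function makeFakeDocument() {
  const esc = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
  class FakeElement {
    constructor(tag) { this.tagName = tag; this.className = ''; this.children = []; this.text = ''; }
    // Assigning textContent stores a plain string; it is never parsed as markup.
    set textContent(v) { this.children = []; this.text = String(v); }
    get textContent() { return this.text + this.children.map((c) => c.textContent).join(''); }
    appendChild(child) { this.children.push(child); return child; }
    // Serializes like a browser: text nodes are escaped, child elements emitted as tags.
    get outerHTML() {
      const cls = this.className ? ` class="${this.className}"` : '';
      const inner = esc(this.text) + this.children.map((c) => c.outerHTML).join('');
      return `<${this.tagName}${cls}>${inner}</${this.tagName}>`;
    }
  }
  return { createElement: (tag) => new FakeElement(tag) };
}

// Before: the message is a template literal handed to insertAdjacentHTML, so any
// markup inside `text` is parsed into live elements by the browser.
function buildUserMessageHtml(text) {
  return `<div class="chatbot-message user"><div class="message-content">${text}</div></div>`;
}

// After: build the same structure with createElement and assign the user text via
// textContent; markup in `text` is kept as literal characters.
function buildUserMessageNode(doc, text) {
  const wrapper = doc.createElement('div');
  wrapper.className = 'chatbot-message user';
  const content = doc.createElement('div');
  content.className = 'message-content';
  content.textContent = text; // never interpreted as HTML
  wrapper.appendChild(content);
  return wrapper;
}

const doc = typeof document !== 'undefined' ? document : makeFakeDocument();
const samplePayload = '<img src=x onerror="alert(1)">'; // constructed sample input
console.log('before:', buildUserMessageHtml(samplePayload));
console.log('after: ', buildUserMessageNode(doc, samplePayload).outerHTML);
```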