|
| 1 | +# XSS Vulnerability Findings - Quick Reference |
| 2 | + |
| 3 | +## Files with XSS-Unsafe DOM Manipulation |
| 4 | + |
| 5 | +### 🔴 CRITICAL - Requires Immediate Fix (7 files) |
| 6 | + |
| 7 | +These files use `innerHTML` with dynamic, unsanitized data: |
| 8 | + |
| 9 | +1. **`samples/advanced-markers-html/index.ts`** (Line 48) |
| 10 | + - Inserts property data (type, price, address, bed, bath, size) into HTML without escaping |
| 11 | + - Example: `content.innerHTML = \`...\${property.address}...\`` |
| 12 | + |
| 13 | +2. **`samples/3d-places/index.ts`** (Lines 29, 30, 34) |
| 14 | + - Inserts Places API data (displayName, id, types) without sanitization |
| 15 | + - Example: `element.innerHTML = "<b>Name :</b>" + place.displayName` |
| 16 | + |
| 17 | +3. **`samples/deckgl-kml/index.ts`** (Line 132) |
| 18 | + - Inserts KML properties into tooltip HTML |
| 19 | + - KML description field can contain arbitrary HTML |
| 20 | + - Example: `tooltip.innerHTML = tooltipContent` with KML data |
| 21 | + |
| 22 | +4. **`samples/deckgl-kml-updated/index.ts`** (Line 156) |
| 23 | + - Same vulnerability as #3 |
| 24 | + |
| 25 | +5. **`samples/deckgl-heatmap/index.ts`** (Line 100) |
| 26 | + - Inserts data source properties (ADDRESS, RACKS, SPACES) into tooltip |
| 27 | + - Example: `tooltipContent += \`\${info.object.ADDRESS}\`` |
| 28 | + |
| 29 | +6. **`samples/deckgl-polygon/index.ts`** (Line 110) |
| 30 | + - Similar tooltip vulnerability with dynamic data |
| 31 | + |
| 32 | +7. **`samples/advanced-markers-graphics/index.ts`** (Line 93) |
| 33 | + - Uses innerHTML for icon (currently hardcoded but unsafe pattern) |
| 34 | + - Example: `icon.innerHTML = '<i class="fa fa-pizza-slice fa-lg"></i>'` |
| 35 | + |
| 36 | +### 🟡 MEDIUM - Should Be Refactored (4 files) |
| 37 | + |
| 38 | +These files use innerHTML with static content but follow unsafe patterns: |
| 39 | + |
| 40 | +8. **`samples/react-ui-kit-place-details/src/app.tsx`** (Line 44) |
| 41 | +9. **`samples/react-ui-kit-place-details-latlng/src/app.tsx`** (Line 45) |
| 42 | +10. **`samples/react-ui-kit-place-details-latlng-compact/src/app.tsx`** (Line 48) |
| 43 | +11. **`samples/react-ui-kit-place-details-compact/src/app.tsx`** (Line 47) |
| 44 | + - All insert static Google Maps web component markup via innerHTML |
| 45 | + - Currently safe but could be vulnerable if modified to include dynamic data |
| 46 | + |
| 47 | +### 🟢 SAFE - No Action Required (2 files) |
| 48 | + |
| 49 | +12. **`samples/weather-api-current-compact/simple-weather-widget.ts`** (Line 11) |
| 50 | + - Uses innerHTML in Web Component constructor with Shadow DOM (standard pattern) |
| 51 | + - All content is static CSS and HTML structure |
| 52 | + |
| 53 | +13. **`samples/ui-kit-customization/index.ts`** (Lines 290, 293, 307) |
| 54 | + - Only uses innerHTML for clearing content (`innerHTML = ''`) |
| 55 | + - Dynamic elements created with safe DOM methods |
| 56 | + |
| 57 | +### Additional Files Using innerHTML for Clearing (Safe) |
| 58 | +- `samples/react-ui-kit-search-nearby/src/app.tsx` (Lines 130, 141) |
| 59 | +- `samples/react-ui-kit-search-text/src/app.tsx` (Lines 134, 156) |
| 60 | +- React UI Kit samples listed above also use `innerHTML = ''` for clearing |
| 61 | + |
| 62 | +--- |
| 63 | + |
| 64 | +## Quick Fix Guide |
| 65 | + |
| 66 | +### Pattern to Replace: |
| 67 | +```typescript |
| 68 | +// ❌ UNSAFE |
| 69 | +element.innerHTML = `<span>${data.value}</span>`; |
| 70 | +``` |
| 71 | + |
| 72 | +### Safe Alternative: |
| 73 | +```typescript |
| 74 | +// ✅ SAFE |
| 75 | +const span = document.createElement('span'); |
| 76 | +span.textContent = data.value; |
| 77 | +element.appendChild(span); |
| 78 | +``` |
| 79 | + |
| 80 | +### For Multiple Children: |
| 81 | +```typescript |
| 82 | +// ❌ UNSAFE |
| 83 | +element.innerHTML = ` |
| 84 | + <div class="title">${data.title}</div> |
| 85 | + <div class="body">${data.body}</div> |
| 86 | +`; |
| 87 | +``` |
| 88 | + |
| 89 | +### Safe Alternative: |
| 90 | +```typescript |
| 91 | +// ✅ SAFE |
| 92 | +const title = document.createElement('div'); |
| 93 | +title.className = 'title'; |
| 94 | +title.textContent = data.title; |
| 95 | + |
| 96 | +const body = document.createElement('div'); |
| 97 | +body.className = 'body'; |
| 98 | +body.textContent = data.body; |
| 99 | + |
| 100 | +element.replaceChildren(title, body); |
| 101 | +``` |
| 102 | + |
| 103 | +--- |
| 104 | + |
| 105 | +## Priority Order for Fixes |
| 106 | + |
| 107 | +1. **Highest:** Files handling external data (KML files, user-uploaded content) |
| 108 | + - `deckgl-kml/index.ts`, `deckgl-kml-updated/index.ts` |
| 109 | + |
| 110 | +2. **High:** Files displaying API data in tooltips |
| 111 | + - `deckgl-heatmap/index.ts`, `deckgl-polygon/index.ts` |
| 112 | + |
| 113 | +3. **Medium:** Files displaying property/place data |
| 114 | + - `advanced-markers-html/index.ts`, `3d-places/index.ts` |
| 115 | + |
| 116 | +4. **Low:** Files with static content but unsafe patterns |
| 117 | + - React UI Kit samples, `advanced-markers-graphics/index.ts` |
| 118 | + |
| 119 | +--- |
| 120 | + |
| 121 | +## Total Count |
| 122 | + |
| 123 | +- **Total files with innerHTML usage:** 15 |
| 124 | +- **Critical vulnerabilities:** 7 files (46.7%) |
| 125 | +- **Medium risk:** 4 files (26.7%) |
| 126 | +- **Safe usage:** 4 files (26.7%) |
| 127 | + |
| 128 | +--- |
| 129 | + |
| 130 | +Generated: $(date) |
0 commit comments