Fix code scanning alert no. 18: Client-side cross-site scripting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Dr. Hans-Peter Störr <999184+stoerr@users.noreply.github.com>
ist-dresden · Nov 13, 2024 · e871fae · e871fae
1 parent 9b85cb5
commit e871fae
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/...s/src/main/content/jcr_root/apps/composum-ai/components/tool/comparetool/comparetool.html b/...s/src/main/content/jcr_root/apps/composum-ai/components/tool/comparetool/comparetool.html
@@ -30,6 +30,7 @@
             border: none;
         }
     </style>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.3.4/purify.min.js"></script>
 </head>
 <body>
 <div class="iframe-container">
@@ -62,7 +63,7 @@
         leftLoaded = false;
         try {
             const url = new URL(this.value);
-            leftIframe.src = url.href;
+            leftIframe.src = DOMPurify.sanitize(url.href);
         } catch (e) {
             console.error('Invalid URL:', this.value);
         }
@@ -72,7 +73,7 @@
         rightLoaded = false;
         try {
             const url = new URL(this.value);
-            rightIframe.src = url.href;
+            rightIframe.src = DOMPurify.sanitize(url.href);
         } catch (e) {
             console.error('Invalid URL:', this.value);
         }
@@ -88,11 +89,11 @@
     const initialUrl1 = getParameterByName('url1');
     const initialUrl2 = getParameterByName('url2');
     if (initialUrl1) {
-        leftIframe.src = initialUrl1;
+        leftIframe.src = DOMPurify.sanitize(initialUrl1);
         leftField.value = initialUrl1;
     }
     if (initialUrl2) {
-        rightIframe.src = initialUrl2;
+        rightIframe.src = DOMPurify.sanitize(initialUrl2);
         rightField.value = initialUrl2;
     }