🛡️ Sentinel: [CRITICAL] Fix XSS vulnerability in ShiftScreen.tsx#61
🛡️ Sentinel: [CRITICAL] Fix XSS vulnerability in ShiftScreen.tsx#61TargetMisser wants to merge 2 commits intomainfrom
Conversation
Co-authored-by: TargetMisser <52361977+TargetMisser@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
Fixes an XSS vector in ShiftScreen.tsx where untrusted/dynamic content was interpolated into JavaScript executed via WebView.injectJavaScript.
Changes:
- Removes manual single-quote escaping on the JSON payload.
- Passes the payload into injected JS using
JSON.stringify(...)so it is encoded as a safe JS string literal.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: TargetMisser <52361977+TargetMisser@users.noreply.github.com>
🚨 Severity: CRITICAL
💡 Vulnerability: The ShiftScreen.tsx component previously injected a dynamic base64 JSON string directly into a JavaScript template literal executed by a WebView (
injectJavaScript). It attempted to mitigate issues via manual single quote replacement (.replace(/'/g, "\\'")), which is unreliable and vulnerable to XSS and syntax corruption via unhandled backslashes or line endings.🎯 Impact: Attackers or malformed inputs could execute arbitrary JavaScript within the context of the WebView.
🔧 Fix: Wrapped the data in
JSON.stringify(base64Json)when passing it to the JavaScript string literal. This leverages native encoding to safely escape all characters and completely neutralizes injection risks.✅ Verification: Ran
npm run typecheckand verified syntax changes insrc/screens/ShiftScreen.tsx(the solution aligns precisely with prior fixes onHomeScreen.tsx).PR created automatically by Jules for task 15818564123666207320 started by @TargetMisser