Skip to content

fix(dashboard): eliminate XSS via DOM-safe rendering#23

Merged
SafetyMP merged 1 commit into
mainfrom
fix/corpOS-dashboard-xss
Jul 12, 2026
Merged

fix(dashboard): eliminate XSS via DOM-safe rendering#23
SafetyMP merged 1 commit into
mainfrom
fix/corpOS-dashboard-xss

Conversation

@SafetyMP

Copy link
Copy Markdown
Owner

Summary

  • Replace innerHTML rendering with DOM APIs (textContent/createElement) for agents, tasks, approvals, events, and banners.
  • Whitelist task states for KPI counts and badge CSS classes to close remote property injection.
  • Sanitize WebSocket event type class names.

Test plan

Replace innerHTML rendering of API data with createElement/textContent,
whitelist task states for KPI aggregation and CSS classes, and sanitize
event type class names to close CodeQL alerts #1-#3.
Copilot AI review requested due to automatic review settings July 12, 2026 00:38

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@SafetyMP SafetyMP merged commit 9ee363a into main Jul 12, 2026
6 checks passed
@SafetyMP SafetyMP deleted the fix/corpOS-dashboard-xss branch July 12, 2026 01:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants