[SAST] DOM-based Cross-site Scripting (XSS)

[alan-null]

ise.js

Console/src/Spe/sitecore modules/PowerShell/Scripts/ise.js

Line 841 in 248a7bc

spe.ajaxDialog = $("<div id=\"ajax-dialog\"/>").append("<div id=\"HelpClose\">X</div>").append($.commandHelp).appendTo("body");

reports.js

Console/src/Spe/sitecore modules/PowerShell/Scripts/reports.js

Line 14 in 248a7bc

$(`#chart-${index}-container`).append(`<h2 class="title">${chartData.Results.title}</h2>`);

console.js

Console/src/Spe/sitecore modules/PowerShell/Scripts/console.js

Line 247 in 248a7bc

tip.innerHTML = sigHint;

---

Location:

Path: Sitecore.PowerShell.Extensions-8.0-Beta-2-IAR.scwdp/Content/Website/sitecore%20modules/PowerShell/Scripts/ise.js, line 841
Path: Sitecore.PowerShell.Extensions-8.0-Beta-2-IAR.scwdp/Content/Website/sitecore%20modules/PowerShell/Scripts/reports.js, line 14
Path: Sitecore.PowerShell.Extensions-8.0-Beta-2-IAR.scwdp/Content/Website/sitecore%20modules/PowerShell/Scripts/console.js, line 247
  
Path: Sitecore.PowerShell.Extensions-8.0-Beta-2.scwdp/Content/Website/sitecore%20modules/PowerShell/Scripts/ise.js, line 841
Path: Sitecore.PowerShell.Extensions-8.0-Beta-2.scwdp/Content/Website/sitecore%20modules/PowerShell/Scripts/reports.js, line 14
Path: Sitecore.PowerShell.Extensions-8.0-Beta-2.scwdp/Content/Website/sitecore%20modules/PowerShell/Scripts/console.js, line 247
  
Path: Sitecore.PowerShell.Extensions-8.0-Beta-2/files/sitecore%20modules/PowerShell/Scripts/ise.js, line 841
Path: Sitecore.PowerShell.Extensions-8.0-Beta-2/files/sitecore%20modules/PowerShell/Scripts/reports.js, line 14
Path: Sitecore.PowerShell.Extensions-8.0-Beta-2/files/sitecore%20modules/PowerShell/Scripts/console.js, line 247
  
Path: Sitecore.PowerShell.Extensions-8.0-Beta-2-IAR/files/sitecore%20modules/PowerShell/Scripts/ise.js, line 841
Path: Sitecore.PowerShell.Extensions-8.0-Beta-2-IAR/files/sitecore%20modules/PowerShell/Scripts/reports.js, line 14
Path: Sitecore.PowerShell.Extensions-8.0-Beta-2-IAR/files/sitecore%20modules/PowerShell/Scripts/console.js, line 247

Proof:

Info: Unsanitized input from data from a remote resource flows into innerHTML, where it is used to dynamically construct the HTML page on client side. This may result in a DOM Based Cross-Site Scripting attack (DOMXSS).

Resolution:

• Stop using innerHTML for untrusted data, Use textContent (or innerText) for plain text.
• Use a well-maintained sanitizer (like DOMPurify) at the point of use.

[michaellwest]

Fix Summary

Fixed DOM-based Cross-Site Scripting (XSS) vulnerabilities in three JavaScript files where untrusted data was inserted into the DOM via innerHTML without sanitization.

Changes

• console.js -- Added escapeHtml() helper function; server-returned signature hints are now escaped before being assigned to innerHTML via string concatenation
• ise.js -- Path and name values are now escaped before being embedded in innerHTML strings for breadcrumb/title rendering
• reports.js -- Chart titles now use jQuery .text() instead of template literal HTML, preventing script injection through report titles

Commit

09610f3 — Fix DOM XSS in console, ISE, and reports scripts (#1400)

[michaellwest]

Fixed in release/9.0 via 09610f3.