🛡️ Sentinel: [HIGH] Fix XSS vulnerability via javascript: URI in href attributes

.Jules/sentinel.md

@@ -0,0 +1,5 @@
+
+## 2024-05-01 - Prevent javascript: URI XSS in href Attributes
+**Vulnerability:** XSS vulnerability through `javascript:` URI injection in `href` attributes for `ex.mediaUrl` and `info.url` (e.g. `<a href="${ex.mediaUrl}">`).
+**Learning:** `escapeHTML` mitigates standard XSS but not URI-based XSS when user-controlled URLs are injected directly into `href` without protocol validation, allowing `javascript:alert(1)` to be executed upon clicking.
+**Prevention:** Always validate and enforce safe protocols (`http://` or `https://`) for URLs dynamically injected into attributes like `href` or `src` using a function like `sanitizeUrl()`.

src/pages/exercises.js

@@ -10,6 +10,7 @@ import { createLineChart } from '../components/charts.js';
 import { getExerciseHistory } from '../engine/progression.js';
 import { createRMCalculator } from '../components/rm-calculator.js';
 import { getSetting } from '../data/db.js';
+import { sanitizeUrl } from '../utils/sanitize.js';
 
 export async function renderExercisesPage(container) {
     const exercises = await getAll('exercises');
@@ -130,7 +131,7 @@ export async function renderExercisesPage(container) {
       </div>
 
       ${ex.mediaUrl ? `
-        <a href="${ex.mediaUrl}" target="_blank" rel="noopener" class="btn btn-secondary btn-full" style="margin-bottom:var(--sp-4)">
+        <a href="${sanitizeUrl(ex.mediaUrl)}" target="_blank" rel="noopener" class="btn btn-secondary btn-full" style="margin-bottom:var(--sp-4)">
           <svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
             <polygon points="5 3 19 12 5 21 5 3"/>
           </svg>

src/pages/settings.js

@@ -8,6 +8,7 @@ import { showToast } from '../components/toast.js';
 import { STANDARD_PLATES_LB, STANDARD_PLATES_KG } from '../engine/progression.js';
 import { getGistToken, setGistToken, validateToken, pushBackup, pullBackup, restoreFromGist, getBackupInfo, disconnectGist } from '../data/gist-backup.js';
 import { getWebDavConfig, setWebDavConfig, pushToWebDav, pullFromWebDav, disconnectWebDav } from '../data/webdav.js';
+import { sanitizeUrl } from '../utils/sanitize.js';
 
 export async function renderSettingsPage(container) {
   const unit = await getSetting('unit', 'lb');
@@ -259,7 +260,7 @@ export async function renderSettingsPage(container) {
               <div class="text-sm font-medium text-success">● Connected</div>
               <div class="text-xs text-muted">Last backup: ${lastBackup}</div>
             </div>
-            ${info ? `<a href="${info.url}" target="_blank" class="text-xs" style="color:var(--accent)">View Gist ↗</a>` : ''}
+            ${info ? `<a href="${sanitizeUrl(info.url)}" target="_blank" class="text-xs" style="color:var(--accent)">View Gist ↗</a>` : ''}
           </div>
           <div class="flex gap-2">
             <button class="btn btn-primary btn-sm" id="gist-push" style="flex:1">Push Backup</button>

src/utils/sanitize.js

@@ -7,3 +7,13 @@ export function escapeHTML(str) {
     .replace(/"/g, """)
     .replace(/'/g, "'");
 }
+
+export function sanitizeUrl(url) {
+  if (typeof url !== 'string') return '#';
+  const trimmed = url.trim();
+  if (!trimmed) return '#';
+  if (trimmed.startsWith('http://') || trimmed.startsWith('https://')) {
+    return escapeHTML(trimmed);
+  }
+  return '#';
+}