security: sanitize admin question HTML with DOMPurify#545

Open
xpoes123 wants to merge 1 commit into qbreader:main from xpoes123:security/sanitize-admin-question-html

Conversation

@xpoes123 xpoes123 commented Jun 30, 2026

Contributor

The admin category-reports page rendered question and answer HTML via dangerouslySetInnerHTML without sanitization, creating a stored XSS surface. This wraps every affected field with DOMPurify.sanitize().

Problem

In client/admin/category-reports/index.jsx, five dangerouslySetInnerHTML={{ __html: ... }} expressions rendered raw database content directly into the DOM: tossup.question, tossup.answer, bonus.leadin, bonus.parts[i], and bonus.answers[i]. Any malicious <script> or event-handler attribute stored in those fields would execute in an admin's browser session.

Changes

  • Imports DOMPurify from dompurify at the top of client/admin/category-reports/index.jsx.
  • Wraps all five __html values with DOMPurify.sanitize(...). Null-safe defaults (?? '') are added for tossup.answer and bonus.answers[i] to avoid passing undefined to the sanitizer.

Risk & testing

DOMPurify is already listed as a project dependency (^3.0.0); no package installation is required. sanitize() preserves legitimate formatting markup (<b>, <em>, <i>, etc.) that question text routinely contains, so the rendered output is visually identical for well-formed content. semistandard and node --check pass.
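As an added example (not code from the qbreader repository or from this PR), the script below shows the property the change depends on: once the five `__html` values pass through a sanitizer, stored `<script>` elements and event-handler attributes become inert while the `<b>`/`<em>`/`<i>` formatting that question text carries survives. DOMPurify needs a browser DOM (or jsdom) and is therefore not used here; in its place `escapeThenAllow()` is a deliberately strict stand-in that escapes everything and then restores only an exact allowlist of bare, lower-case formatting tags. It is not a DOMPurify replacement, and its output differs in one visible way: DOMPurify removes disallowed markup, whereas this stand-in escapes it to literal text. The `buildSafeHtml()` helper, the `tossup`/`bonus` record shapes, the stored records and the `onlyAllowedMarkup()` guard are all assumptions made for this example.

```javascript
// Added example: a strict stand-in for the DOMPurify.sanitize() wrapping the
// PR applies in client/admin/category-reports/index.jsx. Not the project's code.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'u'];

function escapeHtml(s) {
  // '&' must be escaped first so the entities produced below are not re-escaped.
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escape everything, then restore only the exact bare forms <tag> and </tag>
// of the allowlisted tags. A tag carrying attributes (<b onmouseover=...>) or
// an upper-case variant (<B>) stays escaped text.
function escapeThenAllow(html) {
  let out = escapeHtml(html);
  for (const tag of ALLOWED_TAGS) {
    out = out.split(`&lt;${tag}&gt;`).join(`<${tag}>`);
    out = out.split(`&lt;/${tag}&gt;`).join(`</${tag}>`);
  }
  return out;
}

// Mirrors the five __html values the PR wraps. Record shapes are assumed from
// the PR text; tossup.answer and bonus.answers[i] get the same `?? ''` default
// the PR adds so a missing field never reaches the sanitizer as undefined.
function buildSafeHtml(tossup, bonus) {
  return {
    question: escapeThenAllow(tossup.question),
    answer: escapeThenAllow(tossup.answer ?? ''),
    leadin: escapeThenAllow(bonus.leadin),
    parts: bonus.parts.map((part) => escapeThenAllow(part)),
    answers: bonus.parts.map((_, i) => escapeThenAllow(bonus.answers[i] ?? '')),
  };
}

// Regression guard: every '<' left in sanitized output must open or close one
// of the allowlisted bare tags. Anything else means markup survived.
function onlyAllowedMarkup(html) {
  const tagRe = /<\/?([a-z]+)>/g;
  for (let i = html.indexOf('<'); i !== -1; i = html.indexOf('<', i + 1)) {
    tagRe.lastIndex = i;
    const m = tagRe.exec(html);
    if (m === null || m.index !== i || !ALLOWED_TAGS.includes(m[1])) return false;
  }
  return true;
}

// Constructed records standing in for database content an admin might load:
// two stored-XSS payloads plus a missing tossup answer and bonus answer.
const STORED_TOSSUP = {
  question: 'Name this <b>element</b> with atomic number 79.'
    + '<script>alert(document.cookie)</script>',
  answer: undefined,
};
const STORED_BONUS = {
  leadin: 'For 10 points each: <em>chemistry</em>.',
  parts: ['<img src=x onerror="alert(1)"> Name this metal.', 'Name <i>this</i> metal.'],
  answers: ['<b>Au</b>'],
};

const SAFE = buildSafeHtml(STORED_TOSSUP, STORED_BONUS);
console.log(SAFE);
```

The `onlyAllowedMarkup()` guard is the kind of assertion worth keeping in a unit test for the component: it fails the moment any non-allowlisted tag or any attribute-bearing tag reaches a `__html` value, regardless of which sanitizer produced it.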
