wip #487


Draft: wants to merge 4 commits into main
Conversation

cyclotruc (Member)

No description provided.

function setAIButtonLoadingState(submitButton, isLoading) {
    if (!isLoading) {
        submitButton.disabled = false;
        // Line flagged by CodeQL: the attribute value reaches innerHTML unescaped
        submitButton.innerHTML = submitButton.getAttribute('data-original-content') || 'Ingest';

Check warning: Code scanning / CodeQL

DOM text reinterpreted as HTML (Medium): DOM text is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix (AI), about 18 hours ago

To fix the problem, we need to ensure that any value read from data-original-content and assigned to innerHTML is properly escaped so that it is interpreted as plain text, not HTML. The best way to do this is to use textContent instead of innerHTML when restoring the button's content, but only if the original content was plain text. However, if the original content may contain HTML (e.g., icons, formatting), we need to sanitize it before assigning it to innerHTML. For simplicity and safety, we can escape any meta-characters in the attribute value before assigning it to innerHTML. This can be done by creating a helper function that escapes HTML special characters (<, >, &, ", ') and using it when restoring the button's content.

Specifically, in setAIButtonLoadingState, on line 102, replace:

submitButton.innerHTML = submitButton.getAttribute('data-original-content') || 'Ingest';

with:

submitButton.innerHTML = escapeHTML(submitButton.getAttribute('data-original-content')) || 'Ingest';

and define the escapeHTML function in the same file.

Suggested changeset 1: src/static/js/utils_ai.js

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/src/static/js/utils_ai.js b/src/static/js/utils_ai.js
--- a/src/static/js/utils_ai.js
+++ b/src/static/js/utils_ai.js
@@ -2,2 +2,17 @@
 
+// Escape HTML special characters to prevent XSS
+function escapeHTML(str) {
+    if (!str) return '';
+    return str.replace(/[&<>"']/g, function (m) {
+        switch (m) {
+            case '&': return '&amp;';
+            case '<': return '&lt;';
+            case '>': return '&gt;';
+            case '"': return '&quot;';
+            case "'": return '&#39;';
+            default: return m;
+        }
+    });
+}
+
 // Copy functionality
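Review bot: the `default: return m;` branch in `escapeHTML` is unreachable, because the regex `/[&<>"']/g` only ever matches the five characters the preceding `case` labels already handle; a lookup object passed to `replace` (`return str.replace(/[&<>"']/g, m => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":'&#39;'})[m]);`) expresses the same mapping without dead code. The comment above the function should also say which context it is safe for: it makes a string safe for insertion as HTML element content, not for JavaScript or URL contexts.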
@@ -101,3 +116,3 @@
         submitButton.disabled = false;
-        submitButton.innerHTML = submitButton.getAttribute('data-original-content') || 'Ingest';
+        submitButton.innerHTML = escapeHTML(submitButton.getAttribute('data-original-content')) || 'Ingest';
         submitButton.classList.remove('bg-[#ffb14d]', 'opacity-75', 'cursor-not-allowed');
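Review bot: this change alters behaviour whenever `data-original-content` holds markup: after escaping, an icon or formatting stored there renders as literal `<svg>` or `<span>` text instead of elements, and the hunk does not show where the attribute is populated, so confirm it only ever carries the button's plain-text label. If it does, `submitButton.textContent = submitButton.getAttribute('data-original-content') || 'Ingest';` is the more robust fix, since textContent is never parsed as HTML and the alert is resolved without a custom escaper. If the attribute legitimately contains markup, escaping is the wrong fix: the button content should then be rebuilt from a fixed template rather than read back from a DOM attribute.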
EOF
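The three ways of restoring the button label that the alert and the autofix discuss, side by side, as an added example that is not code from the project or from the Copilot patch. It assumes nothing beyond the attribute name and fallback text shown in the diff; `FakeButton` is a constructed stand-in for an HTMLElement so the comparison runs under Node without a browser DOM.

```javascript
// Added example (not the project's code): compare the flagged restore, the
// autofix's escaped restore, and a textContent-based restore against a
// minimal stand-in for a button element so it runs under plain Node.

// Same escaping as the autofix patch, written as a lookup table so every
// matched character has an explicit replacement and there is no dead branch.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHTML(str) {
  if (str == null) return '';
  return String(str).replace(/[&<>"']/g, (m) => HTML_ESCAPES[m]);
}

// Constructed stand-in for an HTMLElement. It records which sink each restore
// function wrote to and the value that reached it; in a real browser innerHTML
// is parsed as markup while textContent is inserted verbatim as text.
class FakeButton {
  constructor(attributes) {
    this.attributes = attributes;
    this.disabled = true;
    this.writes = [];
  }
  getAttribute(name) {
    return Object.prototype.hasOwnProperty.call(this.attributes, name)
      ? this.attributes[name]
      : null;
  }
  set innerHTML(value) { this.writes.push({ sink: 'innerHTML', value }); }
  set textContent(value) { this.writes.push({ sink: 'textContent', value }); }
  lastWrite() { return this.writes[this.writes.length - 1]; }
}

// 1. The line CodeQL flagged: the attribute value flows unescaped into innerHTML,
//    so any markup it contains is parsed by the browser.
function restoreLabelUnsafe(button) {
  button.disabled = false;
  button.innerHTML = button.getAttribute('data-original-content') || 'Ingest';
}

// 2. The autofix: escape first, so markup in the attribute shows as literal text
//    (which also means an icon stored there would display as its <svg> source).
function restoreLabelEscaped(button) {
  button.disabled = false;
  button.innerHTML = escapeHTML(button.getAttribute('data-original-content')) || 'Ingest';
}

// 3. The simpler fix when the stored label is plain text: write to textContent,
//    which is never parsed as HTML, so no escaping routine is needed at all.
function restoreLabelAsText(button) {
  button.disabled = false;
  button.textContent = button.getAttribute('data-original-content') || 'Ingest';
}

// Run each variant against the same attribute value and report what reached the
// sink. Passing null models a button with no data-original-content attribute.
function compareRestores(originalContent) {
  const attrs = originalContent == null ? {} : { 'data-original-content': originalContent };
  const variants = {
    unsafe: restoreLabelUnsafe,
    escaped: restoreLabelEscaped,
    asText: restoreLabelAsText,
  };
  const results = {};
  for (const [name, restore] of Object.entries(variants)) {
    const button = new FakeButton(attrs);
    restore(button);
    results[name] = button.lastWrite();
  }
  return results;
}

// Constructed sample label containing every markup-significant character class.
console.log(JSON.stringify(compareRestores('<b>Ingest</b> & "go"'), null, 2));
console.log(JSON.stringify(compareRestores(null), null, 2));
```

The output makes the trade-off concrete: the unsafe and escaped variants both write to `innerHTML`, but only the escaped one turns `<b>` into `&lt;b&gt;`; the `textContent` variant passes the raw string through and is still safe, because that sink never parses its input. All three fall back to `Ingest` when the attribute is absent, so switching sinks does not change the existing null handling.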
2 participants