@ajnavarro (Contributor)

Fixes a stored cross-site scripting vulnerability where HTML entities in markdown headings could be exploited to execute JavaScript in the browser when rendered in the ToC.

Signed-off-by: Antonio Navarro Perez <[email protected]>
@Gno2D2 (Collaborator)

Gno2D2 commented Nov 27, 2025

🛠 PR Checks Summary

All Automated Checks passed. ✅


✅ Automated Checks (for Contributors):

🟢 Maintainers must be able to edit this pull request (more info)
🟢 Changes related to gnoweb must be reviewed by its codeowners

@ajnavarro ajnavarro merged commit 05af17c into gnolang:master Dec 1, 2025
107 checks passed
@ajnavarro ajnavarro deleted the fix/xss-vector branch December 1, 2025 16:07
Labels

🌍 gnoweb Issues & PRs related to gnoweb and render 📦 ⛰️ gno.land Issues or PRs gno.land package related