fix: validate type parameter against allow-list in showMessage (#83)
Adds allow-list validation for the 'type' parameter in showMessage() to prevent class injection vulnerabilities. The type is now checked against ['success', 'error'] before being passed to addClass(), with a safe fallback to 'error' for any unexpected values. Addresses review feedback from PR #47 (gemini-code-assist finding). Closes #76
@@ -147,17 +147,21 @@
|
|||||||
/**
|
/**
|
||||||
* Show a message in the modal
|
* Show a message in the modal
|
||||||
*
|
*
|
||||||
* @param {string} type Message type (success, error)
|
* @param {string} type Message type (success, error)
|
||||||
* @param {string} message Message text
|
* @param {string} message Message text
|
||||||
*/
|
*/
|
||||||
showMessage: function (type, message) {
|
showMessage: function (type, message) {
|
||||||
const $message = this.$modal.find( '.wpst-modal-message' );
|
const $message = this.$modal.find( '.wpst-modal-message' );
|
||||||
|
|
||||||
// Set message as plain text to prevent XSS, then apply type class.
|
// Validate type against allow-list to prevent class injection vulnerabilities.
|
||||||
$message.text( message ).removeClass( 'success error' ).addClass( type ).show();
|
const allowedTypes = [ 'success', 'error' ];
|
||||||
|
const safeType = allowedTypes.includes( type ) ? type : 'error';
|
||||||
|
|
||||||
|
// Set message as plain text to prevent XSS, then apply validated type class.
|
||||||
|
$message.text( message ).removeClass( 'success error' ).addClass( safeType ).show();
|
||||||
|
|
||||||
// Hide message after a delay for success messages.
|
// Hide message after a delay for success messages.
|
||||||
if (type === 'success') {
|
if (safeType === 'success') {
|
||||||
setTimeout(
|
setTimeout(
|
||||||
function () {
|
function () {
|
||||||
$message.fadeOut( 300 );
|
$message.fadeOut( 300 );
|
||||||
|
|||||||
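Review bot: The class list cleared by `removeClass( 'success error' )` on the new `$message.text( message )...` line duplicates `allowedTypes` by hand, so extending the allow-list later would leave a stale class on the element unless both places are edited; deriving it keeps them in step: `.removeClass( allowedTypes.join( ' ' ) )`. Since the list never changes, it could also live outside the function as a frozen constant (`Object.freeze( [ 'success', 'error' ] )`) rather than being rebuilt on every call. The JSDoc above still reads as if any string were accepted; it should state the fallback, e.g. `@param {string} type Message type ('success' or 'error'; any other value is treated as 'error')`. showMessage's closing lines are outside the hunk.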