fix(security): escape product name/category in admin vendor-detail ProductCard (stored XSS)#3304
Open
MdAsifHossainNadim wants to merge 1 commit into
Open
fix(security): escape product name/category in admin vendor-detail ProductCard (stored XSS)#3304MdAsifHossainNadim wants to merge 1 commit into
MdAsifHossainNadim wants to merge 1 commit into
Conversation
Contributor
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughProductCard.tsx now decodes and renders product name, category, and sold count as escaped JSX text instead of using ChangesProductCard XSS Fix
Estimated code review effort: 1 (Trivial) | ~5 minutes Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…oductCard (stored XSS) Render vendor-controlled product name/category as decoded, auto-escaped JSX text (decodeEntities + React escaping) instead of dangerouslySetInnerHTML, so HTML entities still display correctly while injected markup can no longer execute in the admin dashboard. Fixes finding L5 from the Dokan security audit (getdokan/plugin-internal-tasks#1994). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
e2fbd83 to
265f900
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
All Submissions:
Changes proposed in this Pull Request:
This PR fixes L5 from the Dokan security audit (getdokan/plugin-internal-tasks#1994): latent stored XSS: admin vendor-detail ProductCard renders product name/category via dangerouslySetInnerHTML (currently KSES-mitigated).
The problem
The admin vendor-detail ProductCard renders vendor-controlled product data via React's dangerouslySetInnerHTML instead of as escaped JSX text. product.name (lines 28-30) and product.category (lines 35-37) are strings from products a vendor fully controls; a name/category containing markup (e.g. an img tag with an onerror handler) is injected raw into the admin dashboard DOM = stored XSS in an admin context. product.sold (lines 42-45) also uses dangerouslySetInnerHTML with an @ts-ignore; numeric so not currently exploitable but the same unsafe pattern. Latent/KSES-mitigated because the REST payload may currently be sanitized server-side, but the client enforces no trust boundary of its own. React auto-escaping is the correct self-contained fix.
The fix
Removes dangerouslySetInnerHTML for product.name; React escapes the string, closing the stored-XSS vector while keeping 30-char truncation. Removes dangerouslySetInnerHTML for product.category; React escapes the string, keeping 20-char truncation. Removes the last dangerouslySetInnerHTML and its @ts-ignore; numeric sold renders as escaped JSX, eliminating the unsafe pattern from this component.
Implementation scope
How to test the changes in this Pull Request:
Security — the vulnerability is now closed.
Before (reproduces the issue on
develop):Attack blocked: as a vendor, create a product whose name is an img tag with an onerror alert and a category name containing a script tag, then as admin open the vendor-single detail page rendering ProductCard; confirm the literal text is shown and no script/onerror fires (pre-fix the payload executes).
After (this PR): the attack is rejected; the legitimate flow and admin access are unaffected.
Regression — verify each of these still holds:
Changelog entry
Title: Fix escape product name/category in admin vendor-detail ProductCard
Fixed a cross-site scripting security issue: latent stored XSS: admin vendor-detail ProductCard renders product name/category via dangerouslySetInnerHTML (currently KSES-mitigated).
Related Pull Request(s)
Security audit: getdokan/plugin-internal-tasks#1994 (finding(s) L5)
Closes getdokan/plugin-internal-tasks#2077
Summary by CodeRabbit
&in product details without exposing raw markup.