
Conversation

@romaricpascal
Member

The example was injecting the query parameters as HTML, which allowed for arbitrary JavaScript to be run (for example through an onerror attribute on an image).

As the value only needs displaying, the query parameter is now displayed using textContent, meaning HTML tags are escaped.
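The two render paths the description contrasts, as an added example that is not code from the accessible-autocomplete repository. It reads a `q` parameter (an assumed name) from a URL, echoes it once via `innerHTML` (the pattern the PR removes) and once via `textContent` (the fix), and uses a small stand-in element so it runs in Node without a browser; the stand-in models how a real element serialises a text node when you read `innerHTML` back, which is enough to show why the fix works.

```javascript
// Added example, not code from accessible-autocomplete. The `q` parameter name
// and the element stand-in are assumptions for the demonstration.

// Escape the characters that would be taken as markup inside an element's
// text. This is what a browser does when it serialises a text node; attribute
// context would additionally need quotes escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Read a query parameter the way page script would. URL and searchParams are
// standard globals in browsers and Node, and searchParams.get() decodes.
function getQueryParam(href, name) {
  return new URL(href).searchParams.get(name);
}

// VULNERABLE (the pattern the PR removes): the parameter is parsed as markup,
// so an <img> carrying an onerror attribute becomes a live element whose
// handler the browser executes.
function renderQueryUnsafe(element, query) {
  element.innerHTML = 'Results for ' + query;
}

// FIXED (what the PR does): the parameter becomes a text node. Angle brackets
// are data, not markup, so no element and no event handler is created.
function renderQuerySafe(element, query) {
  element.textContent = 'Results for ' + query;
}

// Minimal stand-in for a DOM element so this runs offline: assigning innerHTML
// stores the raw string, assigning textContent stores the escaped form. Reading
// innerHTML back from a real element after either assignment gives the same.
function makeElement() {
  const el = { markup: '' };
  Object.defineProperty(el, 'innerHTML', {
    get() { return el.markup; },
    set(v) { el.markup = String(v); },
  });
  Object.defineProperty(el, 'textContent', {
    set(v) { el.markup = escapeHtml(v); },
  });
  return el;
}

// Constructed sample URL whose query string carries an image tag with an
// event-handler attribute, the vector the PR description names.
const SAMPLE_HREF = 'https://example.test/search?q=' +
  encodeURIComponent('<img src="x" onerror="/* attacker script */">');

// Render the same parameter both ways and return what ends up in the page.
function demo(href) {
  const query = getQueryParam(href, 'q');
  const unsafe = makeElement();
  const safe = makeElement();
  renderQueryUnsafe(unsafe, query);
  renderQuerySafe(safe, query);
  return { unsafe: unsafe.innerHTML, safe: safe.innerHTML };
}

// Quick check when run directly: the unsafe path keeps a real <img> element,
// the safe path keeps only the text "&lt;img ...".
const result = demo(SAMPLE_HREF);
console.log('unsafe markup:', result.unsafe);
console.log('safe markup:  ', result.safe);
```

The important part is that no escaping function needs to be hand-written in the fixed page script: `textContent` alone is the mitigation, and `escapeHtml` here only exists so the stand-in element can show what a real browser would serialise.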

@netlify

netlify bot commented Nov 18, 2025

Deploy Preview for accessible-autocomplete ready!

Name               Link
Latest commit      0d315a2
Latest deploy log  https://app.netlify.com/projects/accessible-autocomplete/deploys/69249c2993caec0008b833e0
Deploy Preview     https://deploy-preview-780--accessible-autocomplete.netlify.app

Contributor

@domoscargin domoscargin left a comment


We should also change the form and form-single JS for completeness. They were flagged in the security review too.

The examples were injecting the query parameters as HTML,
which allowed for arbitrary JavaScript to be run (for example through
an `onerror` attribute on an image).

As the values in the query parameters only need displaying, the query parameter
is now displayed via text content.
@romaricpascal romaricpascal force-pushed the fix-html-injection-ajax-example branch from c72be5b to 0d315a2 on November 24, 2025 17:55
@romaricpascal
Member Author

@domoscargin Whoops, sorry for missing those. I've updated the PR.

Merging is currently blocked by CI not managing to run Chrome, though. Could merge the extra flags I suggested on the issue to unblock this (and other reviews) and log an issue to figure out how to remove them further down the line, maybe?


3 participants