Skip to content

Security: DOM XSS in server UI from untrusted transcript content#299

Open
tuanaiseo wants to merge 2 commits into
KoljaB:masterfrom
tuanaiseo:contribai/fix/security/dom-xss-in-server-ui-from-untrusted-tran
Open

Security: DOM XSS in server UI from untrusted transcript content#299
tuanaiseo wants to merge 2 commits into
KoljaB:masterfrom
tuanaiseo:contribai/fix/security/dom-xss-in-server-ui-from-untrusted-tran

Conversation

@tuanaiseo

Copy link
Copy Markdown

Problem

The web UI writes message.text directly into innerHTML for both realtime and full sentence updates. Since this data comes from a WebSocket channel, any attacker-controlled message can inject script/HTML into the page.

Severity: high
File: RealtimeSTT_server/index.html

Solution

Replace innerHTML writes with textContent and explicit element creation. For highlighting, split and append safe text nodes/spans instead of string-based HTML templating.

Changes

  • RealtimeSTT_server/index.html (modified)
  • example_browserclient/client.js (modified)

Testing

  • Existing tests pass
  • Manual review completed
  • No new warnings/errors introduced

The web UI writes `message.text` directly into `innerHTML` for both realtime and full sentence updates. Since this data comes from a WebSocket channel, any attacker-controlled message can inject script/HTML into the page.

Affected files: index.html, client.js

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
The web UI writes `message.text` directly into `innerHTML` for both realtime and full sentence updates. Since this data comes from a WebSocket channel, any attacker-controlled message can inject script/HTML into the page.

Affected files: index.html, client.js

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant