Description
Summary
A potential Cross-Site Scripting (XSS) vulnerability has been detected in the cloneInputValue function, where DOM text is reinterpreted as HTML using innerHTML.
Details
During a CodeQL scan, the following warning was raised:
Reinterpreting text from the DOM as HTML can lead to a cross-site scripting vulnerability.
The issue originates from this part of the code:
function cloneInputValue(nativeNode, clonedNode) {
  // isInstanceOfElement is the library's own helper; the textarea value
  // is assigned to innerHTML and therefore parsed as markup.
  if (isInstanceOfElement(nativeNode, HTMLTextAreaElement)) {
    clonedNode.innerHTML = nativeNode.value; // ⚠️ Vulnerable to XSS
  }
  if (isInstanceOfElement(nativeNode, HTMLInputElement)) {
    clonedNode.setAttribute('value', nativeNode.value);
  }
}
The innerHTML assignment on clonedNode can lead to HTML injection if nativeNode.value contains untrusted or unsafe user input, especially characters like <, >, or JavaScript event attributes.
Risk
- This vulnerability could allow an attacker to inject malicious scripts through a <textarea> field, which would then be executed when the cloned DOM is rendered.
- This can be especially dangerous in export, preview, or rendering contexts where the DOM is serialized or displayed directly.
Recommended Fix
Instead of assigning to innerHTML, consider using a safe alternative:
clonedNode.textContent = nativeNode.value;
Using textContent ensures that the value is inserted as raw text, not parsed as HTML, thus mitigating the risk of script injection.
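The flagged function beside its textContent-based fix, as an added example that is not the project's code. It runs in Node.js against a minimal element stand-in (StubElement, an assumption modelling only the innerHTML/textContent behaviour used here); the tagName checks stand in for the page's isInstanceOfElement helper, and the clone target is a generic element so the markup-versus-text difference in the serialized result is visible.

```javascript
// HTML fragment serialization of a text node: & < > and NBSP are escaped,
// which is why a textContent assignment survives serialization as plain text.
function escapeText(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/\u00a0/g, '&nbsp;');
}

// Stand-in element for environments without a DOM (assumption, demo only).
class StubElement {
  constructor(tagName) { this.tagName = tagName.toUpperCase(); this.attributes = {}; this.markup = ''; }
  setAttribute(name, value) { this.attributes[name] = String(value); }
  set innerHTML(html) { this.markup = String(html); }       // string parsed as markup, kept verbatim
  set textContent(text) { this.markup = escapeText(text); } // string stored as a text node
  get innerHTML() { return this.markup; }                    // what serialization emits
}

function createElement(tagName) {
  return typeof document !== 'undefined' ? document.createElement(tagName) : new StubElement(tagName);
}

// Flagged version: the textarea value is reinterpreted as HTML.
function cloneInputValueUnsafe(nativeNode, clonedNode) {
  if (nativeNode.tagName === 'TEXTAREA') clonedNode.innerHTML = nativeNode.value;
  if (nativeNode.tagName === 'INPUT') clonedNode.setAttribute('value', nativeNode.value);
}

// Hardened version: the value becomes a text node and is never parsed.
function cloneInputValueSafe(nativeNode, clonedNode) {
  if (nativeNode.tagName === 'TEXTAREA') clonedNode.textContent = nativeNode.value;
  if (nativeNode.tagName === 'INPUT') clonedNode.setAttribute('value', nativeNode.value);
}

// Clone a textarea holding `value` with the given strategy and return the
// serialized clone, i.e. what an export or preview step would render.
function serializeTextareaClone(value, cloneFn) {
  const native = { tagName: 'TEXTAREA', value }; // constructed stand-in for the live element
  const clone = createElement('div');            // generic clone target for the demo
  cloneFn(native, clone);
  return clone.innerHTML;
}

// Constructed sample: harmless markup characters a user could type.
const SAMPLE_VALUE = '<b>hi</b> & co';
console.log(serializeTextareaClone(SAMPLE_VALUE, cloneInputValueUnsafe)); // <b>hi</b> & co
console.log(serializeTextareaClone(SAMPLE_VALUE, cloneInputValueSafe));   // &lt;b&gt;hi&lt;/b&gt; &amp; co
```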
References
MDN: Element.innerHTML - Security concerns
CodeQL Query Help - DOM reinterpreted as HTML