Sanitize user input by replacing innerHTML with textContent to prevent XSS in message username and content rendering.

[zeropath-ai]

Summary

• The Vulnerability Description:
  The code set the innerHTML property of HTML elements directly to user-supplied data (message.user.username), which allowed attackers to inject and execute malicious scripts (XSS) if they included HTML or JavaScript in their username.

• This Fix:
  The patch replaces all assignments of user-supplied data to innerHTML with textContent, ensuring that any special characters in the username or message content are treated as plain text rather than executable code.

• The Cause of the Issue:
  The root cause was unsanitized user input being rendered into the DOM via innerHTML, which interprets the input as HTML and can run embedded scripts.

• The Patch Implementation:
  The patch updates the relevant lines to use textContent instead of innerHTML, which escapes HTML and JavaScript, preventing code injection and eliminating the XSS vulnerability.

Vulnerability Details

• Vulnerability Class: Cross Site Scripting (XSS)
• Severity: 10.0
• Affected File: owasp-top10-2021-apps/a3/streaming/app/frontend/src/app/lives/play/play.component.ts
• Vulnerable Lines: 107-107

Code Snippets

diff --git a/owasp-top10-2021-apps/a3/streaming/app/frontend/src/app/lives/play/play.component.ts b/owasp-top10-2021-apps/a3/streaming/app/frontend/src/app/lives/play/play.component.ts
index d2b0a7ee..d14ba6e9 100644
--- a/owasp-top10-2021-apps/a3/streaming/app/frontend/src/app/lives/play/play.component.ts
+++ b/owasp-top10-2021-apps/a3/streaming/app/frontend/src/app/lives/play/play.component.ts
@@ -104,7 +104,7 @@ export class PlayComponent implements OnInit {
 
     let usernameUserMessage = document.createElement("b");
     usernameUserMessage.className = "user-message";
-    usernameUserMessage.innerHTML = message.user.username;
+    usernameUserMessage.textContent = message.user.username;
 
     labelUserMessage.appendChild(usernameUserMessage);
 
@@ -120,7 +120,7 @@ export class PlayComponent implements OnInit {
 
     newMessageBox.appendChild(labelUserMessage);
 
-    contentMessage.innerHTML = message.content;
+    contentMessage.textContent = message.content;
     newMessageBox.appendChild(contentMessage);
 
     return newMessageBox;

How to Modify the Patch

You can modify this patch by using one of the two methods outlined below. We recommend using the @zeropath-ai bot for updating the code. If you encounter any bugs or issues with the patch, please report them here.

Ask @zeropath-ai!

To request modifications, please post a comment beginning with @zeropath-ai and specify the changes required.

@zeropath-ai will then implement the requested adjustments and commit them to the specified branch in this pull request. Our bot is capable of managing changes across multiple files and various development-related requests.

Manually Modify the Files

# Checkout created branch:
git checkout zvuln_fix_cross_site_scripting_xss_1751928060314614

# if vscode is installed run (or use your favorite editor / IDE):
code owasp-top10-2021-apps/a3/streaming/app/frontend/src/app/lives/play/play.component.ts

# Add, commit, and push changes:
git add -A
git commit -m "Update generated patch with x, y, and z changes."
git push zvuln_fix_cross_site_scripting_xss_1751928060314614