Impact
The renderPairingPage() function embeds the error parameter directly into HTML without escaping:
const errorHtml = error ? `<p style="color:#e74c3c">${error}</p>` : "";All current call sites pass hardcoded strings, so this is not exploitable today. However, the function is architecturally fragile — if a future code change passes user-controlled or dynamic content into the error parameter, it would create an XSS vulnerability.
The renderAuthorizePage() function in the same file correctly uses escapeHtml() for dynamic content, making this an inconsistency.
Affected code:
packages/server/src/index.ts:64-89 — renderPairingPage() with unescaped error interpolation- Compare:
packages/server/src/index.ts:130 — renderAuthorizePage() correctly uses escapeHtml()
Patches
Not yet patched.
Fix: Apply escapeHtml() to the error parameter:
const errorHtml = error ? `<p style="color:#e74c3c">${escapeHtml(error)}</p>` : "";Workarounds
No workaround needed — all current callers pass hardcoded strings.
References
- CWE-79: Improper Neutralization of Input During Web Page Generation
- File:
packages/server/src/index.ts
Impact
The
renderPairingPage()function embeds theerrorparameter directly into HTML without escaping:All current call sites pass hardcoded strings, so this is not exploitable today. However, the function is architecturally fragile — if a future code change passes user-controlled or dynamic content into the error parameter, it would create an XSS vulnerability.
The
renderAuthorizePage()function in the same file correctly usesescapeHtml()for dynamic content, making this an inconsistency.Affected code:
packages/server/src/index.ts:64-89—renderPairingPage()with unescaped error interpolationpackages/server/src/index.ts:130—renderAuthorizePage()correctly usesescapeHtml()Patches
Not yet patched.
Fix: Apply
escapeHtml()to the error parameter:Workarounds
No workaround needed — all current callers pass hardcoded strings.
References
packages/server/src/index.ts