
fix(core/data-abbr): DOM text reinterpreted as HTML#5196

Merged
marcoscaceres merged 3 commits into
mainfrom
alert-autofix-56
Apr 17, 2026

Conversation

@marcoscaceres

Contributor

Potential fix for https://github.com/speced/respec/security/code-scanning/5

Use DOM APIs to construct nodes and set text/attributes directly instead of insertAdjacentHTML. This preserves existing behavior while preventing HTML reinterpretation.

Best fix in src/core/data-abbr.js:

  • In processDfnElement, replace the insertAdjacentHTML call (lines 33–36 region) with:
    • document.createTextNode(" (")
    • document.createElement("abbr")
    • set abbrElem.title = fullForm
    • set abbrElem.textContent = abbr
    • document.createTextNode(")")
    • insert these nodes after dfn in order.
  • This removes the HTML sink entirely and addresses both variants, including taint from generateAbbreviation/elem.textContent.

No new imports or dependencies are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
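Added example, not ReSpec's code: the string-building pattern the alert describes, placed beside a DOM-construction version in the shape the description above outlines, plus the two checks a reviewer would run on each. The buildAbbrHtml function is a reconstruction of the vulnerable pattern, not the original source of processDfnElement; appendAbbr, fakeDocument, demo and the payload strings are constructed here. In a browser, appendAbbr works against the real document; under Node the block falls back to a minimal recording stand-in so the same checks can run.

```javascript
// Added example (not ReSpec's code). Shows why an HTML string sink
// reinterprets <dfn> text / data-abbr as markup, and the DOM-API
// construction that avoids the sink entirely.

// Constructed payloads: a full form with quotes and an abbreviation that
// is itself markup. An author writing "AT&T" or quoting a term hits the
// same code paths as an attacker supplying a tag.
const FULL_FORM = 'Hypertext "Transfer" Protocol';
const ABBR = '<img src=x onerror=alert(1)>';

// BEFORE (reconstruction of the vulnerable pattern, not the original
// source): the markup is assembled by concatenation and would be passed
// to insertAdjacentHTML("afterend", ...). Everything in fullForm and
// abbr is handed to the HTML parser.
function buildAbbrHtml(fullForm, abbr) {
  return ` (<abbr title="${fullForm}">${abbr}</abbr>)`;
}

// Reviewer check for the string path: count opening tags. With a benign
// abbreviation there is exactly one (<abbr>); with the payload above the
// abbreviation has become a second element.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// AFTER: build nodes with DOM APIs and set text/attributes directly.
// `doc` is window.document in a browser; taking it as a parameter lets
// the function be driven by a stand-in under Node.
function appendAbbr(doc, dfn, fullForm, abbr) {
  const abbrElem = doc.createElement("abbr");
  abbrElem.title = fullForm;   // stored as an attribute value, never parsed
  abbrElem.textContent = abbr; // stored as a text node, never parsed
  dfn.after(doc.createTextNode(" ("), abbrElem, doc.createTextNode(")"));
  return abbrElem;
}

// Minimal stand-in for the document factory, used only when no real
// document exists (Node). It records exactly what was set; nothing
// resembling an HTML parser is involved.
function fakeDocument() {
  return {
    createElement: (tag) => ({ tagName: tag.toUpperCase(), title: "", textContent: "" }),
    createTextNode: (data) => ({ nodeType: 3, data }),
  };
}

// Runs both paths on the constructed payloads and reports what each one
// produced. `dfn` is a stand-in that captures the nodes passed to after().
function demo(doc = typeof document !== "undefined" ? document : fakeDocument()) {
  const inserted = [];
  const dfn = { after: (...nodes) => inserted.push(...nodes) };
  const before = buildAbbrHtml(FULL_FORM, ABBR);
  const abbrElem = appendAbbr(doc, dfn, FULL_FORM, ABBR);
  return {
    before,                              // the string the old sink would parse
    beforeTagCount: countTags(before),   // 2: <abbr> plus the injected <img>
    titleBrokenOut: before.includes('title="Hypertext "'), // quote ends the attribute early
    title: abbrElem.title,               // full form kept verbatim
    text: abbrElem.textContent,          // abbreviation kept verbatim
    insertedCount: inserted.length,      // " (", <abbr>, ")"
  };
}
```

Running demo() in a browser console exercises the real DOM: the <abbr> created by appendAbbr carries the literal payload as its text and the quoted full form as its title, while the string from buildAbbrHtml shows the truncated attribute and the extra tag that insertAdjacentHTML would have materialised.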

@marcoscaceres

Contributor Author

@copilot see the CI error about the commit message. Can you fix that please?

Copilot AI commented Apr 14, 2026

Contributor

@copilot see the CI error about the commit message. Can you fix that please?

Fixed in 8dc77e0. Updated the commit message to follow the conventional commits format: fix(core/data-abbr): prevent DOM text reinterpreted as HTML. Also simplified the code by removing the redundant openParen/closeParen text node variables.

@marcoscaceres marcoscaceres changed the title Potential fix for code scanning alert no. 5: DOM text reinterpreted as HTML fix: code scanning alert no. 5: DOM text reinterpreted as HTML Apr 14, 2026
@marcoscaceres marcoscaceres changed the title fix: code scanning alert no. 5: DOM text reinterpreted as HTML fix: DOM text reinterpreted as HTML Apr 14, 2026
@marcoscaceres marcoscaceres marked this pull request as ready for review April 15, 2026 09:02

Copilot AI left a comment

Contributor


Pull request overview

This PR addresses a security finding where DOM text could be reinterpreted as HTML by removing an insertAdjacentHTML sink and constructing the <abbr> node using safe DOM APIs in core/data-abbr.

Changes:

  • Replace insertAdjacentHTML usage in processDfnElement() with createElement + property assignment (title, textContent) and adjacent text insertion for parentheses.
  • Add a regression test ensuring HTML-special characters in <dfn> text and data-abbr are preserved correctly (no HTML reinterpretation).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
src/core/data-abbr.js Removes HTML string insertion and builds the <abbr> + surrounding text nodes via DOM APIs to prevent HTML reinterpretation.
tests/spec/core/data-abbr-spec.js Adds coverage for special characters in <dfn> text and data-abbr to validate the safer DOM construction behavior.


@sidvishnoi sidvishnoi changed the title fix: DOM text reinterpreted as HTML fix(core/data-abbr): DOM text reinterpreted as HTML Apr 17, 2026
@marcoscaceres

Contributor Author

@copilot Can you rebase, lint, and prettier this?


Verify that dfn text containing ampersands and quotes is safely
handled via DOM construction.

Replace insertAdjacentHTML with DOM construction (dfn.after()) in
processDfnElement to safely handle untrusted text without HTML sink.

Addresses code scanning alert: DOM text reinterpreted as HTML.

Co-authored-by: marcoscaceres <870154+marcoscaceres@users.noreply.github.com>

Copilot AI commented Apr 17, 2026

Contributor

@copilot Can you rebase, lint, and prettier this?

Done in ef9e43d. Rebased onto current main (squashed to 2 clean commits), ran eslint (no errors), and ran prettier --check (no formatting issues).

@marcoscaceres marcoscaceres enabled auto-merge (squash) April 17, 2026 19:29
@marcoscaceres marcoscaceres merged commit 76a6ee9 into main Apr 17, 2026
9 checks passed
@marcoscaceres marcoscaceres deleted the alert-autofix-56 branch April 17, 2026 19:49


4 participants