Skip to content

Potential fix for code scanning alert no. 5: DOM text reinterpreted as HTML#61

Draft
LaxentaInc wants to merge 1 commit into
mainfrom
alert-autofix-5
Draft

Potential fix for code scanning alert no. 5: DOM text reinterpreted as HTML#61
LaxentaInc wants to merge 1 commit into
mainfrom
alert-autofix-5

Conversation

@LaxentaInc

Copy link
Copy Markdown
Member

Potential fix for https://github.com/Colorwall/Colorwall-Site/security/code-scanning/5

General fix: avoid permissive string-prefix checks and instead perform strict URL/scheme validation at render time (or, better, store only trusted object URLs generated by your code). Since this component creates previews from local files, the safest no-functional-change fix is to allow only blob: and (optionally) constrained image data: URLs, and reject everything else.

Best single fix in this file:

  • In src/app/components/FeedbackCards.tsx, replace the inline src ternary on line 390 with a helper function call.
  • Add a local helper function (inside the component scope) like getSafeImagePreviewSrc(src: string): string that:
    • returns '' unless src is a string,
    • allows blob: URLs,
    • allows only data:image/...;base64,... URLs via regex,
    • blocks http/https and other schemes for previews (not needed for local upload previews).
      This preserves current behavior for uploaded previews and removes weak scheme checks.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…s HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@vercel

vercel Bot commented Jun 26, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
colorwall-site Ready Ready Preview, Comment Jun 26, 2026 5:43pm

<div key={i} className="relative w-16 h-16 rounded border border-[#30363d] overflow-hidden group">
{/* CodeQL fix: sanitize image src */}
<img src={typeof src === 'string' && (src.startsWith('blob:') || src.startsWith('data:') || src.startsWith('http')) ? src : ''} alt="" className="w-full h-full object-cover" />
<img src={getSafeImagePreviewSrc(src)} alt="" className="w-full h-full object-cover" />
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants