[Codex] fix(security): sanitize SVG icons before ValueDisplay injection by Micsi · Pull Request #556 · abeggled/openbridgeserver

Micsi · 2026-05-26T07:08:37Z

The ValueDisplay widget began rendering imported SVG icon markup with v-html, creating a stored XSS sink when the icons API returns raw uploaded SVG.
The intent is to eliminate the XSS vector while preserving the existing widget behavior and icon selection UI by sanitizing icons before they reach v-html.

Replaced the previous normalizeSvg approach with a sanitizeSvg implementation in frontend/src/composables/useIcons.ts that parses the SVG via DOMParser and returns a cleaned root SVG string.
The sanitizer removes executable/HTML-capable elements (script, foreignObject), strips inline event-handler attributes (on*), and removes javascript: payloads from href/xlink:href attributes.
The sanitizer also removes fixed width/height attributes to preserve the original CSS-controlled sizing behavior, and the icon cache now stores sanitized output via svgCache[icon.name] = sanitizeSvg(icon.content).
No changes were made to widget templates or the icons upload/list API in this patch; sanitization is applied client-side at the composable layer before any v-html usage.

Ran type checking with npm --prefix frontend run typecheck (which runs vue-tsc --noEmit) and it completed successfully.

fix(security): sanitize SVG icons before ValueDisplay render

2f04014

Micsi requested a review from abeggled May 26, 2026 07:08

Micsi added the Security Security-related changes label May 26, 2026

Micsi self-assigned this May 26, 2026

Micsi mentioned this pull request May 26, 2026

fix(security): sanitize SVG icons before ValueDisplay injection Micsi/openbridgeserver#43

Open

docs(release): note SVG XSS fix in release notes

17171de

Provide feedback