Security: stored XSS via social group discussion thread title #8595
Merged
Render the discussion thread title as auto-escaped text instead of raw v-html in usergroup/GroupDiscussions.vue. A thread title is plain text and needs no markup, so escaping it closes the stored-XSS sink where an attacker-supplied title executed in every group member's browser on page load. Refs GHSA-9mpp-78g5-c22m Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Problem
The discussion thread title in a social group was rendered as raw HTML (`v-html="discussion.title"`) in `usergroup/GroupDiscussions.vue`. Any group member (a regular student account suffices) could create a thread whose title contained an XSS payload that executed in every group member's browser — including teachers/admins sharing the group — on page load, with no victim interaction.
Fix
Render the thread title as auto-escaped text (`{{ discussion.title }}`) instead of `v-html`. A discussion title is plain text and carries no legitimate markup, so escaping it fully neutralizes the sink while preserving the displayed title.
Invariant now enforced
Group discussion titles can no longer inject markup or script into the group page; they are always displayed as inert text.
OWASP control
A03:2021 – Injection (Stored Cross-Site Scripting).
Refs GHSA-9mpp-78g5-c22m
🤖 Generated with Claude Code