Fix CSS injection via unvalidated color property in modal by Copilot · Pull Request #102 · numbersprotocol/capture-eye

Copilot · 2026-04-06T14:13:21Z

The color attribute was passed directly to this.style.setProperty('--primary-color', this._color) without validation, allowing CSS injection via payloads like red; --injected: value that could hide UI elements or enable phishing overlays.

Changes

src/modal/modal.ts
- Added isValidColor() using CSS.supports('color', value) — leverages the browser's native CSS parser to accept all valid CSS colors and reject injection payloads without maintaining regex lists
- Refactored updateModalColor() to clear both --primary-color and --hover-color upfront, then gate both setProperty calls behind isValidColor() — ensuring no CSS variable is ever set from unvalidated input

// Before: primary color set before any validation
private updateModalColor() {
  this.style.setProperty('--primary-color', this._color); // ← injected unconditionally
  // ...validation only guarded hover color below
}

// After: validate first, set nothing on failure
private isValidColor(color: string): boolean {
  return CSS.supports('color', color.trim());
}

private updateModalColor() {
  this.style.setProperty('--primary-color', '');
  this.style.setProperty('--hover-color', '');
  if (!this._color || !this.isValidColor(this._color)) return;
  this.style.setProperty('--primary-color', this._color);
  // ...hover color calc unchanged
}

src/test/modal_test.ts: Added tests covering valid hex, short hex, named colors, semicolon injection, arbitrary strings, and empty-color reset.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

api.openweathermap.org
- Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/.npm/_npx/60193c364be7f30b/node_modules/.bin/wtr (dns block)
example.com
- Triggering command: /home/REDACTED/.cache/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-linux64/chrome-headless-shell /home/REDACTED/.cache/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-linux64/chrome-headless-shell --disable-field-trial-config --disable-REDACTED-networking --disable-REDACTED-timer-throttling --disable-REDACTEDing-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-REDACTED-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Transl github.com (dns block)
- Triggering command: /home/REDACTED/.cache/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-linux64/chrome-headless-shell /home/REDACTED/.cache/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-linux64/chrome-headless-shell --disable-field-trial-config --disable-REDACTED-networking --disable-REDACTED-timer-throttling --disable-REDACTEDing-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-REDACTED-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Transl (dns block)
static-cdn.numbersprotocol.io
- Triggering command: /home/REDACTED/.cache/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-linux64/chrome-headless-shell /home/REDACTED/.cache/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-linux64/chrome-headless-shell --disable-field-trial-config --disable-REDACTED-networking --disable-REDACTED-timer-throttling --disable-REDACTEDing-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-REDACTED-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Transl github.com (dns block)
- Triggering command: /home/REDACTED/.cache/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-linux64/chrome-headless-shell /home/REDACTED/.cache/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-linux64/chrome-headless-shell --disable-field-trial-config --disable-REDACTED-networking --disable-REDACTED-timer-throttling --disable-REDACTEDing-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-REDACTED-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Transl (dns block)
via.placeholder.com
- Triggering command: /home/REDACTED/.cache/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-linux64/chrome-headless-shell /home/REDACTED/.cache/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-linux64/chrome-headless-shell --disable-field-trial-config --disable-REDACTED-networking --disable-REDACTED-timer-throttling --disable-REDACTEDing-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-REDACTED-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Transl github.com (dns block)
- Triggering command: /home/REDACTED/.cache/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-linux64/chrome-headless-shell /home/REDACTED/.cache/ms-playwright/chromium_headless_shell-1208/chrome-headless-shell-linux64/chrome-headless-shell --disable-field-trial-config --disable-REDACTED-networking --disable-REDACTED-timer-throttling --disable-REDACTEDing-occluded-windows --disable-back-forward-cache --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-REDACTED-pages --disable-component-update --no-default-browser-check --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-features=AvoidUnnecessaryBeforeUnloadCheckSync,BoundaryEventDispatchTracksNodeRemoval,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,LensOverlay,MediaRouter,PaintHolding,ThirdPartyStoragePartitioning,Transl (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Agent-Logs-Url: https://github.com/numbersprotocol/capture-eye/sessions/4e9e0041-158a-4d32-88c8-a3fab26600f5 Co-authored-by: numbers-official <181934381+numbers-official@users.noreply.github.com>

Initial plan

65d7b2f

Copilot AI assigned Copilot and numbers-official Apr 6, 2026

Copilot AI linked an issue Apr 6, 2026 that may be closed by this pull request

[Security][High] CSS injection via unvalidated color property in modal component #101

Closed

Copilot started work on behalf of numbers-official April 6, 2026 14:13 View session

Fix CSS injection via unvalidated color property in modal component

8d4c3c3

Agent-Logs-Url: https://github.com/numbersprotocol/capture-eye/sessions/4e9e0041-158a-4d32-88c8-a3fab26600f5 Co-authored-by: numbers-official <181934381+numbers-official@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] Fix CSS injection via unvalidated color property in modal component~~ Fix CSS injection via unvalidated color property in modal Apr 6, 2026

Copilot AI requested a review from numbers-official April 6, 2026 14:19

Copilot finished work on behalf of numbers-official April 6, 2026 14:19

olgahaha marked this pull request as ready for review April 16, 2026 07:48

olgahaha merged commit b506c2e into main Apr 16, 2026
7 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix CSS injection via unvalidated color property in modal#102

Fix CSS injection via unvalidated color property in modal#102
olgahaha merged 2 commits intomainfrom
copilot/fix-css-injection-vulnerability

Copilot AI commented Apr 6, 2026 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

Copilot AI commented Apr 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Copilot AI commented Apr 6, 2026 •

edited

Loading