fix: escape f.url and f.type in renderFinding to prevent XSS

2026-06-21 18:53:06 +02:00
parent e3d483422d
commit 47bd93597d
1 changed files with 2 additions and 2 deletions
@@ -20,9 +20,9 @@ function renderFinding(f) {
  el.innerHTML = `
    <div class="finding-header">
      <span class="badge badge-${f.severity}">${f.severity}</span>
-      <span class="finding-type">${f.type.replace(/_/g, ' ')}</span>
+      <span class="finding-type">${escapeHtml(f.type).replace(/_/g, ' ')}</span>
    </div>
-    <div class="finding-url">${f.url}</div>
+    <div class="finding-url">${escapeHtml(f.url)}</div>
    <div class="finding-evidence">${escapeHtml(f.evidence)}</div>
  `;
  el.addEventListener('click', () => el.classList.toggle('open'));