Skip to content

Harden highlightSearch against stored XSS and remove unsafe HTML rendering in rule builders#287

Draft
jeroenrinzema with Copilot wants to merge 3 commits into
mainfrom
copilot/fix-stored-xss-vulnerability
Draft

Harden highlightSearch against stored XSS and remove unsafe HTML rendering in rule builders#287
jeroenrinzema with Copilot wants to merge 3 commits into
mainfrom
copilot/fix-stored-xss-vulnerability

Conversation

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

highlightSearch() previously returned HTML strings that were injected via dangerouslySetInnerHTML, allowing attacker-controlled event/path names to render as executable markup in staff console rule builders. This change moves highlighting to safe React node composition and removes raw HTML injection at all affected render sites.

  • Safe highlight rendering

    • Refactors highlightSearch(text, search, matchClassName?) to return React.ReactNode.
    • Replaces string HTML substitution with split-based rendering and explicit <strong> elements.
    • Ensures untrusted input is rendered as text, not interpreted as HTML.
  • Rule builder call-site migration

    • Updates all affected renderers to consume highlightSearch(...) directly (no dangerouslySetInnerHTML):
      • RuleEventName.tsx
      • RuleOrganizationEventName.tsx
      • FilterRuleEdit.tsx
      • MemberConditionEdit.tsx
      • JourneyRuleEdit.tsx
  • Focused regression coverage

    • Adds ui-utils.test.tsx to verify:
      • repeated match highlighting
      • safe handling of HTML-like payloads (no injected DOM nodes)
      • passthrough behavior when search is empty
export const highlightSearch = (
  text: string,
  search: string,
  matchClassName = "match",
): ReactNode => {
  if (!text || !search) return text ?? ""

  const parts = text.split(search)
  if (parts.length === 1) return text

  return parts.flatMap((part, index) =>
    index < parts.length - 1
      ? [part, <strong key={`${matchClassName}-${index}`} className={matchClassName}>{search}</strong>]
      : [part],
  )
}

Copilot AI changed the title [WIP] Fix stored XSS vulnerability in highlightSearch function Harden highlightSearch against stored XSS and remove unsafe HTML rendering in rule builders Jul 14, 2026
Copilot AI requested a review from jeroenrinzema July 14, 2026 09:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Stored XSS vulnerability in highlightSearch() function

2 participants