From 0b2254cb81b2703c3b92ee2e617eaff79c7155c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tr=E1=BA=A7n=20B=C3=A1ch?=
<45133811+barttran2k@users.noreply.github.com>
Date: Tue, 7 Apr 2026 14:10:23 +0700
Subject: [PATCH] fix(security): cross-site scripting (xss) via unsanitized
markdown
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The fetched Markdown content from GitHub is parsed by `marked.parse()` and directly assigned to `innerHTML` without any sanitization (e.g., DOMPurify). The `marked` library does not sanitize embedded HTML in Markdown by default. An attacker who can modify the README.md (e.g., via a malicious pull request) could inject arbitrary HTML such as `
` which would execute JavaScript in visitors' browsers.
Affected files: index.html
Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com>
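The before/after that the commit message describes, written out as an added example (this is not the project's index.html and none of it comes from the patch). It assumes `marked` and `DOMPurify` are loaded from a CDN, and the `#readme` element, the `README_URL` placeholder, the CDN paths and the DOMPurify configuration are all my assumptions, not anything the page states:

```html
<!-- Added example, not the project's index.html: the unsafe sink and a hardened replacement. -->
<!-- Assumptions: marked and DOMPurify come from a CDN (pin versions and add real integrity
     hashes before shipping); README_URL and the #readme element are placeholders. -->
<div id="readme"></div>

<script src="https://cdn.jsdelivr.net/npm/marked/marked.min.js"
        crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/dompurify/dist/purify.min.js"
        crossorigin="anonymous"></script>
<script>
  // Hypothetical raw README URL; the real page's URL is not part of this example.
  const README_URL = "https://raw.githubusercontent.com/OWNER/REPO/main/README.md";

  // BEFORE (the pattern the commit message describes): Markdown -> HTML -> innerHTML.
  // marked passes raw HTML embedded in the Markdown through untouched, so a README that
  // contains <script> or <img onerror=...> runs in every visitor's browser.
  function renderUnsafe(el, markdown) {
    el.innerHTML = marked.parse(markdown);
  }

  // AFTER: same pipeline, but the HTML string is sanitized right before the sink.
  // The allowlist is the HTML profile only (no SVG/MathML vectors) minus a few
  // tags and attributes a README never needs.
  const PURIFY_CONFIG = {
    USE_PROFILES: { html: true },
    FORBID_TAGS: ["style", "form", "input", "iframe", "object", "embed"],
    FORBID_ATTR: ["style"],
    ALLOW_DATA_ATTR: false,
  };

  // README links point off-site: force rel/target so the opened page cannot
  // reach back into this one through window.opener.
  DOMPurify.addHook("afterSanitizeAttributes", (node) => {
    if (node.tagName === "A" && node.hasAttribute("href")) {
      node.setAttribute("target", "_blank");
      node.setAttribute("rel", "noopener noreferrer");
    }
  });

  function renderSafe(el, markdown) {
    const html = marked.parse(markdown);
    el.innerHTML = DOMPurify.sanitize(html, PURIFY_CONFIG);
  }

  // Constructed sample of what a malicious README edit could carry.
  // The closing script tag is split so it does not terminate this <script> element.
  const SAMPLE = [
    "# Hello",
    "<img src=x onerror=\"alert(document.cookie)\">",
    "<script>alert(1)</scr" + "ipt>",
    "[docs](javascript:alert(2))",
  ].join("\n");

  fetch(README_URL)
    .then((r) => r.text())
    .catch(() => SAMPLE) // offline: fall back to the constructed sample
    .then((md) => renderSafe(document.getElementById("readme"), md));
</script>
```

Two points worth keeping in mind when applying this: sanitize the rendered HTML string immediately before it reaches `innerHTML`, not the Markdown source, because Markdown has its own ways of producing HTML that a pre-parse filter will miss; and treat DOMPurify as a second layer rather than the only one, with a Content-Security-Policy that disallows inline script as defense in depth for the case where a sanitizer bypass is found.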
---
index.html | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/index.html b/index.html
index 5f90ae39..9c1e3093 100644
--- a/index.html
+++ b/index.html
@@ -40,6 +40,9 @@
+
+
+
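Review bot: the hunk as shown contains only three empty `+` lines and no `-` line, while the diffstat reports 4 insertions and 1 deletion in index.html, so the change the commit message describes (wrapping the `marked.parse()` output in `DOMPurify.sanitize()` before the `innerHTML` assignment) is not visible here and cannot be verified from this patch. Please regenerate the patch so the hunk shows the removed `innerHTML = marked.parse(...)` line and its replacement, e.g. `el.innerHTML = DOMPurify.sanitize(marked.parse(md));`, and if DOMPurify is pulled in through a `<script src>` tag, pin the version and add `integrity` and `crossorigin` attributes so the sanitizer itself is not a new supply-chain sink.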