From 03347ec2c1783350872c049e1e4af565955bf54b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tr=E1=BA=A7n=20B=C3=A1ch?= <45133811+barttran2k@users.noreply.github.com> Date: Tue, 7 Apr 2026 18:06:50 +0700 Subject: [PATCH] fix(security): dom-based xss via unsanitized innerhtml with remot MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The page fetches Markdown from a remote GitHub URL and renders it directly into the DOM using `innerHTML = marked.parse(data)`. The `marked` library does not sanitize HTML by default in many versions. If the remote README.md content is compromised or contains malicious HTML/JavaScript (e.g., via a compromised contributor account), arbitrary scripts could execute in visitors' browsers. Affected files: index.html Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com> --- index.html | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/index.html b/index.html index 5f90ae39..877455fa 100644 --- a/index.html +++ b/index.html @@ -37,6 +37,9 @@ + + + @@ -53,7 +56,7 @@ fetch( 'https://raw.githubusercontent.com/offa/android-foss/master/README.md' ) .then( response => response.text() ) .then( data => { - document.querySelector( 'main' ).innerHTML = marked.parse( data ); + document.querySelector( 'main' ).innerHTML = DOMPurify.sanitize( marked.parse( data ) ); }) .catch( error => console.error( 'Error:', error ) );
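Review bot: The three added lines of the first hunk (at +37) arrive empty in this rendering, so whatever brings `DOMPurify` into scope cannot be reviewed here; if they are `<script>` tags loading DOMPurify from a CDN, pin an exact version and add `integrity` and `crossorigin` attributes (Subresource Integrity), otherwise the change only moves trust from the remote README to the CDN host. The new `DOMPurify.sanitize( marked.parse( data ) )` line in the second hunk is the right shape, and if the DOMPurify script fails to load the resulting ReferenceError is caught by the existing `.catch`, leaving `<main>` empty rather than rendering unsanitized HTML — fail-closed, which is acceptable but worth recording with a comment above the assignment such as `// DOMPurify must be loaded first: a missing sanitizer fails closed (empty <main>) via the .catch below`. The hunk header counts seven old lines but only six are visible, and the enclosing `<script>` block starts and ends outside the hunk.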