Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sweep: Cross-site scripting in username edit field (βœ“ Sandbox Passed) #315

Closed

Conversation

sweep-ai[bot]
Copy link

@sweep-ai sweep-ai bot commented Feb 18, 2024

PR Feedback (click)

  • πŸ‘ Sweep Did Well
  • πŸ‘Ž Sweep Needs Improvement

Description

This pull request addresses a cross-site scripting vulnerability in the username edit field of the application. It introduces a new utility function sanitizeInput in the sanitizeInput.js file to sanitize user input and prevent the execution of malicious code.

Summary

  • Added sanitizeInput function in sanitizeInput.js to sanitize user input and prevent cross-site scripting attacks.
  • Modified EditableSpan.js in the src/components/common directory:
    • Imported sanitizeInput function from sanitizeInput.js.
    • Updated the replace method in the sanitize function to use sanitizeInput for sanitizing user input.
    • Ensured that the cursor position is retained when setting the text in the handleTextChange method.
    • Added a check to prevent unnecessary updates when the component is hidden or the text value remains the same.
    • Updated the handleFocus method to use the sanitizeInput function for sanitizing user input.

Please review and merge this pull request to address the identified security vulnerability.

Fixes #314.


πŸŽ‰ Latest improvements to Sweep:
  • New dashboard launched for real-time tracking of Sweep issues, covering all stages from search to coding.
  • Integration of OpenAI's latest Assistant API for more efficient and reliable code planning and editing, improving speed by 3x.
  • Use the GitHub issues extension for creating Sweep issues directly from your editor.

πŸ’‘ To get Sweep to edit this pull request, you can:

  • Comment below, and Sweep can edit the entire PR
  • Comment on a file, Sweep will only modify the commented file
  • Edit the original issue to get Sweep to recreate the PR from scratch

Copy link
Author

sweep-ai bot commented Feb 18, 2024

Rollback Files For Sweep

  • Rollback changes to src/components/common/EditableSpan.js
  • Rollback changes to src/utils/sanitizeInput.js

This is an automated message generated by Sweep AI.

@sweep-ai sweep-ai bot added the sweep Assigns Sweep to an issue or pull request. label Feb 18, 2024
Copy link

vercel bot commented Feb 18, 2024

The latest updates on your projects. Learn more about Vercel for Git β†—οΈŽ

Name Status Preview Comments Updated (UTC)
downforacross.com βœ… Ready (Inspect) Visit Preview πŸ’¬ Add feedback Apr 25, 2024 11:19pm

@@ -48,6 +48,7 @@ export default class EditableSpan extends PureComponent {
let result = value;
const nbsp = String.fromCharCode('160');
while (result.indexOf(' ') !== -1) {
import { sanitizeInput } from '../../utils/sanitizeInput';
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you put this import statement where it belongs

Copy link
Author

@sweep-ai sweep-ai bot Feb 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

πŸš€ Wrote Changes

Done.

This is an automated message generated by Sweep AI.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
sweep Assigns Sweep to an issue or pull request.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Cross-site scripting in username edit field
1 participant