From e9f708bf735de13ba0bb1a736ab6ff68b43b9d5d Mon Sep 17 00:00:00 2001
From: Ali Jaafer <93264687+i5d6@users.noreply.github.com>
Date: Tue, 29 Apr 2025 00:18:58 +0300
Subject: [PATCH] Update settings-sync.js
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A DOM-based XSS vulnerability exists due to the use of .html(message) without proper sanitization. If the message variable can be influenced by an attacker, arbitrary HTML or JavaScript code could be injected and executed in the victim's browser.

Impact: An attacker could inject malicious scripts that would execute in the context of the victim’s session, leading to potential session hijacking, defacement, or phishing attacks.

Steps to Reproduce: Find a way to control or inject content into the message variable. Inject payload like . Observe the JavaScript code being executed

Recommendation: Replace .html(message) with .text(message) to safely display user-provided data without interpreting it as HTML. Alternatively, sanitize message before using it with .html(), for example using a library like DOMPurify.

$('#sync_progress').show().html(DOMPurify.sanitize(message)).css('color', 'inherit');
---
 assets/js/admin/settings-sync.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/assets/js/admin/settings-sync.js b/assets/js/admin/settings-sync.js
index e0b8f3921..86c4ebc0e 100644
--- a/assets/js/admin/settings-sync.js
+++ b/assets/js/admin/settings-sync.js
@@ -245,7 +245,8 @@ jQuery( document ).ready( function( $ ) {
 }
 // set products sync status
-$( '#sync_progress' ).show().html( message ).css( 'color', 'inherit' );
+$('#sync_progress').show().html(DOMPurify.sanitize(message)).css('color', 'inherit');
+ facebook_for_woocommerce_settings_sync.sync_in_progress = true; }
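Review bot: The added line calls the global `DOMPurify`, but nothing in this patch loads it — the diffstat shows only assets/js/admin/settings-sync.js changed and no script dependency is registered — so unless DOMPurify is already enqueued on this admin page the call throws a ReferenceError and the `sync_in_progress = true` assignment that follows is never reached, which the surrounding handler presumably relies on. If `message` is only ever a plain status string, the dependency-free fix the commit message itself recommends is stricter and does not need a sanitizer: `$( '#sync_progress' ).show().text( message ).css( 'color', 'inherit' );`. If markup in `message` is genuinely needed, the DOMPurify call should be paired with the script being enqueued as a dependency and a comment such as `// message may contain server-supplied HTML; sanitize before injecting into the DOM` so the next maintainer does not revert to `.html( message )`. As a point of style, the new line also drops the spacing inside parentheses (`$('#sync_progress')`) that the rest of the hunk uses (`$( '#sync_progress' )`), so it should match the file's existing convention. The enclosing `jQuery( document ).ready` callback starts and ends outside this hunk.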