
fix(web): escape HTML in commit messages to prevent XSS#6523

Merged
6543 merged 4 commits into
woodpecker-ci:mainfrom
wucm667:fix/commit-message-html-escaping
May 1, 2026

Conversation


@wucm667 wucm667 commented Apr 30, 2026

Contributor

Fixes #6522

Bug

When a commit message contains HTML tags like <input type="color" />,
the Woodpecker web UI renders them as actual HTML elements instead of
displaying them as plain text. This is a potential XSS vulnerability
in the activity log and pipeline pages.

Root Cause

The RenderMarkdown component uses v-html with DOMPurify configured
with { USE_PROFILES: { html: true } }, which allows safe HTML elements
like <input> to be rendered. Commit messages pass through this component
without prior HTML escaping.

Fix

Added HTML escaping (< to &lt;, > to &gt;, etc.) to the message
and title computed properties in usePipeline.ts. This ensures all
special characters are displayed as plain text before reaching the
markdown renderer.

Verification

  • TypeScript type check passes
  • Vite build succeeds
  • ESLint passes on modified file

Commit messages containing HTML tags (e.g. <input type="color" />)
were being rendered as actual HTML elements in the web UI because
RenderMarkdown uses v-html with DOMPurify, which allows safe HTML.

Add HTML escaping to the message and title computed properties in
usePipeline.ts before they reach the markdown renderer, ensuring
all special characters are displayed as plain text.

Fixes woodpecker-ci#6522

Signed-off-by: wucm667 <stevenwucongmin@gmail.com>
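The escaping step the description above outlines, as an added example that is not the Woodpecker project's own code: function names, the title/body split and the sample commit text are this example's assumptions. It also shows the replacement-order pitfall that turns a correct escape into a double-escaped one.

```typescript
// Added example, not code from woodpecker-ci: HTML-escape commit text before
// it reaches a v-html markdown renderer, so tags in a message are shown as
// literal text rather than parsed as markup.

const HTML_ESCAPES: Record<string, string> = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// One regex pass handles '&' together with the other four characters, so an
// entity produced by the escape is never re-escaped by a later replacement.
export function escapeHtml(text: string): string {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch);
}

// Contrast: replacing '<' before '&' re-escapes the entity it just produced,
// so "<" becomes "&amp;lt;" and the UI shows the literal text "&lt;".
export function escapeHtmlWrongOrder(text: string): string {
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/&/g, '&amp;');
}

// Assumed split (the real usePipeline.ts may differ): first line is the
// title, the rest is the message body; both are escaped before rendering.
export function commitTextForDisplay(raw: string): { title: string; message: string } {
  const [first = '', ...rest] = raw.split('\n');
  return {
    title: escapeHtml(first.trim()),
    message: escapeHtml(rest.join('\n').trim()),
  };
}

// Rough stand-in for "could an HTML parser start a tag here?": after escaping
// no '<' remains, so nothing can be interpreted as an element.
export function containsTagStart(s: string): boolean {
  return /<[a-zA-Z/!?]/.test(s);
}

// Constructed sample commit message using the tag shape from the bug report.
export const SAMPLE_COMMIT = 'feat: add color picker <input type="color" />\n\nSee `a < b && c`';
```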

@6543 6543 closed this Apr 30, 2026

@6543 6543 reopened this Apr 30, 2026
@6543 6543 added bug Something isn't working ui frontend related labels Apr 30, 2026
Comment thread web/src/compositions/usePipeline.ts Outdated

6543 commented Apr 30, 2026

Member

also some tests might be nice...


6543 commented Apr 30, 2026

Member

I'm a real dev

sorry, we just get flooded more and more. happy to work with humans 🚀

- Extract escapeHtml from usePipeline.ts to web/src/lib/utils/index.ts
- Add comprehensive unit tests for escapeHtml in utils.test.ts
- Addresses maintainer review comments on PR woodpecker-ci#6523

wucm667 commented Apr 30, 2026

Contributor Author

Done. Moved escapeHtml to lib/utils and added unit tests for it. Let me know if anything else needs adjusting.


6543 commented May 1, 2026

Member

@6543 6543 merged commit 1ffa588 into woodpecker-ci:main May 1, 2026
7 checks passed
@woodpecker-bot woodpecker-bot mentioned this pull request Apr 30, 2026
@wucm667 wucm667 deleted the fix/commit-message-html-escaping branch May 1, 2026 02:26

Development

Successfully merging this pull request may close these issues.

Incorrect escaping of commit messages in web ui activity log / pipeline page