Description
Dynamic content (such as display names, NIP-05 identifiers, and other user-provided text) is currently being rendered without proper sanitization or HTML escaping. This creates potential XSS (Cross-Site Scripting) vulnerabilities where malicious actors can inject JavaScript or HTML that will execute when rendered in the DOM.
Scope
- Identify all locations where dynamic text/HTML content is rendered
- Implement proper sanitization using a library like DOMPurify or HTML escaping
- Ensure that legitimate HTML tags in content continue to work correctly after sanitization
- Test to verify that the sanitization prevents XSS attacks while preserving intended functionality
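As an added example (not code from this project), the escape-then-render pattern for the plain-text fields named above: display names are HTML-escaped before being placed in markup, and NIP-05 identifiers are validated against the format the NIP-05 spec allows (local part of a-z, 0-9, `-`, `_`, `.` followed by `@domain`) so they are never rendered as markup at all. Fields that must carry legitimate HTML are out of scope here and should go through an allowlist sanitizer such as DOMPurify; `renderProfileHeader` and the sample inputs are assumptions for illustration.

```javascript
// Added example, not the project's own code. Escape-then-render for
// untrusted profile fields, plus a strict NIP-05 format check so that
// identifiers never reach the DOM as markup. Assumes the rendering layer
// consumes an HTML string (innerHTML-style), which is why escaping matters.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can open a tag or break out of an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// NIP-05 identifiers are <local-part>@<domain>; the spec limits the local
// part to a-z0-9, '-', '_' and '.' (case-insensitive). Anything else is
// rejected instead of rendered, so the identifier can never carry markup.
const NIP05_RE = /^[a-z0-9._-]+@[a-z0-9-]+(\.[a-z0-9-]+)+$/i;
function isValidNip05(id) {
  return typeof id === 'string' && NIP05_RE.test(id);
}

// Build the profile header markup from untrusted fields (hypothetical
// renderer). The display name is escaped; the NIP-05 is shown only if valid.
function renderProfileHeader({ displayName, nip05 }) {
  const name = escapeHtml(displayName ?? '');
  const verified = isValidNip05(nip05)
    ? `<span class="nip05">${escapeHtml(nip05)}</span>`
    : '';
  return `<h2>${name}</h2>${verified}`;
}

// Constructed sample input: a display name containing a script tag and a
// NIP-05 field that tries to smuggle markup through the identifier.
const hostileProfile = {
  displayName: '<script>alert("xss")</script>Mallory',
  nip05: '<script>alert("xss")</script>@example.com',
};

// Constructed benign input for comparison.
const benignProfile = { displayName: 'Alice', nip05: 'alice@example.com' };
```

Run it in Node and compare `renderProfileHeader(hostileProfile)` with `renderProfileHeader(benignProfile)`: the hostile name survives only as inert text and the malformed identifier is dropped.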
Related