Skip to content

fix(security): 2 improvements across 2 files#1953

Open
tomaioo wants to merge 2 commits into
tidepool-org:developfrom
tomaioo:fix/security/potential-xss-via-dangerouslysetinnerhtm
Open

fix(security): 2 improvements across 2 files#1953
tomaioo wants to merge 2 commits into
tidepool-org:developfrom
tomaioo:fix/security/potential-xss-via-dangerouslysetinnerhtm

Conversation

@tomaioo

@tomaioo tomaioo commented Jun 17, 2026

Copy link
Copy Markdown

Summary

fix(security): 2 improvements across 2 files

Problem

Severity: Medium | File: app/components/mailto/mailto.js:L16

The MailTo component constructs a mailto URL by directly concatenating user-controlled props (emailAddress, emailSubject) without URL encoding. While not using dangerouslySetInnerHTML, the href attribute is constructed via string concatenation which could allow JavaScript protocol injection if props are attacker-controlled. The iframe with name='mailto' and src='about:blank' is also a potential security concern as it could be targeted.

Solution

Use URL encoding for emailAddress and emailSubject props. Consider using encodeURIComponent or a URL construction API. Validate that emailAddress matches expected email format before constructing URL.

Changes

  • app/components/mailto/mailto.js (modified)
  • app/components/gate.js (modified)

tomaioo added 2 commits June 17, 2026 11:17
- Security: Potential XSS via dangerouslySetInnerHTML-equivalent pattern in mailto component
- Security: Missing dependency array in useEffect hook

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
- Security: Potential XSS via dangerouslySetInnerHTML-equivalent pattern in mailto component
- Security: Missing dependency array in useEffect hook

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses a reported security concern around constructing mailto: URLs from user-controlled props, and adjusts a React hook dependency list to be exhaustive.

Changes:

  • Encode emailAddress and emailSubject when building the mailto: URL in MailTo.
  • Update Gate’s useEffect dependency array to include dispatch and onEnter.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
app/components/mailto/mailto.js Updates mailto URL construction to apply URL encoding to prop-derived values.
app/components/gate.js Updates useEffect dependencies for correctness with React Hooks rules.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

render() {

var mailtoInfo = 'mailto:'+this.props.emailAddress+'?Subject='+this.props.emailSubject;
var mailtoInfo = 'mailto:' + encodeURIComponent(this.props.emailAddress) + '?Subject=' + encodeURIComponent(this.props.emailSubject);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants