Fix HIGH-level code scanning alerts: DOM XSS and unvalidated URL redirect #480

Open
Copilot wants to merge 3 commits into main from copilot/fix-high-level-code-scanning-alerts
Conversation

Contributor

Copilot AI commented Apr 17, 2026

Two HIGH-severity CodeQL alerts in client-side JavaScript: DOM-based XSS via HTML string concatenation and an unvalidated URL redirect via window.location assignment.

related-modal.js — DOM XSS (js/xss-through-dom)

  • Replaced unsafe HTML string concatenation passed to jQuery's $() constructor (which uses innerHTML) with explicit DOM API calls that set attributes directly, eliminating the XSS sink.
// Before — iframeName/iframeSrc flow into innerHTML
const iframeHTML = '<iframe id="related-modal-iframe" name="' + iframeName + '" src="' + iframeSrc + '"></iframe>';
const modalEl = $(modalHTML);

// After — attributes set via DOM API, no HTML parsing
const iframeEl = $('<iframe>').attr({ id: 'related-modal-iframe', name: iframeName, src: iframeSrc });
const modalEl = $('<div>').addClass('related-modal-iframe-container').append(iframeEl);

dropdown-filter.js — Unvalidated URL redirect (js/client-side-unvalidated-url-redirection)

  • Added URL validation before window.location assignment to block javascript: and protocol-relative (//evil.com) URLs. Django admin filter values are always query strings (?...) or path-relative (/...), so this is lossless.
// Before
if (value) { window.location = value; }

// After
if (value && (value.startsWith('?') || (value.startsWith('/') && !value.startsWith('//')))) {
    window.location = value;
}

Checklist before requesting a review

  • I have performed a self-review of my code.
  • I have added tests for the proposed changes.
  • I have run the tests and there are no errors.
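Both fixes above share one underlying question: is this attacker-influenceable string a URL the page may safely use? A prefix allowlist answers it incompletely, because browsers treat a backslash after the leading slash as a second slash, so `/\evil.example/` resolves to `https://evil.example/` while passing the `startsWith('/') && !startsWith('//')` test; and an `<iframe src="javascript:...">` runs script in the embedding page even when the element is built with DOM APIs rather than innerHTML. The following is an added example, not code from this PR or from the django-admin-interface project, showing one guard that covers both the dropdown-filter redirect and the related-modal iframe src by resolving the value against the page URL and requiring an http(s) same-origin result. The base URL, the `doc`/`nav` injection parameters, the function names and the sample inputs are assumptions for illustration.

```javascript
// Added example (not code from the PR or the django-admin-interface project):
// a same-origin URL guard for both sinks the PR touches. Names, the base URL
// and the sample inputs are assumptions for illustration.

// The PR's prefix allowlist, reproduced for comparison.
function legacyPrefixCheck(value) {
  return Boolean(value) &&
    (value.startsWith('?') || (value.startsWith('/') && !value.startsWith('//')));
}

// Resolve `value` against the page's own URL (window.location.href in a browser,
// passed in here so the function runs outside one) and accept it only if the
// result is an http(s) URL on the same origin. Returns the normalised absolute
// href, or null when the target must not be used.
function sameOriginTarget(value, baseHref) {
  if (typeof value !== 'string' || value === '') return null;
  let base, target;
  try {
    base = new URL(baseHref);
    target = new URL(value, base);   // relative values resolve exactly as the browser would
  } catch (e) {
    return null;                     // unparsable input is rejected, not navigated to
  }
  if (target.protocol !== 'http:' && target.protocol !== 'https:') return null; // javascript:, data:, ...
  if (target.origin !== base.origin) return null;   // //evil, /\evil, https://evil
  return target.href;
}

// Hardened replacement for the dropdown-filter navigation. `nav` stands in for
// window.location (it is injected so the logic is testable).
function navigateToFilter(value, nav) {
  const href = sameOriginTarget(value, nav.href);
  if (href === null) return false;
  nav.assign(href);                  // assign the normalised href, not the raw input
  return true;
}

// Hardened replacement for the related-modal iframe: built with DOM APIs (no
// HTML parsing, so quotes in `name` cannot break out of an attribute) and with
// the src checked, because a javascript: src would still execute in the parent
// document. `doc` stands in for `document`.
function createRelatedModal(doc, iframeName, iframeSrc, baseHref) {
  const src = sameOriginTarget(iframeSrc, baseHref);
  if (src === null) return null;
  const iframe = doc.createElement('iframe');
  iframe.setAttribute('id', 'related-modal-iframe');
  iframe.setAttribute('name', iframeName);
  iframe.setAttribute('src', src);
  const container = doc.createElement('div');
  container.setAttribute('class', 'related-modal-iframe-container');
  container.appendChild(iframe);
  return container;
}

// Constructed inputs: what the admin filter emits, plus attacker-shaped values.
const BASE = 'https://admin.example.test/admin/app/model/';   // assumed page URL
const CASES = [
  '?status__exact=1',
  '/admin/app/model/?o=2',
  '//evil.example/',
  '/\\evil.example/',          // backslash form: browsers treat it as //evil.example/
  'javascript:alert(document.domain)',
  'https://evil.example/admin/',
];

// Side-by-side result of the prefix check and the same-origin check.
function compareChecks(baseHref = BASE, cases = CASES) {
  return cases.map(v => ({
    value: v,
    legacy: legacyPrefixCheck(v),
    sameOrigin: sameOriginTarget(v, baseHref),
  }));
}

console.table(compareChecks());
```

The origin comparison is broader than the PR's check in one direction (it also admits absolute same-origin URLs) and stricter in the other (it rejects the backslash and scheme-based forms). Assigning the resolved `href` rather than the raw string means the browser navigates to exactly the URL that was validated.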

@fabiocaccamo fabiocaccamo marked this pull request as ready for review April 17, 2026 16:31
Copilot AI review requested due to automatic review settings April 17, 2026 16:31
@codecov

codecov Bot commented Apr 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.48%. Comparing base (361d7a0) to head (00ac26a).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #480   +/-   ##
=======================================
  Coverage   97.48%   97.48%           
=======================================
  Files          40       40           
  Lines         438      438           
=======================================
  Hits          427      427           
  Misses         11       11           
Flag Coverage Δ
unittests 97.48% <ø> (ø)



Copilot AI left a comment


Pull request overview

This PR addresses two HIGH-severity CodeQL findings in the admin UI JavaScript by removing an innerHTML-based DOM XSS sink and adding client-side validation before performing a window.location navigation.

Changes:

  • Refactors related-modal iframe creation to avoid HTML string concatenation and jQuery HTML parsing of interpolated content.
  • Adds a URL allowlist guard before assigning to window.location from dropdown filter selections.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File: admin_interface/static/admin_interface/related-modal/related-modal.js
Description: Builds the modal + iframe via element creation/attribute setting rather than concatenated HTML to remove the DOM XSS sink.

File: admin_interface/static/admin_interface/dropdown-filter/dropdown-filter.js
Description: Adds a prefix-based allowlist check intended to prevent unsafe client-side redirects.


Comment thread admin_interface/static/admin_interface/dropdown-filter/dropdown-filter.js Outdated
…n-filter.js

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>