fix(mgt-components): sanitize search result summaries with DOMPurify to prevent XSS#3493
Merged
Merged
Conversation
…to prevent XSS sanitizeSummary() previously only replaced proprietary Graph API tags (<ddd/>, <c0>, </c0>) without sanitizing other HTML. This allowed stored XSS via attacker-controlled content indexed by Microsoft Search and rendered through .innerHTML in mgt-search-results. Add DOMPurify to sanitize HTML after proprietary tag conversion, allowing only safe formatting tags (b, em, strong, span) with no attributes. Closes #3492 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
|
Thank you for creating a Pull Request @@gavinbarron. This is a checklist for the PR reviewer(s) to complete before approving and merging this PR:
|
The @web/dev-server-esbuild plugin passes the tsconfig to esbuild as tsconfigRaw, which does not resolve `extends`. After bumping esbuild, its default switched to standard (TC39) decorators, causing Lit's @Property to throw "Unsupported decorator location: field/getter" and breaking test module imports. Declare experimentalDecorators and emitDecoratorMetadata directly so esbuild emits legacy decorators. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
sebastienlevert
approved these changes
Jun 26, 2026
Member
Author
|
Bypassing rules and merging. GitOps/AdvancedSecurity is triggering on dev dependencies and the electron version used in the electron provider. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #3492
sanitizeSummary()only replaced proprietary Graph API tags without sanitizing other HTML, enabling stored XSS via.innerHTMLinmgt-search-results.Changes
dompurifyas a dependency topackages/mgt-componentssanitizeSummary()to runDOMPurify.sanitize()after proprietary tag conversionb,em,strong,span(no attributes)Security
This addresses a stored XSS vulnerability where attacker-controlled content in SharePoint/OneDrive files could execute JavaScript in the browser of any user viewing search results through
<mgt-search-results>.