Skip to content

fix(mgt-components): sanitize search result summaries with DOMPurify to prevent XSS#3493

Merged
gavinbarron merged 3 commits into
mainfrom
gavinbarron/fix-sanitize-summary-xss
Jun 26, 2026
Merged

fix(mgt-components): sanitize search result summaries with DOMPurify to prevent XSS#3493
gavinbarron merged 3 commits into
mainfrom
gavinbarron/fix-sanitize-summary-xss

Conversation

@gavinbarron

Copy link
Copy Markdown
Member

Summary

Fixes #3492

sanitizeSummary() only replaced proprietary Graph API tags without sanitizing other HTML, enabling stored XSS via .innerHTML in mgt-search-results.

Changes

  • Added dompurify as a dependency to packages/mgt-components
  • Updated sanitizeSummary() to run DOMPurify.sanitize() after proprietary tag conversion
  • Only allows safe formatting tags: b, em, strong, span (no attributes)
  • Added unit tests covering XSS payload stripping and proprietary tag conversion

Security

This addresses a stored XSS vulnerability where attacker-controlled content in SharePoint/OneDrive files could execute JavaScript in the browser of any user viewing search results through <mgt-search-results>.

…to prevent XSS

sanitizeSummary() previously only replaced proprietary Graph API tags
(<ddd/>, <c0>, </c0>) without sanitizing other HTML. This allowed stored
XSS via attacker-controlled content indexed by Microsoft Search and
rendered through .innerHTML in mgt-search-results.

Add DOMPurify to sanitize HTML after proprietary tag conversion, allowing
only safe formatting tags (b, em, strong, span) with no attributes.

Closes #3492

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@gavinbarron gavinbarron requested a review from a team as a code owner June 25, 2026 20:22
@microsoft-github-policy-service

microsoft-github-policy-service Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Thank you for creating a Pull Request @@gavinbarron.

This is a checklist for the PR reviewer(s) to complete before approving and merging this PR:

  • I have verified a documentation PR has been linked and is approved (or not applicable)
  • I have ran this PR locally and have tested the fix/feature
  • I have verified that stories have been added to storybook (or not applicable)
  • I have tested existing stories in storybook to verify no regression has occured
  • I have tested the solution in at least two browsers (Edge + 1 non-Chromium based browser)

gavinbarron and others added 2 commits June 25, 2026 22:37
The @web/dev-server-esbuild plugin passes the tsconfig to esbuild as
tsconfigRaw, which does not resolve `extends`. After bumping esbuild,
its default switched to standard (TC39) decorators, causing Lit's
@Property to throw "Unsupported decorator location: field/getter" and
breaking test module imports. Declare experimentalDecorators and
emitDecoratorMetadata directly so esbuild emits legacy decorators.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@gavinbarron gavinbarron enabled auto-merge (squash) June 25, 2026 23:39
@github-project-automation github-project-automation Bot moved this to Done ✔️ in Graph Toolkit Jun 26, 2026
@gavinbarron gavinbarron disabled auto-merge June 26, 2026 15:55
@gavinbarron

Copy link
Copy Markdown
Member Author

Bypassing rules and merging.

GitOps/AdvancedSecurity is triggering on dev dependencies and the electron version used in the electron provider.

@gavinbarron gavinbarron merged commit 9d0cd98 into main Jun 26, 2026
8 of 10 checks passed
@gavinbarron gavinbarron deleted the gavinbarron/fix-sanitize-summary-xss branch June 26, 2026 15:58
@github-project-automation github-project-automation Bot moved this from Done ✔️ to Shipped 🚀 in Graph Toolkit Jun 26, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Shipped 🚀

Development

Successfully merging this pull request may close these issues.

fix: incomplete sanitization in sanitizeSummary allows XSS via mgt-search-results

2 participants