🤖 🔒 Unsanitized HTML injection via document.write #109

Description

@asmit25805

🔒 Security · 🟠 High · Confidence: 96%

File: next/src/lib/export/deck.ts
Location: exportDeckPrint


What's wrong

The code writes raw HTML from slide data directly into a new window using `w.document.write(...)` with a template literal of the form:

```ts
`... <title>${escapeHtml(title)}</title> ${head} <style>...</style> ${sectionsHtml} <script>...</script>`
```

The `${head}` and `${sectionsHtml}` values are taken from untrusted slide content without any sanitisation, allowing injected scripts or malicious markup to execute in the opened window.

Suggested fix

Sanitise or escape the injected HTML before writing it, or construct the DOM using safe APIs. For example:

```ts
import DOMPurify from 'dompurify';

// head and sectionsHtml are derived from untrusted slide content:
// run both through the sanitizer before they reach the new window.
const safeHead = DOMPurify.sanitize(head);
const safeSections = DOMPurify.sanitize(sectionsHtml);
const html = `<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>${escapeHtml(title)}</title>
${safeHead}
<style>...</style>
</head>
<body>
${safeSections}
<script>...</script>
</body>
</html>`;
w.document.open();
w.document.write(html);
w.document.close();
```
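As an added example that is not deck.ts's own code, the following builder takes the second route the fix mentions: slide text stays on the data side of the HTML boundary and is always escaped, while pre-rendered slide HTML is emitted only through a caller-supplied sanitizer such as `DOMPurify.sanitize`. `Slide`, `Sanitizer`, `escapeHtml` and `buildPrintHtml` are illustrative names assumed here.

```typescript
// Added example, not the project's deck.ts: untrusted slide content is kept on
// the data side of the HTML boundary. Slide, Sanitizer, escapeHtml and
// buildPrintHtml are illustrative names assumed for this demonstration.
type Slide = { title: string; body: string; bodyIsHtml?: boolean };
type Sanitizer = (html: string) => string;

const HTML_ESCAPES: Record<string, string> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape the characters that can change meaning in HTML text or in a
// double- or single-quoted attribute value.
function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Build the print window's markup. Text fields are always escaped. A slide body
// that is pre-rendered HTML is emitted only through a caller-supplied sanitizer
// (for example DOMPurify.sanitize); with no sanitizer it is escaped as text, so
// the builder fails closed instead of reproducing the raw document.write bug.
function buildPrintHtml(deckTitle: string, slides: Slide[], sanitize?: Sanitizer): string {
  const sections = slides.map((s) => {
    const body = s.bodyIsHtml && sanitize ? sanitize(s.body) : escapeHtml(s.body);
    return `<section><h2>${escapeHtml(s.title)}</h2><div>${body}</div></section>`;
  });
  return [
    '<!DOCTYPE html>',
    '<html><head><meta charset="utf-8" />',
    `<title>${escapeHtml(deckTitle)}</title>`,
    '</head><body>',
    ...sections,
    '</body></html>',
  ].join('\n');
}

// Constructed sample input: slide text carrying markup, as attacker-controlled
// deck data would. The script tag and the quotes come out as inert text.
const sampleSlides: Slide[] = [
  { title: 'Q1 <script>alert(1)</script>', body: 'Revenue "up" & costs down' },
];

// In the browser the string goes to the opened window exactly as in the fix above:
//   w.document.open(); w.document.write(buildPrintHtml(title, slides, DOMPurify.sanitize)); w.document.close();
```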

About this report

This finding was generated by an automated audit tool using Llama 3.3 70B + verification passes.
Only findings with ≥92% confidence that passed both LLM self-verification and line reference
verification are reported. False positives are still possible — please verify before acting.
