Security-fix: enhance security by safely parsing HTML #2259
Conversation
… in Magnific Popup
Pull request overview
This PR enhances security in the Magnific Popup library by implementing safer HTML parsing techniques to prevent potential XSS vulnerabilities. The changes focus on preventing malicious HTML execution by using explicit parsing methods instead of relying on jQuery's implicit HTML interpretation.
- Replaces jQuery's implicit HTML parsing with explicit $.parseHTML() for close button markup
- Switches from jQuery selector/HTML parsing to native document.querySelector() for the prependTo option to ensure strings are treated strictly as CSS selectors
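The two bullets above rest on one rule: jQuery's $() decides from the shape of a string whether to parse it as markup (creating nodes whose handlers run once inserted) or to run it as a selector. The block below is an added example, not code from Magnific Popup or from this PR. It reproduces jQuery 3's quick expression (rquickExpr from core/init.js, a real jQuery detail) to classify a string the way $() would, and then shows a selector-only resolver for an option like prependTo. The function names, the injected `lookup` function and the `fallback` argument are assumptions made so the code runs outside a browser; in a page, `lookup` would be `(sel) => document.querySelector(sel)`.

```javascript
// Added example; not code from Magnific Popup or from PR #2259.
// It models the rule jQuery 3 uses in $() to decide whether a string is
// markup to parse or a selector to look up, then shows a selector-only
// resolver of the kind the PR achieves by calling document.querySelector().

// jQuery 3's quick expression (core/init.js): group 1 captures an HTML
// string, group 2 an id selector. Note the leading \s*: whitespace before
// "<" does not stop a string from being parsed as markup.
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Returns 'html', 'id', 'selector' or 'empty': how $(str) treats str
// when no context argument is supplied.
function classifyJqueryArgument(str) {
  if (typeof str !== 'string' || str === '') return 'empty';
  let match;
  if (str[0] === '<' && str[str.length - 1] === '>' && str.length >= 3) {
    match = [null, str, null]; // fast path: unambiguously markup
  } else {
    match = rquickExpr.exec(str);
  }
  if (match && match[1]) return 'html';   // parsed into nodes; handlers run once inserted
  if (match && match[2]) return 'id';     // getElementById lookup
  return 'selector';                      // find() through the selector engine
}

// Guard for a string option such as prependTo (hypothetical helper): refuse
// anything $() would parse as markup, so the value can only select existing
// elements and never create new ones.
function requireSelectorString(str) {
  if (classifyJqueryArgument(str) === 'html') {
    throw new TypeError('prependTo must be a CSS selector, not HTML markup');
  }
  return str;
}

// Resolves a container option (hypothetical helper). `lookup` stands in for
// (sel) => document.querySelector(sel) so the example runs without a DOM.
// A selector that matches nothing, an invalid selector (querySelector throws
// a SyntaxError) or a markup string all yield `fallback`, never a freshly
// created element.
function resolveContainer(option, lookup, fallback) {
  if (typeof option === 'string') {
    let el = null;
    try {
      el = lookup(requireSelectorString(option));
    } catch (e) {
      el = null; // invalid selector or markup: fall back instead of inserting anything
    }
    return el || fallback;
  }
  return option || fallback; // an element object passed directly
}
```

The classification is the point worth remembering: a check such as `str[0] !== '<'` is not equivalent to jQuery's rule, because `'  <div>'` and `'<div> trailing text'` are both parsed as markup. Routing the string through document.querySelector(), as the PR does, sidesteps the question entirely, since the selector engine cannot create nodes and rejects markup-shaped strings with a SyntaxError, which is why the string branch needs a fallback.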
…ors and providing a fallback
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
| if (typeof mfp.st.prependTo === 'string') { | ||
| appendToEl = $(document.body).find(mfp.st.prependTo); | ||
| if (typeof mfp.st.prependTo === 'string') { | ||
| // FIX: Use document.querySelector to ensure the string is treated |
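Review bot: document.querySelector() throws a SyntaxError when its argument is not a valid selector (a markup-shaped string is one such case), and returns null when nothing matches, whereas the replaced $(document.body).find(mfp.st.prependTo) always returned a jQuery set; the string branch therefore needs a try/catch that routes to the fallback, and the code that uses appendToEl must handle null. Separately, the "FIX:" prefix in the comment is read by some linters as a task marker; "Use document.querySelector so the string is treated only as a CSS selector" says the same thing without it.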
Could you remove the FIX:? Some of the tools think it's a todo directive.
Unable to PHPCS or SVG scan one or more files due to error running PHPCS/SVG scanner:
The error may be temporary. If the error persists, please contact a human (commit-ID: 67e3d1e).
mi5t4n
left a comment
LGTM
No description provided.