
Potential fix for code scanning alert no. 1: DOM text reinterpreted as HTML#1

Merged
stephenlyons18 merged 1 commit into main from alert-autofix-1
Nov 10, 2025

Conversation

@stephenlyons18
Owner

Potential fix for https://github.com/stephenlyons18/stephenlyons18.github.io/security/code-scanning/1

The best way to fix this vulnerability is to prevent user-supplied input from being interpreted as executable HTML by the browser. Specifically:

  • Use textContent (or equivalent) instead of innerHTML when inserting user input into the DOM, as textContent treats its content as plain text, escaping any meta-characters.
  • Alternatively, explicitly sanitize or encode the user input before using it in an HTML context, for example by replacing characters like <, >, and & with their HTML entities.
  • To maintain the output format (with bold names and quoted subjects), construct the DOM elements programmatically rather than relying on string interpolation and innerHTML.

Region to change: Lines 65-72. Instead of constructing a string with interpolated user input and assigning it to formResponse.innerHTML, build the elements using the DOM API. Create and append elements such as <p>, <strong>, etc., and set user data using textContent.

No new imports are required.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…s HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
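As an added illustration of the fix described in the PR body (this is example code, not the repository's own formResponse handler): the flagged innerHTML interpolation beside the DOM-API/textContent replacement and the entity-encoding alternative. The exact wording and markup of the original response message are not on this page, so the "Thanks, name! Your message about "subject" was received." layout is assumed, and the tiny document stub exists only so the example runs under Node; in a page you would pass window.document.

```javascript
// Minimal HTML entity encoding (the "sanitize or encode" option). Use it only
// when you must build an HTML string; the DOM approach below needs no encoding.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// The flagged pattern: user input interpolated into markup that is assigned to
// innerHTML. Anything that looks like a tag in name/subject is parsed as HTML.
function unsafeMarkup(name, subject) {
  return `<p>Thanks, <strong>${name}</strong>! Your message about "${subject}" was received.</p>`;
}

// The fix: build nodes with the DOM API and set user data through textContent,
// so the browser treats it as text. `doc` is the document (window.document in
// a page); `container` plays the role of formResponse.
function renderResponse(doc, container, name, subject) {
  container.textContent = "";              // clear the previous response
  const p = doc.createElement("p");
  p.appendChild(doc.createTextNode("Thanks, "));
  const strong = doc.createElement("strong");
  strong.textContent = name;               // plain text, never parsed as markup
  p.appendChild(strong);
  p.appendChild(doc.createTextNode(`! Your message about "${subject}" was received.`));
  container.appendChild(p);
  return container;
}

// Constructed stand-in for the browser document so this runs under Node
// (assumption: real code passes window.document). toHTML() serializes the way
// innerHTML would read back, escaping only &, < and > inside text nodes.
function makeDoc() {
  const textNode = (data) => ({
    data, toHTML: () => data.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;"),
  });
  const element = (tag) => ({
    tag, childNodes: [],
    appendChild(n) { this.childNodes.push(n); return n; },
    set textContent(v) { this.childNodes = v === "" ? [] : [textNode(String(v))]; },
    toHTML() { return `<${this.tag}>${this.childNodes.map((n) => n.toHTML()).join("")}</${this.tag}>`; },
  });
  return { createElement: element, createTextNode: textNode };
}

const doc = makeDoc();
const name = "<b>Alice</b>";             // constructed input containing markup
const safe = renderResponse(doc, doc.createElement("div"), name, "Hello & <hi>").toHTML();
console.log(unsafeMarkup(name, "Hello & <hi>")); // markup survives intact
console.log(safe);                                // markup shown as text
```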
@github-actions

🔐 Secret Scanning Alert

TruffleHog has detected potential secrets in this pull request!

Action Required: Please review the findings and:

  1. Remove any committed secrets
  2. Rotate any exposed credentials
  3. Update your code to use environment variables or secrets management

Common Secret Types:

  • AWS Access Keys (AKIA...)
  • API Keys and Tokens
  • Private SSH Keys
  • Database Passwords
  • OAuth Tokens

How to Fix:

# Remove secret from git history
git filter-branch --force --index-filter \
  "git rm --cached --ignore-unmatch path/to/file" \
  --prune-empty --tag-name-filter cat -- --all

# Use environment variables instead
export API_KEY="your-secret-key"

# Or use GitHub Secrets in Actions

Prevention:

  • Use .gitignore for sensitive files
  • Use pre-commit hooks with TruffleHog
  • Store secrets in GitHub Secrets or a secrets manager
  • Never commit .env files

View detailed findings in the Actions tab.

@stephenlyons18 stephenlyons18 marked this pull request as ready for review November 10, 2025 22:50
@stephenlyons18 stephenlyons18 merged commit 86e3573 into main Nov 10, 2025
2 of 4 checks passed