fix(security): rendering mutable remote content from branch head (#639)

The app fetches Markdown from `.../master/README.md`, which is a mutable branch reference. Content can change at any time and is immediately rendered client-side. This increases the risk of unexpected content/script injection and makes output non-reproducible.

Affected files: index.html

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
tomaioo 2026-04-15 12:39:35 -07:00 committed by GitHub
commit d3e32a78a2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -51,7 +51,7 @@
marked.use( markedGfmHeadingId.gfmHeadingId() );
// Get the markdown file, convert it to HTML & put it inside the main tag
fetch( 'https://raw.githubusercontent.com/offa/android-foss/master/README.md' )
fetch( 'README.md' )
.then( response => response.text() )
.then( data => {
document.querySelector( 'main' ).innerHTML = marked.parse( data );
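Review bot: the new relative `fetch( 'README.md' )` only works if README.md is served from the same directory as index.html, and the chain `.then( response => response.text() )` never checks `response.ok`, so a missing file would hand the server's 404 page to `marked.parse( data )` and render it into `main`. Since this commit touches only index.html (per "Affected files"), either confirm README.md is part of the deployed tree or guard the response, e.g. `if ( !response.ok ) throw new Error( 'README.md: ' + response.status );` before calling `.text()`. Separately, the injection concern named in the message is narrowed but not removed: `marked.parse( data )` is still assigned straight to `innerHTML` without sanitization, so anyone who can change the deployed README.md can inject markup; run the HTML through a sanitizer such as DOMPurify before assignment, or document why the local file is trusted.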