Skip to content

🔒 fix: prevent XSS in JSON-LD script block#64

Merged
amrabed merged 1 commit into
mainfrom
fix/json-ld-xss-vulnerability-18188873139106152267
Jun 30, 2026
Merged

🔒 fix: prevent XSS in JSON-LD script block#64
amrabed merged 1 commit into
mainfrom
fix/json-ld-xss-vulnerability-18188873139106152267

Conversation

@google-labs-jules

Copy link
Copy Markdown
Contributor

🎯 What: Fixed a potential XSS vulnerability in the JSON-LD script block.
⚠️ Risk: Attackers could inject malicious scripts by terminating the JSON-LD script block using </script> if any field in the JSON-LD was user-controlled or contained malicious content.
🛡️ Solution: Implemented a safeJsonLdStringify utility that replaces < with its JSON escape sequence \u003c. This ensures that even if the JSON contains </script>, it is rendered as \u003c/script>, which is ignored by the HTML parser as a tag terminator but correctly parsed as part of the JSON data.


PR created automatically by Jules for task 18188873139106152267 started by @amrabed

@google-labs-jules

Copy link
Copy Markdown
Contributor Author

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@vercel

vercel Bot commented Jun 27, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
typescript Ready Ready Preview, Comment Jun 30, 2026 10:35am

@amrabed amrabed marked this pull request as ready for review June 28, 2026 12:50
@amrabed amrabed self-requested a review as a code owner June 28, 2026 12:50
amrabed
amrabed previously approved these changes Jun 28, 2026
Implement safeJsonLdStringify utility to escape '<' as '\\u003c' in JSON-LD script tags, preventing script tag termination attacks. Apply this utility to the JSON-LD block in the landing page.
@amrabed amrabed force-pushed the fix/json-ld-xss-vulnerability-18188873139106152267 branch from ef887f8 to d54cf79 Compare June 30, 2026 10:34
@amrabed amrabed merged commit e0b397d into main Jun 30, 2026
3 checks passed
@amrabed amrabed deleted the fix/json-ld-xss-vulnerability-18188873139106152267 branch June 30, 2026 10:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant