🛡️ Sentinel: [HIGH] Fix Stored XSS in Devices, Users and RMCs dashboards #21

Open

richkmeli wants to merge 1 commit into master from fix-stored-xss-dashboards-7179854288409035912

Conversation

@richkmeli
Owner

The application was vulnerable to Stored XSS on major dashboard pages (Devices, Users, RMCs) because it used .innerHTML to inject unsanitized data from the server into the DOM. This was particularly dangerous in a Command and Control (C2) context where data might come from untrusted infected hosts.

I refactored the following files:

  • src/main/resources/static/js/rms/devices.js
  • src/main/resources/static/js/rms/users.js
  • src/main/resources/static/js/rms/rmcs.js

The refactoring involved:

  1. Using jQuery to build DOM elements.
  2. Setting all dynamic content using .text() to ensure automatic escaping.
  3. Replacing dangerous inline onclick attributes with jQuery's .click() event handlers, avoiding JS string literal injection.
  4. Introducing a global escapeHTML helper in account.js (loaded by all pages) for cases where manual escaping is still required (e.g., when building HTML strings for popovers).
  5. Safely building popover HTML content by using jQuery to create elements and .text() for the data, then extracting the safe HTML.

These changes significantly improve the security of the RMS dashboard without introducing any functional regressions.


PR created automatically by Jules for task 7179854288409035912 started by @richkmeli

Refactored the dynamic table construction in Devices, Users, and RMCs dashboards to use safe jQuery methods.
- Replaced `.innerHTML` usage with jQuery element creation and `.text()` for all user-controllable data.
- Replaced inline string-based `onclick` attributes with jQuery event handlers.
- Added a global `escapeHTML` utility in `account.js` for manual sanitization where needed.
- Safely constructed popover content using jQuery and `.text()`.

This fix mitigates a critical Stored XSS vulnerability where malicious data from infected hosts or other users could execute scripts in the context of the RMS dashboard.

Co-authored-by: richkmeli <7313162+richkmeli@users.noreply.github.com>
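To make the two patterns from the description above concrete, here is an added example that is not code from this pull request or from the RMS project. It contrasts the removed pattern (server data concatenated straight into markup and into an inline `onclick` string literal) with the escaped pattern the fix adopts. The `escapeHTML` implementation, the `renderDeviceRow*` functions, `containsRawMarkup` and the `hostileDevice` record are all constructed for this illustration; the project's own `escapeHTML` in `account.js` may differ, and in the real dashboards the safe path uses jQuery `.text()` and `.click()` rather than string building.

```javascript
// Added example (not the project's code): the unsafe innerHTML-style string
// building the PR describes next to an escaped equivalent. All names below
// are constructed for this illustration.

// Minimal HTML escaper in the spirit of the escapeHTML helper the PR adds to
// account.js. This implementation is an assumption, not the project's.
function escapeHTML(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The pattern the PR removed: data from the server is concatenated directly
// into markup and into an inline onclick string literal. Anything in `name`
// becomes markup, and a quote in `id` terminates the JS string literal.
function renderDeviceRowUnsafe(device) {
  return '<tr>' +
    '<td>' + device.name + '</td>' +
    '<td><button onclick="selectDevice(\'' + device.id + '\')">Select</button></td>' +
    '</tr>';
}

// The replacement pattern: every dynamic value is escaped as text, and the
// action is wired through a data attribute that a delegated event handler
// reads, so no JavaScript source is assembled from data at all.
function renderDeviceRowSafe(device) {
  return '<tr>' +
    '<td>' + escapeHTML(device.name) + '</td>' +
    '<td><button class="select-device" data-device-id="' +
      escapeHTML(device.id) + '">Select</button></td>' +
    '</tr>';
}

// Constructed sample record of the kind an untrusted host could report.
const hostileDevice = {
  id: "') ;alert(1);//",
  name: '<img src=x onerror=alert(1)>',
};

// Detection check: does rendered markup still carry a raw injected tag or
// an inline onclick attribute? Either is a marker of the vulnerable pattern.
function containsRawMarkup(html) {
  return /<img|onclick=/i.test(html);
}

console.log('unsafe:', renderDeviceRowUnsafe(hostileDevice));
console.log('safe:  ', renderDeviceRowSafe(hostileDevice));
```

The safe variant pairs with a single delegated handler, in jQuery something like `$(document).on('click', '.select-device', function () { selectDevice($(this).data('deviceId')); })`, so the device id travels as attribute data rather than as part of a script string. The `containsRawMarkup` check is also a cheap regression test to run over rendered rows in CI: it should be true for the old rendering of the hostile record and false for the new one.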
@google-labs-jules
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.
