Fix security vulnerabilities

2025-12-21 15:31:12 -05:00 · 2025-10-04 01:11:43 +00:00
parent b221c75d4a
commit 756d6a5300
5 changed files with 366 additions and 16 deletions
--- a/src/components/moderation/ModerationQueue.tsx
+++ b/src/components/moderation/ModerationQueue.tsx
@@ -1202,20 +1202,29 @@ export const ModerationQueue = forwardRef<ModerationQueueRef>((props, ref) => {
                                src={photo.url}
                                alt={`Photo ${index + 1}: ${photo.filename}`}
                                className="w-full max-h-64 object-contain rounded hover:opacity-80 transition-opacity"
-                                onError={(e) => {
-                                  console.error('Failed to load photo submission:', photo);
-                                  const target = e.target as HTMLImageElement;
-                                  target.style.display = 'none';
-                                  const parent = target.parentElement;
-                                  if (parent) {
-                                    parent.innerHTML = `
-                                      <div class="absolute inset-0 flex flex-col items-center justify-center text-destructive text-xs">
-                                        <div>⚠️ Image failed to load</div>
-                                        <div class="mt-1 font-mono text-xs break-all px-2">${photo.url}</div>
-                                      </div>
-                                    `;
-                                  }
-                                }}
+                onError={(e) => {
+                  console.error('Failed to load photo submission:', photo);
+                  const target = e.target as HTMLImageElement;
+                  target.style.display = 'none';
+                  const parent = target.parentElement;
+                  if (parent) {
+                    // Create elements safely using DOM API to prevent XSS
+                    const errorContainer = document.createElement('div');
+                    errorContainer.className = 'absolute inset-0 flex flex-col items-center justify-center text-destructive text-xs';
+                    
+                    const errorIcon = document.createElement('div');
+                    errorIcon.textContent = '⚠️ Image failed to load';
+                    
+                    const urlDisplay = document.createElement('div');
+                    urlDisplay.className = 'mt-1 font-mono text-xs break-all px-2';
+                    // Use textContent to prevent XSS - it escapes HTML automatically
+                    urlDisplay.textContent = photo.url;
+                    
+                    errorContainer.appendChild(errorIcon);
+                    errorContainer.appendChild(urlDisplay);
+                    parent.appendChild(errorContainer);
+                  }
+                }}
                              />
                              <div className="absolute inset-0 flex items-center justify-center bg-black/50 text-white opacity-0 hover:opacity-100 transition-opacity rounded">
                                <Eye className="w-5 h-5" />