SEC-012: Critical XSS Vulnerability in Dashboard via Unescaped Single Quotes in Inline Handlers
A critical cross-site scripting (XSS) vulnerability has been identified in the platform's dashboard, exposing users to session hijacking and data theft. The flaw resides in multiple inline `onclick` handlers whose interpolated values are never escaped for the JavaScript string literal they land in: a single quote in user-controlled data ends the literal early and lets an attacker inject and execute arbitrary JavaScript. This P0-priority security defect was discovered during a specification-versus-implementation audit of a related user experience feature, and it points to a systemic gap in the codebase's output-encoding logic rather than a one-off mistake.
The vulnerability is present in three key JavaScript files powering the dashboard interface: `prompt_analytics.js`, `task_overview.js`, and `task_timeline.js`. The root cause is the `esc()` function, which escapes `<`, `>`, `&`, and the double quote as HTML entities but omits the single quote (`'`). The affected templates interpolate its output into a JavaScript string literal that itself sits inside an HTML attribute, in the pattern `onclick="copyToClipboard('${esc(value)}')"`, so user-controlled input such as a task subject or commit message containing a single quote terminates the string literal and the rest of the value is parsed as code. A proof-of-concept payload like `x');alert(document.cookie);//` turns the handler into `copyToClipboard('x');alert(document.cookie);//')`, which executes `alert` with the session cookie on every click of the affected control, demonstrating the severity of the flaw.
This vulnerability directly impacts the security of user sessions and the sensitive data displayed on the analytics and task management dashboards. Two fixes are recommended. The minimal one is to extend `esc()` so that it also escapes the single quote, by adding `.replace(/'/g, "&#39;")`. That change closes the hole for values rendered into HTML text or ordinary attributes, but it is not sufficient on its own for the `onclick` pattern above: the browser entity-decodes an event handler attribute before handing its value to the JavaScript parser, so `&#39;` reaches the string literal as a plain `'` and the breakout still works. A value interpolated into a JavaScript string inside an attribute has to be escaped for the JavaScript string context first (backslash, both quote characters, and line terminators, for example as `\uXXXX` sequences) and HTML-escaped second. The more robust fix, and the recommended one, is to refactor the code to carry the value in a `data-*` attribute and dispatch clicks through event delegation, which removes the JavaScript context and the inline handlers altogether and leaves only ordinary HTML attribute escaping to get right. The discovery underscores the persistent risk of XSS in dynamic web applications and the need for escaping routines that are chosen per output context rather than applied once for all of them.
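The following is an added example, not code from the advisory or from the dashboard project, that models how a browser turns an inline `onclick` attribute into executable JavaScript and runs the advisory's payload through three escaping strategies plus the `data-*` refactor. The escaper names (`escVulnerable`, `escHtml`, `escJsString`, `escForInlineHandler`), the attribute decoder, and the instrumented stubs for `copyToClipboard`, `alert`, and `document` are this example's own assumptions; the sample cookie value is constructed. It runs stand-alone under Node.

```javascript
// Added example (not the project's esc() or templates). Shows why entity-escaping
// the single quote does not fix an inline handler, and what does.

// 1. esc() as the advisory describes it: HTML-escapes <, >, &, " but not '.
function escVulnerable(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// 2. The quick fix: additionally entity-encode the single quote.
function escHtml(value) {
  return escVulnerable(value).replace(/'/g, "&#39;");
}

// 3. Escape for a JavaScript string literal: every character that could end
//    the literal or confuse the HTML parser becomes a \uXXXX escape, which
//    contains nothing the attribute entity decoder will touch.
function escJsString(value) {
  return String(value).replace(/[\\'"\n\r\u2028\u2029<>&]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Correct layering for a string literal inside an inline handler:
// innermost context (JS string) first, outermost (HTML attribute) last.
function escForInlineHandler(value) {
  return escHtml(escJsString(value));
}

// Builds the onclick attribute value exactly as the vulnerable template does.
function renderOnclick(esc, value) {
  return `copyToClipboard('${esc(value)}')`;
}

// Minimal model of the browser's attribute entity decoding (assumption: only
// the entities emitted above; a real browser decodes the full table).
// &amp; is decoded last so that "&amp;lt;" becomes "&lt;", not "<".
function decodeAttr(attr) {
  return attr
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Executes the decoded handler source, as the browser would on click, with
// instrumented stand-ins for the globals the payload touches.
function runInlineHandler(attr) {
  const calls = { copied: [], alerts: [] };
  const handler = new Function("copyToClipboard", "alert", "document", decodeAttr(attr));
  handler(
    (text) => calls.copied.push(text),
    (msg) => calls.alerts.push(msg),
    { cookie: "session=constructed-sample-cookie" } // constructed value
  );
  return calls;
}

// Render with a given escaper, "click" it, and report what ran.
function simulateClick(esc, value) {
  return runInlineHandler(renderOnclick(esc, value));
}

// 4. The robust fix: no JavaScript context at all. The value lives in a
//    data-* attribute, a plain HTML attribute for which escHtml is sufficient,
//    and one delegated listener reads it back through the DOM.
function renderCopyButton(value) {
  return `<button type="button" data-copy="${escHtml(value)}">Copy</button>`;
}

// In a page: document.addEventListener("click", (e) => onCopyClick(e, copyToClipboard)).
// Only event.target.closest() is used, so a stand-in event object works offline.
function onCopyClick(event, copyToClipboard) {
  const button = event.target.closest("[data-copy]");
  if (!button) return null;
  return copyToClipboard(button.dataset.copy);
}

const PAYLOAD = "x');alert(document.cookie);//"; // the advisory's PoC payload

if (typeof require !== "undefined" && require.main === module) {
  const escapers = [["escVulnerable", escVulnerable], ["escHtml", escHtml], ["escForInlineHandler", escForInlineHandler]];
  for (const [name, esc] of escapers) {
    const r = simulateClick(esc, PAYLOAD);
    console.log(`${name}: alerts fired=${r.alerts.length} copied=${JSON.stringify(r.copied)}`);
  }
  console.log(renderCopyButton(PAYLOAD));
}
```

Running it shows `alert` firing for both `escVulnerable` and `escHtml`, since the attribute decoder hands the JavaScript parser the same source either way, and only `escForInlineHandler` delivers the payload to `copyToClipboard` as inert text. The `data-*` rendering never reaches a JavaScript parser at all, which is why it needs nothing beyond `escHtml`.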