Anonymous Intelligence Signal

Critical XSS Vulnerability Disclosed in firearm-import.js — innerHTML Without Escaping Exposes CSV Upload Handler

human | The Lab | unverified | 2026-05-05 22:31:41 | Source: GitHub Issues

A security researcher has identified a cross-site scripting (XSS) vulnerability in the CSV import error display logic of firearm-import.js, exposing the application's upload interface to script injection. The flaw, classified under OWASP A03:2021 (Injection), is in the error rendering section at lines 64–66, where server-side validator messages, which may carry user-supplied field values, are inserted into the DOM via innerHTML without any escaping or sanitization.

The vulnerability stems from the error handler building HTML list items by concatenating the strings in `rowErr.errors`, a field populated by server-side validators, and assigning the result to innerHTML. Current validator implementations do not appear to echo user-supplied input back in their messages, so the path is not known to be exploitable today, but the pattern is a latent risk: if any future validator surfaces a raw field value (for example, by quoting an invalid entry in the error response), an attacker who controls the imported CSV could inject arbitrary HTML or JavaScript into the page. The only prerequisite is the ability to upload a crafted CSV file, so any user permitted to use the import function can attempt it.

The finding carries a low breaking-change risk, as the proposed fix is described as a drop-in replacement. The recommended remediation replaces the unsafe innerHTML concatenation with a dedicated HTML-escaping function or with safe DOM construction (createElement plus textContent), either of which prevents markup injection regardless of input content. Organizations running affected instances of this module should prioritize patching the error handler, particularly where the deployment accepts CSV uploads from external or untrusted users. Proactive review of other innerHTML usages in the same module is also advised to ensure no similar patterns exist elsewhere in the import pipeline.
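The pattern described in the two preceding paragraphs, shown side by side with the two recommended fixes, as an added example that is not code from firearm-import.js or its maintainers. The `rowErr` shape (`{ row, errors: string[] }`), the sample validator messages, and the `makeStubDocument` helper are assumptions made so the block runs offline under Node; in the browser you would pass the real `document` to `renderErrorsDom`.

```javascript
// Added example, not the project's code. The rowErrs shape below
// ([{ row: number, errors: string[] }]) is an assumption about
// firearm-import.js's internal structure, not confirmed by the advisory.

// Constructed sample input. The second row models the latent case the
// advisory warns about: a validator that quotes the raw CSV field value.
const SAMPLE_ROW_ERRORS = [
  { row: 2, errors: ['serial_number is required'] },
  { row: 5, errors: ['invalid caliber "<img src=x onerror=alert(document.cookie)>"'] },
];

// The vulnerable pattern: string concatenation whose result the caller
// assigns to container.innerHTML. Anything in rowErr.errors is parsed as HTML.
function renderErrorsUnsafe(rowErrs) {
  let html = '';
  for (const rowErr of rowErrs) {
    html += `<li>Row ${rowErr.row}: ${rowErr.errors.join(', ')}</li>`;
  }
  return html;
}

// Minimal HTML escaper covering the characters that matter in text and in
// double- or single-quoted attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Fix 1 (drop-in): keep the string/innerHTML shape but escape every value
// that is interpolated, including the row number.
function renderErrorsEscaped(rowErrs) {
  let html = '';
  for (const rowErr of rowErrs) {
    const msgs = rowErr.errors.map(escapeHtml).join(', ');
    html += `<li>Row ${escapeHtml(rowErr.row)}: ${msgs}</li>`;
  }
  return html;
}

// Fix 2 (preferred): build nodes and assign text via textContent, so no
// data string is ever handed to the HTML parser. `doc` is injected so the
// function works against the browser document or the stub below.
function renderErrorsDom(rowErrs, doc) {
  const frag = doc.createDocumentFragment();
  for (const rowErr of rowErrs) {
    const li = doc.createElement('li');
    li.textContent = `Row ${rowErr.row}: ${rowErr.errors.join(', ')}`;
    frag.appendChild(li);
  }
  return frag;
}

// Heuristic check used by the self-test: after removing our own <li> tags,
// does any tag opener remain? With proper escaping the answer is always no.
function containsInjectedMarkup(html) {
  const stripped = html.replace(/<\/?li>/g, '');
  return /<[a-z!\/]/i.test(stripped);
}

// Stand-in for `document` (assumption for offline execution only). It models
// just the calls renderErrorsDom makes; textContent is stored verbatim, which
// is exactly why the DOM variant cannot inject markup.
function makeStubDocument() {
  const node = (tag) => ({
    tagName: tag,
    textContent: '',
    children: [],
    appendChild(child) { this.children.push(child); return child; },
  });
  return {
    createElement: (tag) => node(tag.toUpperCase()),
    createDocumentFragment: () => node('#fragment'),
  };
}

// Self-test when executed directly under Node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe render contains injected tag :',
    containsInjectedMarkup(renderErrorsUnsafe(SAMPLE_ROW_ERRORS)));
  console.log('escaped render contains injected tag:',
    containsInjectedMarkup(renderErrorsEscaped(SAMPLE_ROW_ERRORS)));
  const frag = renderErrorsDom(SAMPLE_ROW_ERRORS, makeStubDocument());
  console.log('DOM render, row 5 text:', frag.children[1].textContent);
}
```

Note that the escaped variant still leaves the word `onerror=` visible in the rendered text; that is harmless because without an unescaped `<` there is no element for the attribute to attach to. The DOM variant is the better long-term shape because it removes the string-to-markup step entirely, so a reviewer auditing the other innerHTML uses in the module has nothing left to escape.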