
Security: Prevent MOTDs from being able to inject HTML - CVE-2025-14701

What does this MR do and why?

Replaces multiple unsafe .innerHTML calls in server MOTD parsing components and ensures non-styled text is only ever called with .innerText.

This now parses the literal text of potential HTML injection from MOTDs instead of parsing them as HTML tags.

Resolves: #647 and CVE-2025-14701

How to set up and validate locally

  1. Pull branch
  2. Create a server with an MOTD of xsstesting_<img src='nothere.jpg' onerror='console.log("successful XSS!");'/>
  3. Note the absence of successful XSS! in the browser console.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

  • Have you checked this doesn't interfere/conflict/duplicate someone else's work?
  • Have you fully tested your changes?
  • Have you resolved any lint issues?
  • Have you assigned a reviewer?
  • Have you applied correct labels?
Edited by Scott
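Added example, not code from this MR or the project: a minimal MOTD renderer showing the bug class the MR fixes (server-supplied text assigned through .innerHTML) next to the hardened form (elements created by the client, server text assigned only through .innerText/.textContent). It assumes Minecraft-style "§x" colour codes for the styled part of the MOTD (an assumption; the MR does not name the MOTD format) and ships a small DOM stand-in so it runs under Node. The payload is the MR's own validation string with a colour code prefixed.

```javascript
// Added example, not the MR's code. Assumes "§x" colour codes (Minecraft-style);
// the MR does not say which MOTD format the client parses.

// Constructed MOTD, modelled on the MR's validation payload.
const MOTD_PAYLOAD =
  "§aWelcome! §fxsstesting_<img src='nothere.jpg' onerror='console.log(\"successful XSS!\");'/>";

// Split an MOTD into styled runs on "§x" codes (assumed format). "§r" resets the
// colour. Anything that is not a recognised code stays literal text.
function parseMotd(motd) {
  const runs = [];
  let color = null;
  let text = '';
  for (let i = 0; i < motd.length; i++) {
    if (motd[i] === '\u00a7' && i + 1 < motd.length && /[0-9a-fr]/i.test(motd[i + 1])) {
      if (text) runs.push({ color, text });
      text = '';
      const code = motd[i + 1].toLowerCase();
      color = code === 'r' ? null : code;
      i++; // skip the code character
    } else {
      text += motd[i];
    }
  }
  if (text) runs.push({ color, text });
  return runs;
}

// Minimal DOM stand-in so the example runs outside a browser. innerText/textContent
// and appendChild behave like the real DOM; innerHTML is a deliberately naive parser
// that turns every "<tag attrs>" into a child element, which is exactly the behaviour
// that makes server-controlled markup dangerous.
function makeFakeDocument() {
  function createElement(tagName) {
    const el = { tagName: tagName.toLowerCase(), className: '', attrs: {}, children: [], _text: '' };
    for (const name of ['innerText', 'textContent']) {
      Object.defineProperty(el, name, {
        get() { return el._text + el.children.map((c) => c.textContent).join(''); },
        set(value) { el.children = []; el._text = String(value); },
      });
    }
    Object.defineProperty(el, 'innerHTML', {
      set(html) {
        el.children = [];
        el._text = '';
        const tagRe = /<([a-zA-Z][\w-]*)([^>]*)>/g;
        const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
        let last = 0;
        let m;
        while ((m = tagRe.exec(html)) !== null) {
          el._text += html.slice(last, m.index);
          const child = createElement(m[1]);
          let a;
          attrRe.lastIndex = 0;
          while ((a = attrRe.exec(m[2])) !== null) child.attrs[a[1].toLowerCase()] = a[2] ?? a[3];
          el.children.push(child);
          last = tagRe.lastIndex;
        }
        el._text += html.slice(last);
      },
    });
    el.appendChild = (child) => { el.children.push(child); return child; };
    return el;
  }
  return { createElement };
}

// Vulnerable pattern (the "before" of the MR): each run's text goes through
// innerHTML, so an "<img onerror=...>" inside the MOTD becomes a live element.
function renderMotdUnsafe(doc, motd) {
  const container = doc.createElement('div');
  for (const run of parseMotd(motd)) {
    const span = doc.createElement('span');
    span.className = run.color ? `mc-color-${run.color}` : '';
    span.innerHTML = run.text;
    container.appendChild(span);
  }
  return container;
}

// Hardened pattern (what the MR moves to): styling comes from elements the client
// creates itself; server text is only ever assigned via innerText, so the markup
// stays literal text. textContent gives the same protection.
function renderMotdSafe(doc, motd) {
  const container = doc.createElement('div');
  for (const run of parseMotd(motd)) {
    const span = doc.createElement('span');
    span.className = run.color ? `mc-color-${run.color}` : '';
    span.innerText = run.text;
    container.appendChild(span);
  }
  return container;
}

// Walk the rendered tree and collect elements with the given tag name.
function findElements(root, tagName) {
  const found = [];
  const walk = (el) => {
    if (el.tagName === tagName) found.push(el);
    el.children.forEach(walk);
  };
  walk(root);
  return found;
}

// Stand-alone demonstration.
const doc = makeFakeDocument();
const unsafeImgs = findElements(renderMotdUnsafe(doc, MOTD_PAYLOAD), 'img');
const safeImgs = findElements(renderMotdSafe(doc, MOTD_PAYLOAD), 'img');
console.log(`innerHTML: ${unsafeImgs.length} <img> element(s), onerror=${JSON.stringify(unsafeImgs[0]?.attrs.onerror)}`);
console.log(`innerText: ${safeImgs.length} <img> element(s); literal "<img" kept as text:`,
  renderMotdSafe(doc, MOTD_PAYLOAD).innerText.includes('<img'));
```

The check mirrors step 3 of the validation procedure: with innerHTML the payload yields an img element carrying an onerror attribute (a real browser would fire it), while the innerText version yields only spans whose text still contains the literal `<img ...>`.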
