From 3353b637c0a5f74e963f842cb9b20f673304a140 Mon Sep 17 00:00:00 2001 From: tomaioo Date: Tue, 14 Jul 2026 12:01:49 -0700 Subject: [PATCH 1/2] fix(js): cross-site scripting (xss) via innerhtml in iframe The `media_id` variable, derived from `this.data.url`, is directly assigned to `innerHTML` without sanitization. An attacker can supply a malicious URL in the storymap configuration JSON to inject arbitrary HTML and JavaScript, resulting in DOM-based XSS. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- src/js/media/types/IFrame.js | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/js/media/types/IFrame.js b/src/js/media/types/IFrame.js index ebb1e714..0a23144e 100644 --- a/src/js/media/types/IFrame.js +++ b/src/js/media/types/IFrame.js @@ -22,10 +22,16 @@ export default class IFrame extends Media { this.media_id = this.data.url; // API URL - let iframe = this.media_id; + let iframe = document.createElement('iframe'); + iframe.src = this.media_id; + iframe.style.width = "100%"; + iframe.style.height = "100%"; + iframe.setAttribute('frameborder', '0'); + iframe.setAttribute('allowfullscreen', ''); + iframe.setAttribute('allow', 'autoplay; encrypted-media'); // API Call - this._el.content_item.innerHTML = iframe; + this._el.content_item.appendChild(iframe); // After Loaded this.onLoaded(); From d6fde01aef70e5ff0f05c59be1f05654f423dde2 Mon Sep 17 00:00:00 2001 From: tomaioo Date: Tue, 14 Jul 2026 12:01:50 -0700 Subject: [PATCH 2/2] fix(js): cross-site scripting (xss) via innerhtml in iframe The `media_id` variable, derived from `this.data.url`, is directly assigned to `innerHTML` without sanitization. An attacker can supply a malicious URL in the storymap configuration JSON to inject arbitrary HTML and JavaScript, resulting in DOM-based XSS. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- src/js/media/types/Blockquote.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/js/media/types/Blockquote.js b/src/js/media/types/Blockquote.js index 4ad799d9..146358a8 100644 --- a/src/js/media/types/Blockquote.js +++ b/src/js/media/types/Blockquote.js @@ -22,7 +22,7 @@ export default class Blockquote extends Media { this.media_id = this.data.url; // API Call - this._el.content_item.innerHTML = this.media_id; + this._el.content_item.textContent = this.media_id; // After Loaded this.onLoaded();