Skip to content

Fix stored XSS in PageHead via HtmlSanitizer allowlist#2408

Draft
Copilot wants to merge 2 commits intodevfrom
copilot/fix-reflected-xss-vulnerability
Draft

Fix stored XSS in PageHead via HtmlSanitizer allowlist#2408
Copilot wants to merge 2 commits intodevfrom
copilot/fix-reflected-xss-vulnerability

Conversation

Copy link
Copy Markdown

Copilot AI commented Mar 30, 2026
edited
Loading

The page Head settings field was rendered verbatim as a MarkupString, allowing any admin to store arbitrary <script> tags that execute for all page visitors. The GoogleTagsId setting had the same issue — injected directly into generated <script> tags without validation.

Changes

  • HtmlSanitizer (Ganss.Xss 9.0.892) added to FluentCMS.Web.UI
  • Allowlist sanitizer configured in PageHead.razor.cs permitting only safe head-section elements (<meta>, <link>, <style>, <noscript>) and their expected attributes; applied before rendering Head content as MarkupString: 
    // Before
@((MarkupString)GetSetting("Head"))

// After
@((MarkupString)SanitizeHeadContent(GetSetting("Head")))
  • GoogleTagsId validation — strict ^[A-Za-z0-9\-]+$ regex check before embedding the value in generated script tags; returns empty string on mismatch

Copilot AI linked an issue Mar 30, 2026 that may be closed by this pull request
Reflected XSS vulnerability in FluentCMS #2403
Open
@pournasserian pournasserian requested a review from Copilot March 30, 2026 13:45
Copilot AI reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@pournasserian
Fix stored XSS vulnerability in PageHead component via HtmlSanitizer …
c68405c 
…allowlist

Agent-Logs-Url: https://github.com/fluentcms/FluentCMS/sessions/1651a529-c67c-468a-bb04-c0561e9d436c

Co-authored-by: pournasserian <24959477+pournasserian@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix reflected XSS vulnerability in FluentCMS admin page Fix stored XSS in PageHead via HtmlSanitizer allowlist Mar 30, 2026
Copilot AI requested a review from pournasserian March 30, 2026 13:55
@pournasserian pournasserian added the bug Something isn't working label Mar 30, 2026
@pournasserian pournasserian added this to the MVP milestone Mar 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pournasserian pournasserian Awaiting requested review from pournasserian

@TheHadiAhmadi TheHadiAhmadi Awaiting requested review from TheHadiAhmadi

At least 1 approving review is required to merge this pull request.

Assignees

@pournasserian pournasserian

Copilot code review Copilot

Labels

bug Something isn't working

Projects

None yet

Milestone

MVP

Development

Successfully merging this pull request may close these issues.

Reflected XSS vulnerability in FluentCMS

3 participants

@pournasserian