asf-tooling opened a new issue, #1107: URL: https://github.com/apache/tooling-trusted-releases/issues/1107
**ASVS Level(s):** L1

**Description:**

### Summary

The filter function in `projects-directory.js` reads `.innerHTML` instead of `.textContent` to extract the project name for filtering. Since `.card-title` contains an `<a>` tag, this causes the filter to match against HTML attributes (href, class) rather than just the visible project name. This is a functional bug rather than a direct XSS risk since it's a read operation, but demonstrates incorrect API usage.

### Details

The issue exists in `atr/static/js/src/projects-directory.js` line 26. The code reads innerHTML when it should read textContent for filtering purposes.

### Recommended Remediation

Replace the innerHTML read with textContent:

```javascript
// In atr/static/js/src/projects-directory.js, line 26
// Change:
// const name = nameElement.innerHTML;
// To:
const name = nameElement.textContent;
```

This correctly reads only visible text, as done in `committee-directory.js`.

### Acceptance Criteria

- [ ] innerHTML replaced with textContent
- [ ] Unit tests verify filter matches only visible text
- [ ] Unit tests verify filter does not match HTML attributes
- [ ] Manual testing confirms filter behavior is correct
- [ ] Code review confirms consistent API usage across JavaScript files

### References

- Source reports: L1:3.2.2.md
- Related findings: None
- ASVS sections: 3.2.2
- CWE: CWE-79

### Priority

Low

---

This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
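As an added illustration of the filter behaviour the issue describes (not code from the tooling-trusted-releases project), the script below compares the buggy `innerHTML` read with the `textContent` read over constructed `.card-title` stand-ins. The element objects, the helper names and the sample project names are assumptions, not taken from the project.

```javascript
// Constructed stand-in for a `.card-title` element whose only child is an <a>.
// In the browser both properties come from the DOM node; here textContent is
// derived by stripping tags from the markup (adequate for this plain markup).
function makeCardTitle(href, projectName) {
  const innerHTML = `<a class="card-link" href="${href}">${projectName}</a>`;
  const textContent = innerHTML.replace(/<[^>]*>/g, "");
  return { innerHTML, textContent };
}

// Constructed sample directory; names and paths are illustrative only.
const sampleCards = [
  makeCardTitle("/projects/httpd", "Apache HTTP Server"),
  makeCardTitle("/projects/tooling", "Apache Tooling"),
  makeCardTitle("/projects/kafka", "Apache Kafka"),
];

// Case-insensitive substring match, the usual shape of a directory filter.
function matches(haystack, query) {
  return haystack.toLowerCase().includes(query.trim().toLowerCase());
}

// Buggy read (the state the issue reports): the query is compared against the
// serialised markup, so attribute names and values take part in the match.
function filterByInnerHTML(cards, query) {
  return cards
    .filter((card) => matches(card.innerHTML, query))
    .map((card) => card.textContent);
}

// Fixed read (the recommended remediation): only the visible text is compared.
function filterByTextContent(cards, query) {
  return cards
    .filter((card) => matches(card.textContent, query))
    .map((card) => card.textContent);
}

// Both variants agree on a genuine project-name query ...
console.log(filterByTextContent(sampleCards, "kafka")); // [ 'Apache Kafka' ]
// ... but the buggy variant "finds" every card for tokens that only exist in markup.
console.log(filterByInnerHTML(sampleCards, "card-link").length); // 3
console.log(filterByTextContent(sampleCards, "card-link").length); // 0
```

The two `card-link` results are exactly what the "filter does not match HTML attributes" acceptance criterion would assert on.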
