Skip to content

Fix XSS vulnerability in PATH environment variable rendering #432

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bart-vmware merged 3 commits into from
Dec 17, 2025
Merged

Fix XSS vulnerability in PATH environment variable rendering #432

bart-vmware merged 3 commits into from
Dec 17, 2025

Conversation

Copy link

Copilot AI commented Dec 17, 2025
edited
Loading

Addressed XSS vulnerability where Html.Raw() was rendering user-controllable environment variable data without encoding.

Changes

  • Encode before replace: Wrapped PATH environment variable with Html.Encode() before delimiter replacement in PlaceholderValues.cshtml
// Before
@Html.Raw(Model.ResolvedFromPathEnvironmentVariable?.Replace(";", "<br/>"))

// After  
@Html.Raw(Html.Encode(Model.ResolvedFromPathEnvironmentVariable).Replace(";", "<br/>"))

This ensures HTML entities are escaped before rendering while preserving intended <br/> line breaks. The null-conditional operator (?.) is not needed since Html.Encode() handles null values by returning an empty string.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI mentioned this pull request Dec 17, 2025
Open
Copy link
Author

Copilot AI commented Dec 17, 2025

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • 2wrvsblobprodwus2180.blob.core.windows.net
    • Triggering command: /usr/bin/dotnet dotnet build (dns block)
  • 84hvsblobprodwus2148.blob.core.windows.net
    • Triggering command: /usr/bin/dotnet dotnet build (dns block)
  • 8yfvsblobprodwus2171.blob.core.windows.net
    • Triggering command: /usr/bin/dotnet dotnet build (dns block)
  • b5svsblobprodwus2116.blob.core.windows.net
    • Triggering command: /usr/bin/dotnet dotnet build (dns block)
  • hd3vsblobprodwus2117.blob.core.windows.net
    • Triggering command: /usr/bin/dotnet dotnet build (dns block)
  • n6wvsblobprodwus2123.blob.core.windows.net
    • Triggering command: /usr/bin/dotnet dotnet build (dns block)
  • vm9vsblobprodwus2190.blob.core.windows.net
    • Triggering command: /usr/bin/dotnet dotnet build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title [WIP] Address feedback on updating samples to dotnet 10 Fix XSS vulnerability in PATH environment variable rendering Dec 17, 2025
Copilot AI requested a review from bart-vmware December 17, 2025 12:21
bart-vmware
bart-vmware requested changes Dec 17, 2025
View reviewed changes
Copy link
Member

@bart-vmware bart-vmware left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please take these suggestions. The ?. is no longer needed.

Copy link
Author

Copilot AI commented Dec 17, 2025

Please take these suggestions. The ?. is no longer needed.

Applied in commit 74f31e7. Removed the unnecessary ?. operator from both lines since Html.Encode() handles null values by returning an empty string.

Copilot AI requested a review from bart-vmware December 17, 2025 12:28
@bart-vmware bart-vmware marked this pull request as ready for review December 17, 2025 12:55
@bart-vmware bart-vmware merged commit eae1246 into update-samples-to-dotnet-10 Dec 17, 2025
5 checks passed
@bart-vmware bart-vmware deleted the copilot/sub-pr-431 branch December 17, 2025 12:55
bart-vmware added a commit that referenced this pull request Dec 18, 2025
@bart-vmware
Fix XSS vulnerability in PATH environment variable rendering (#432)
1584783 
* Initial plan

* Fix XSS vulnerability by HTML-encoding before replacing delimiters

Co-authored-by: bart-vmware <[email protected]>

* Remove unnecessary null-conditional operator after Html.Encode

Co-authored-by: bart-vmware <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: bart-vmware <[email protected]>
bart-vmware added a commit that referenced this pull request Dec 19, 2025
@bart-vmware
Fix XSS vulnerability in PATH environment variable rendering (#432)
c825384 
* Initial plan

* Fix XSS vulnerability by HTML-encoding before replacing delimiters

Co-authored-by: bart-vmware <[email protected]>

* Remove unnecessary null-conditional operator after Html.Encode

Co-authored-by: bart-vmware <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: bart-vmware <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@bart-vmware bart-vmware bart-vmware approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@bart-vmware bart-vmware

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bart-vmware