## XSS Vulnerability in Map Popup via innerHTML Exposes User Data to Script Injection
A critical cross-site scripting (XSS) vulnerability has been identified in a React component, where user-controlled data is injected directly into the DOM via `innerHTML`. The flaw, located in `SitterClusterMap.tsx` between lines 97 and 118, constructs popup content by interpolating unsanitized fields such as `sitter.name` and `sitter.avatar_url` into an HTML string. This gives a malicious actor, for example a sitter registering with a crafted name containing script tags, a direct vector to execute arbitrary JavaScript in the context of the application, potentially leading to session hijacking, data theft, or further compromise.

The vulnerability stems from a common but dangerous pattern: building markup by string interpolation and assigning it to `innerHTML` instead of using safe DOM APIs or proper escaping. The provided fix demonstrates a simple `escapeHtml` utility that uses `textContent` to neutralize HTML tags, and alternatively recommends rebuilding the popup with `document.createElement` and `appendChild` so that user data is never parsed as markup. This is a fundamental security failure in input sanitization for a frontend feature that renders user-generated content.
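As an added illustration (not code from the issue or the project), here is the vulnerable interpolation pattern beside an escaped version and a DOM-built version. The `sitter` field names follow the text; the popup markup, the `safeImageUrl` check, the placeholder path and the `doc` parameter are assumptions, and `escapeHtml` is written as a string replacement (rather than the `textContent` trick) so it also runs outside a browser.

```javascript
// Equivalent of an escapeHtml utility, as a pure string replacement. The DOM-based
// variant assigns textContent and reads back innerHTML; this covers the same five
// characters that matter in text and double/single-quoted attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Escaping alone does not constrain the URL scheme. Assumption: only absolute http(s)
// image URLs are valid; anything else (javascript:, data:, relative) gets a placeholder.
function safeImageUrl(url) {
  try {
    const u = new URL(String(url));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : '/placeholder.png';
  } catch {
    return '/placeholder.png';
  }
}

// Vulnerable pattern: user-controlled fields interpolated straight into innerHTML markup.
function buildPopupUnsafe(sitter) {
  return `<div class="popup"><img src="${sitter.avatar_url}"><strong>${sitter.name}</strong></div>`;
}

// Hardened string version: every interpolated value is escaped and the URL is scheme-checked.
function buildPopupSafe(sitter) {
  return `<div class="popup"><img src="${escapeHtml(safeImageUrl(sitter.avatar_url))}" alt="">` +
    `<strong>${escapeHtml(sitter.name)}</strong></div>`;
}

// Hardened DOM version (the fix's createElement/appendChild alternative): no markup is
// parsed at all. `doc` is passed in so the function can be exercised with any DOM implementation.
function buildPopupElement(doc, sitter) {
  const root = doc.createElement('div');
  root.className = 'popup';
  const img = doc.createElement('img');
  img.src = safeImageUrl(sitter.avatar_url);
  img.alt = '';
  const name = doc.createElement('strong');
  name.textContent = sitter.name; // assigned as text, never interpreted as HTML
  root.appendChild(img);
  root.appendChild(name);
  return root;
}

// Constructed sample registration: a name carrying markup and a non-http avatar URL.
const hostileSitter = { name: '<script>alert(1)</script>', avatar_url: 'javascript:alert(1)' };
```

Running `buildPopupUnsafe(hostileSitter)` yields markup containing a live `<script>` tag and a `javascript:` source, while both hardened builders emit the name as inert text and replace the URL with the placeholder.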

While the reported effort to patch is minimal (estimated at 30 minutes), the exposure window and risk are significant. Any application with similar patterns in its codebase is likely vulnerable. This issue underscores the persistent threat of XSS in modern web applications, especially when developers bypass React's built-in protections by directly manipulating `innerHTML`. It prompts immediate scrutiny of all data rendering paths and serves as a stark warning against trusting any user-supplied data without validation.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: XSS, Security Vulnerability, Web Development, Code Review, React
- **Credibility**: unverified
- **Published**: 2026-03-28 16:27:02
- **ID**: 39171
- **URL**: https://whisperx.ai/en/intel/39171