Description
What happened
A potential XSS (Cross-Site Scripting) vulnerability exists in the notifications display component. The `NotificationsList.jsx` component at line 46 uses React's `dangerouslySetInnerHTML` to render notification bodies as raw HTML without any client-side sanitization:
```jsx
<ListGroupItemText
  className="text-light"
  dangerouslySetInnerHTML={{ __html: notif?.body }}
/>
```

If notification content contains malicious scripts (e.g., `<script>alert('XSS')</script>` or `<img src="x" onerror="...">`), they would execute in the user's browser. This could allow attackers to steal session tokens, perform actions on behalf of users, or redirect to malicious sites.
Environment
- OS: macOS Darwin 25.1.0
- IntelOwl version: v6.4.0 (commit 5e814c6)
What did you expect to happen
Notification bodies should be sanitized before rendering to prevent any embedded scripts or malicious event handlers from executing. Only safe HTML tags (like `<b>`, `<i>`, `<a>`, `<p>`) should be allowed.
How to reproduce your issue
- Create a notification with a malicious body payload such as: `<script>alert('XSS')</script><img src="x" onerror="alert('XSS')">`
- View the notification in the frontend
- If unsanitized, the script will execute
Note: Reproduction depends on how notifications are created (via `certego_saas.apps.notifications`). If only system-generated, severity is lower; if user-controllable, severity is high.
Error messages and logs
No error messages - this is a silent security vulnerability. The malicious code executes without errors.
Severity: High (if user-controllable) / Medium (defense-in-depth)
OWASP Category: A7:2017 - Cross-Site Scripting (XSS)
File: `frontend/src/components/jobs/notification/NotificationsList.jsx:46`
Recommended Fix: Use DOMPurify to sanitize HTML before rendering:
```jsx
import DOMPurify from 'dompurify';
// ...
// DOMPurify.sanitize() returns a cleaned HTML string with scripts and
// event-handler attributes removed before React injects it into the DOM.
<ListGroupItemText
  className="text-light"
  dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(notif?.body) }}
/>
```
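As an added illustration (not code from IntelOwl or from this report), the allowlist policy the issue expects written out as a plain function: only `<b>`, `<i>`, `<a>` and `<p>` survive, `href` must be a plain http(s) URL, every event-handler attribute is dropped, and anything that is not an allowlisted tag is emitted as escaped text. `sanitizeNotificationBody` and `filterAttrs` are hypothetical names; in the real fix DOMPurify should do this work, with the same policy expressed through its `ALLOWED_TAGS` / `ALLOWED_ATTR` options.

```javascript
// Added illustration, not IntelOwl code: an allowlist sanitizer modelling the policy
// the issue asks for. In the real fix DOMPurify does this, e.g.
// DOMPurify.sanitize(body, { ALLOWED_TAGS: ["b", "i", "a", "p"], ALLOWED_ATTR: ["href"] }).
const ALLOWED_TAGS = new Set(["b", "i", "a", "p"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };   // no attributes at all on b, i, p
const SAFE_HREF = /^https?:\/\//i;                // blocks javascript:, data:, ...

const escapeText = (s) => s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
const escapeAttr = (s) => s.replace(/"/g, "&quot;").replace(/</g, "&lt;");

// Keep only allowlisted attributes of an allowlisted tag; drop event handlers,
// style, and any href that is not a plain http(s) URL.
function filterAttrs(tag, rawAttrs) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  const attrRe = /([a-zA-Z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let kept = "";
  for (const m of rawAttrs.matchAll(attrRe)) {
    const name = m[1].toLowerCase();
    const value = (m[2] ?? m[3] ?? m[4] ?? "").trim();
    if (!allowed.has(name)) continue;                        // onerror, onclick, style ...
    if (name === "href" && !SAFE_HREF.test(value)) continue; // javascript:alert(1) etc.
    kept += ` ${name}="${escapeAttr(value)}"`;
  }
  return kept;
}

// Walk the body tag by tag. Allowlisted tags are re-emitted with filtered
// attributes; everything else (script, img, comments, stray '<') becomes
// escaped text, so nothing unexpected can ever reach the DOM as markup.
function sanitizeNotificationBody(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "";
  let last = 0;
  for (const m of html.matchAll(tagRe)) {
    out += escapeText(html.slice(last, m.index));
    const [whole, slash, name, attrs] = m;
    const tag = name.toLowerCase();
    out += ALLOWED_TAGS.has(tag)
      ? (slash ? `</${tag}>` : `<${tag}${filterAttrs(tag, attrs)}>`)
      : escapeText(whole);
    last = m.index + whole.length;
  }
  return out + escapeText(html.slice(last));
}

// Hardened equivalent of the JSX at line 46 (hypothetical component usage):
//   <ListGroupItemText className="text-light"
//     dangerouslySetInnerHTML={{ __html: sanitizeNotificationBody(notif?.body ?? "") }} />
```

Run against the payload from the reproduction steps, the result contains no `<` at all, so React's `dangerouslySetInnerHTML` can only ever render it as visible text.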