Description
This follows up on a reviewed security finding from githubnext/gh-aw-security. The finding indicates a likely gh-aw defect in the safe-outputs HTML sanitizer (convertXmlTags() in sanitize_content_core.cjs), where allowed HTML tags are passed through with all attributes intact — including on* event handler attributes (e.g., ontoggle="alert(document.cookie)") and style attributes enabling CSS overlay attacks.

Live testing against the deployed v0.63.0 modules confirmed that both <details ontoggle="..."> and <span style="position:fixed;..."> survive the entire sanitizeContentCore pipeline completely unchanged. No stage in the 13-step pipeline strips on* or style attributes from allowlisted tags. The span tag was also added to the allowlist in v0.63.0, expanding the exploitable surface.

This affects all safe-output types that use sanitizeContentCore (issue bodies, PR bodies, comments, discussions). Actual exploitability depends on GitHub's downstream renderer, but the defect contradicts the documented security goal of preventing injection through content sanitization.
Affected area: Safe-outputs HTML sanitizer / convertXmlTags() content filtering boundary
Original finding: https://github.com/githubnext/gh-aw-security/issues/1518
Filed from githubnext/gh-aw-security · gh-aw version: v0.63.1
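As an added example (not gh-aw's own code, and not a reproduction of convertXmlTags()), here is a deny-by-default attribute filter of the kind that would close this gap: allowlisted tags keep only explicitly allowed attributes, so on* handlers and style are dropped rather than passed through. The tag list, the per-tag attribute lists and the function names are assumptions; the href scheme check goes beyond the two attribute classes the finding names.

```javascript
// Added example, not gh-aw code: deny-by-default attribute filtering for allowlisted tags.
// ALLOWED_TAGS and ALLOWED_ATTRS are assumed lists, not the project's real allowlist.
const ALLOWED_TAGS = new Set(["details", "summary", "span", "a", "b", "i", "code"]);
// Per-tag attribute allowlist; a tag absent here passes through with no attributes at all.
const ALLOWED_ATTRS = {
  a: new Set(["href", "title"]),
  details: new Set(["open"]),
};

// True only for attributes explicitly allowed on this tag; on* and style never are.
function isAllowedAttr(tag, name, value) {
  const n = name.toLowerCase();
  if (n.startsWith("on") || n === "style") return false; // event handlers, CSS overlays
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed || !allowed.has(n)) return false;
  // href: accept http(s), mailto, fragment or relative targets only (no javascript:/data:)
  if (n === "href" && !/^(https?:|mailto:|#|\/)/i.test(value.trim())) return false;
  return true;
}

// Matches one tag: optional closing slash, name, raw attribute text, optional self-close.
const TAG_RE = /<(\/?)([a-z][a-z0-9-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/gi;
// Matches one attribute inside that raw text: name, then a quoted or bare value.
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

// Rebuilds every allowlisted tag from only its allowed attributes; other tags are escaped.
function sanitizeTags(html) {
  return html.replace(TAG_RE, (whole, slash, rawTag, attrs, selfClose) => {
    const tag = rawTag.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return whole.replace(/</g, "&lt;").replace(/>/g, "&gt;");
    if (slash) return `</${tag}>`;
    const kept = [];
    for (const m of attrs.matchAll(ATTR_RE)) {
      const value = m[2] ?? m[3] ?? m[4] ?? "";
      if (isAllowedAttr(tag, m[1], value)) {
        kept.push(`${m[1].toLowerCase()}="${value.replace(/"/g, "&quot;")}"`);
      }
    }
    const attrStr = kept.length ? " " + kept.join(" ") : "";
    return `<${tag}${attrStr}${selfClose ? " /" : ""}>`;
  });
}
```

The two inputs reported as surviving the pipeline come out as a bare `<details>` and `<span>`, which is the behaviour the sanitizer's documented goal implies.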
Generated by File gh-aw Issue