From 743785fb5e598b53450131e8cc50d3f977c409d2 Mon Sep 17 00:00:00 2001
From: Ratko Zagorac
Date: Fri, 17 Apr 2026 15:13:49 +0200
Subject: [PATCH] MWPW-192736: validate milolibs branch param to prevent DOM XSS

The milolibs query param was interpolated directly into a template literal used for a dynamic import(), letting an attacker point module loading at an arbitrary origin and execute JS in the page context. Add a strict whitelist (^[a-zA-Z0-9_-]+$) and throw on invalid input in express/code/scripts/utils.js.

Co-Authored-By: Claude Opus 4.7
---
 express/code/scripts/utils.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/express/code/scripts/utils.js b/express/code/scripts/utils.js
index 1782898c8..a63c7dc24 100644
--- a/express/code/scripts/utils.js
+++ b/express/code/scripts/utils.js
@@ -20,6 +20,7 @@ export const [setLibs, getLibs] = (() => {
 const { hostname, search } = location || window.location;
 if (!['.aem.', '.hlx.', '.stage.', 'local', '.da.'].some((i) => hostname.includes(i))) return prodLibs;
 const branch = new URLSearchParams(search).get('milolibs') || 'main';
+ if (!/^[a-zA-Z0-9_-]+$/.test(branch)) throw new Error('Invalid branch name.');
 if (branch === 'local') return 'http://localhost:6456/libs';
 if (branch === 'main' && hostname.includes('.stage.')) return '/libs';
 return branch.includes('--') ? `https://${branch}.aem.live/libs` : `https://${branch}--milo--adobecom.aem.live/libs`;
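Review bot: The added guard throws an uncaught Error from library resolution, so any malformed `?milolibs=` value on a non-prod host now breaks the whole page rather than just the override; if that is not the intent, failing closed to the default with a warning, `if (!/^[a-zA-Z0-9_-]+$/.test(branch)) { console.warn('Ignoring invalid milolibs value'); branch = 'main'; }` (with `const` → `let` on the line above), keeps the page usable, though which behaviour the authors want is a design call to confirm. The allowlist itself is sound for its purpose: with no `.`, `/`, `@` or `:` permitted, the value cannot push the `import()` URL built on the last hunk line off the `*.aem.live` hosts. A why-comment would help the next maintainer, e.g. `// milolibs is attacker-controllable query input interpolated into an import() URL below; restrict it to a single DNS label so it cannot escape *.aem.live.` The diffstat shows no test was added; one asserting rejection of a value containing `.` or `/` and acceptance of a `--` branch would pin the contract. The enclosing function begins before and ends after the hunk.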