MWPW-192736: Add check for milolibs query param#373

Merged
hadobe merged 1 commit intoadobecom:stagefrom
zagi25:MWPW-192736
Apr 23, 2026

Conversation

@zagi25 (Contributor) commented Apr 17, 2026

Whitelist branch parameter with /^[a-zA-Z0-9_-]+$/; throw on any other characters.

Ticket

https://jira.corp.adobe.com/browse/MWPW-192736

Test URLs

Before: https://stage--da-express-milo--adobecom.aem.page/
After: https://MWPW-192736--da-express-milo--zagi25.aem.page/


This PR was generated by Claude (Anthropic's Claude Code CLI).

The milolibs query param was interpolated directly into a template
literal used for a dynamic import(), letting an attacker point module
loading at an arbitrary origin and execute JS in the page context.

Add a strict whitelist (^[a-zA-Z0-9_-]+$) and throw on invalid input
in express/code/scripts/utils.js.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
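The pattern the description names (a query parameter interpolated straight into the URL handed to a dynamic import) beside the form the PR's whitelist produces, as an added example that is not code from this PR or from the da-express-milo repository. The function names, the constructed query strings and the assumed host layout `https://<branch>--milo--adobecom.aem.page/libs` are illustrative assumptions; the real module path in the project is not shown on this page.

```javascript
// Added example, not code from the da-express-milo repository: the pattern the PR
// describes (query param interpolated into a dynamic import URL) beside a version
// hardened with the PR's whitelist. Function names and the host layout
// `${branch}--milo--adobecom.aem.page/libs` are assumptions for illustration.

const BRANCH_RE = /^[a-zA-Z0-9_-]+$/;

// Constructed query strings: a legitimate branch and a hostile value. The hostile
// one ends in '#', so everything the template appends after it becomes a URL
// fragment that the module loader ignores.
const BENIGN_QUERY = '?milolibs=MWPW-192736';
const HOSTILE_QUERY = '?milolibs=evil.example/x.js%23';

// Before: the raw parameter lands in the template literal. Only the URL is built
// here; the vulnerable code would pass the result to import().
function unsafeMiloLibsBase(search) {
  const branch = new URLSearchParams(search).get('milolibs');
  if (!branch) return '/libs';
  return `https://${branch}--milo--adobecom.aem.page/libs`;
}

// After: reject anything outside [a-zA-Z0-9_-] before it can reach the template.
// Without the `m` flag, ^ and $ anchor to the whole string, so a trailing newline
// is rejected as well.
function safeMiloLibsBase(search) {
  const branch = new URLSearchParams(search).get('milolibs');
  if (!branch) return '/libs';
  if (!BRANCH_RE.test(branch)) {
    throw new Error(`Invalid milolibs branch: ${JSON.stringify(branch)}`);
  }
  return `https://${branch}--milo--adobecom.aem.page/libs`;
}

// Returns the host a module under the base would be fetched from, to make the
// hijack visible without actually importing anything.
function originOf(base) {
  return new URL(`${base}/utils.js`).host;
}

// Demo: the unsafe builder hands module loading to evil.example; the safe one throws.
console.log('benign  :', originOf(unsafeMiloLibsBase(BENIGN_QUERY)));
console.log('hostile :', originOf(unsafeMiloLibsBase(HOSTILE_QUERY)));
try {
  safeMiloLibsBase(HOSTILE_QUERY);
} catch (e) {
  console.log('rejected:', e.message);
}
```

Run with `node`. The point of the whitelist is not that the value becomes trusted: a branch name is still attacker-chosen, but once it can only contain `[a-zA-Z0-9_-]` the interpolated URL cannot escape the `*--milo--adobecom.aem.page` host suffix, so modules can only be loaded from branches published under the project's own org. The cases worth a unit test are the `#` and `/` payloads, a trailing newline, and an empty or missing parameter falling back to the default path.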
@aem-code-sync (bot) commented Apr 17, 2026

Page Scores Audits: Lighthouse results for / on mobile and desktop (Performance, A11y, SEO, Best Practices, SI, FCP, LCP, TBT, CLS)

@codecov-commenter commented Apr 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (stage@03be090). Learn more about missing BASE report.

Additional details and impacted files
@@           Coverage Diff            @@
##             stage     #373   +/-   ##
========================================
  Coverage         ?   64.86%           
========================================
  Files            ?      312           
  Lines            ?    70811           
  Branches         ?        0           
========================================
  Hits             ?    45929           
  Misses           ?    24882           
  Partials         ?        0           

☔ View full report in Codecov by Sentry.

@zagi25 zagi25 changed the title from "MWPW-192736: validate milolibs branch param to prevent DOM XSS" to "MWPW-192736: Add check for milolibs query param" Apr 17, 2026
@nateyolles nateyolles added this to the Express-26.16 milestone Apr 21, 2026
@hadobe hadobe merged commit a9bf6a6 into adobecom:stage Apr 23, 2026
13 of 17 checks passed
@hadobe hadobe mentioned this pull request Apr 23, 2026