fix: integrate DOMPurify to sanitize innerHTML assignments in dashboard (#252)

Copilot · web-flow · commit 46bfac57a030 · 2026-01-02T19:51:14.000+10:00
* fix: integrate DOMPurify for XSS protection in dashboard
diff --git a/src/AzureEventGridSimulator/Dashboard/app.js b/src/AzureEventGridSimulator/Dashboard/app.js
@@ -279,9 +279,9 @@
 
         elements.emptyState.classList.add('hidden');
 
-        elements.eventsList.innerHTML = filteredEvents
+        elements.eventsList.innerHTML = DOMPurify.sanitize(filteredEvents
             .map(event => renderEventItem(event))
-            .join('');
+            .join(''));
 
         // Attach click handlers
         elements.eventsList.querySelectorAll('.event-item').forEach(item => {
@@ -303,9 +303,9 @@
 
         elements.emptyRejectionsState.classList.add('hidden');
 
-        elements.rejectionsList.innerHTML = filteredRejections
+        elements.rejectionsList.innerHTML = DOMPurify.sanitize(filteredRejections
             .map(rejection => renderRejectionItem(rejection))
-            .join('');
+            .join(''));
 
         // Attach click handlers
         elements.rejectionsList.querySelectorAll('.rejection-item').forEach(item => {
@@ -386,7 +386,7 @@
         selectedEventId = null;
         selectedRejectionId = null;
         elements.detailPanel.classList.remove('open');
-        elements.detailContent.innerHTML = '<p class="detail-placeholder">Select an event to view details</p>';
+        elements.detailContent.innerHTML = DOMPurify.sanitize('<p class="detail-placeholder">Select an event to view details</p>');
         renderEventsList();
         renderRejectionsList();
     }
@@ -447,7 +447,7 @@
             ${renderDeliverySection(event.deliveries || [])}
         `;
 
-        elements.detailContent.innerHTML = html;
+        elements.detailContent.innerHTML = DOMPurify.sanitize(html);
 
         // Attach attempt toggle handlers
         elements.detailContent.querySelectorAll('.attempt-toggle').forEach(toggle => {
@@ -505,7 +505,7 @@
             ` : ''}
         `;
 
-        elements.detailContent.innerHTML = html;
+        elements.detailContent.innerHTML = DOMPurify.sanitize(html);
     }
 
     function renderDeliverySection(deliveries) {
diff --git a/src/AzureEventGridSimulator/Dashboard/index.html b/src/AzureEventGridSimulator/Dashboard/index.html
@@ -1,98 +1,127 @@
 <!DOCTYPE html>
 <html lang="en">
-<head>
-    <meta charset="UTF-8">
-    <meta content="width=device-width, initial-scale=1.0" name="viewport">
-    <title>Azure Event Grid Simulator - Dashboard</title>
-    <link href="/dashboard/styles.css" rel="stylesheet">
-</head>
-<body>
-<header class="header">
-    <h1>Azure Event Grid Simulator</h1>
-    <div class="header-controls">
-        <button class="clear-btn" id="clearBtn">Clear</button>
-        <label class="auto-refresh-toggle">
-            <input checked id="autoRefresh" type="checkbox">
-            <span>Auto-refresh</span>
-        </label>
-        <span class="refresh-indicator" id="refreshIndicator"></span>
-    </div>
-</header>
+    <head>
+        <meta charset="UTF-8" />
+        <meta content="width=device-width, initial-scale=1.0" name="viewport" />
+        <title>Azure Event Grid Simulator - Dashboard</title>
+        <link href="/dashboard/styles.css" rel="stylesheet" />
+    </head>
+    <body>
+        <header class="header">
+            <h1>Azure Event Grid Simulator</h1>
+            <div class="header-controls">
+                <button class="clear-btn" id="clearBtn">Clear</button>
+                <label class="auto-refresh-toggle">
+                    <input checked id="autoRefresh" type="checkbox" />
+                    <span>Auto-refresh</span>
+                </label>
+                <span class="refresh-indicator" id="refreshIndicator"></span>
+            </div>
+        </header>
 
-<main class="main-content">
-    <section class="stats-section" id="statsSection">
-        <div class="stat-card">
-            <span class="stat-value" id="statTotalReceived">0</span>
-            <span class="stat-label">Total Received</span>
-        </div>
-        <div class="stat-card">
-            <span class="stat-value" id="statInHistory">0</span>
-            <span class="stat-label">In History</span>
-        </div>
-        <div class="stat-card">
-            <span class="stat-value" id="statDelivered">0</span>
-            <span class="stat-label">Delivered</span>
-        </div>
-        <div class="stat-card">
-            <span class="stat-value" id="statFailed">0</span>
-            <span class="stat-label">Failed</span>
-        </div>
-        <div class="stat-card">
-            <span class="stat-value" id="statPending">0</span>
-            <span class="stat-label">Pending</span>
-        </div>
-        <div class="stat-card stat-card-rejected">
-            <span class="stat-value" id="statRejected">0</span>
-            <span class="stat-label">Rejected</span>
-        </div>
-        <div class="stat-card">
-            <span class="stat-value" id="statTopics">0</span>
-            <span class="stat-label">Active Topics</span>
-        </div>
-    </section>
+        <main class="main-content">
+            <section class="stats-section" id="statsSection">
+                <div class="stat-card">
+                    <span class="stat-value" id="statTotalReceived">0</span>
+                    <span class="stat-label">Total Received</span>
+                </div>
+                <div class="stat-card">
+                    <span class="stat-value" id="statInHistory">0</span>
+                    <span class="stat-label">In History</span>
+                </div>
+                <div class="stat-card">
+                    <span class="stat-value" id="statDelivered">0</span>
+                    <span class="stat-label">Delivered</span>
+                </div>
+                <div class="stat-card">
+                    <span class="stat-value" id="statFailed">0</span>
+                    <span class="stat-label">Failed</span>
+                </div>
+                <div class="stat-card">
+                    <span class="stat-value" id="statPending">0</span>
+                    <span class="stat-label">Pending</span>
+                </div>
+                <div class="stat-card stat-card-rejected">
+                    <span class="stat-value" id="statRejected">0</span>
+                    <span class="stat-label">Rejected</span>
+                </div>
+                <div class="stat-card">
+                    <span class="stat-value" id="statTopics">0</span>
+                    <span class="stat-label">Active Topics</span>
+                </div>
+            </section>
 
-    <section class="events-section">
-        <div class="events-header">
-            <div class="tab-container">
-                <button class="tab-btn active" data-tab="events" id="tabEvents">Events</button>
-                <button class="tab-btn" data-tab="rejections" id="tabRejections">Rejections <span
-                    class="rejection-count" id="rejectionCount"></span></button>
-            </div>
-            <select class="topic-filter" id="topicFilter">
-                <option value="">All Topics</option>
-            </select>
-        </div>
+            <section class="events-section">
+                <div class="events-header">
+                    <div class="tab-container">
+                        <button
+                            class="tab-btn active"
+                            data-tab="events"
+                            id="tabEvents"
+                        >
+                            Events
+                        </button>
+                        <button
+                            class="tab-btn"
+                            data-tab="rejections"
+                            id="tabRejections"
+                        >
+                            Rejections
+                            <span
+                                class="rejection-count"
+                                id="rejectionCount"
+                            ></span>
+                        </button>
+                    </div>
+                    <select class="topic-filter" id="topicFilter">
+                        <option value="">All Topics</option>
+                    </select>
+                </div>
 
-        <div class="tab-content" id="eventsTab">
-            <div class="empty-state" id="emptyState">
-                <div class="empty-state-icon">&#128235;</div>
-                <h3>No events received yet</h3>
-                <p>Events will appear here when they are published to the simulator.</p>
-            </div>
-            <div class="events-list" id="eventsList"></div>
-        </div>
+                <div class="tab-content" id="eventsTab">
+                    <div class="empty-state" id="emptyState">
+                        <div class="empty-state-icon">&#128235;</div>
+                        <h3>No events received yet</h3>
+                        <p>
+                            Events will appear here when they are published to
+                            the simulator.
+                        </p>
+                    </div>
+                    <div class="events-list" id="eventsList"></div>
+                </div>
 
-        <div class="tab-content hidden" id="rejectionsTab">
-            <div class="empty-state" id="emptyRejectionsState">
-                <div class="empty-state-icon">&#10003;</div>
-                <h3>No rejected events</h3>
-                <p>Validation errors will appear here when invalid events are sent to the simulator.</p>
-            </div>
-            <div class="events-list" id="rejectionsList"></div>
-        </div>
-    </section>
+                <div class="tab-content hidden" id="rejectionsTab">
+                    <div class="empty-state" id="emptyRejectionsState">
+                        <div class="empty-state-icon">&#10003;</div>
+                        <h3>No rejected events</h3>
+                        <p>
+                            Validation errors will appear here when invalid
+                            events are sent to the simulator.
+                        </p>
+                    </div>
+                    <div class="events-list" id="rejectionsList"></div>
+                </div>
+            </section>
 
-    <aside class="detail-panel" id="detailPanel">
-        <div class="detail-header">
-            <h3>Event Details</h3>
-            <button class="close-btn" id="closeDetail">&times;</button>
-        </div>
-        <div class="detail-content" id="detailContent">
-            <p class="detail-placeholder">Select an event to view details</p>
-        </div>
-    </aside>
-</main>
+            <aside class="detail-panel" id="detailPanel">
+                <div class="detail-header">
+                    <h3>Event Details</h3>
+                    <button class="close-btn" id="closeDetail">&times;</button>
+                </div>
+                <div class="detail-content" id="detailContent">
+                    <p class="detail-placeholder">
+                        Select an event to view details
+                    </p>
+                </div>
+            </aside>
+        </main>
 
-<script src="/dashboard/app.js"></script>
-</body>
+        <script
+            src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/3.2.7/purify.min.js"
+            integrity="sha512-78KH17QLT5e55GJqP76vutp1D2iAoy06WcYBXB6iBCsmO6wWzx0Qdg8EDpm8mKXv68BcvHOyeeP4wxAL0twJGQ=="
+            crossorigin="anonymous"
+            referrerpolicy="no-referrer"
+        ></script>
+        <script src="/dashboard/app.js"></script>
+    </body>
 </html>
