VSCode Security Issues

Compile-time issues

This section mentions the issues discovered while running VSCode's code with tsec.

Running tsec

Build

    git clone https://github.com/googleinterns/tsec
    cd tsec
    yarn install
	yarn build

Run

In VSCode's package.json add:

"scripts": {
                "tsec-compile-check" : "{PATH TO TSEC}/bin/tsec -p {TSCONFIG} --noEmit"
        }

where {TSCONFIG} is either src/tsconfig.json or src/tsconfig.monaco.json (the second is a smaller subset of the first).

You should get 103 errors from src/tsconfig.json and 28 from src/tsconfig.monaco.json. Mostly caused by assigning a string to innerHTML property.

Issues

From tsconfig.monaco.json

Nr	At	Error	Code	Issue
1	src/vs/editor/browser/config/charWidthReader.ts#L132	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`testElement.innerHTML = htmlString;`
2	src/vs/editor/browser/view/viewLayer.ts#L510	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.domNode.innerHTML = newLinesHTML;`
3	src/vs/base/browser/markdownRenderer.ts#L158	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`span.innerHTML = strValue;`
4	src/vs/base/browser/markdownRenderer.ts#L233	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`element.innerHTML = insane(renderedMarkdown, { 234 allowedSchemes,... 249 filter 250 });`
5	src/vs/base/browser/ui/selectBox/selectBoxCustom.ts#L708	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`container.innerHTML = this.options[longest].text + (!!this.options[longest].decoratorRight ? (this.options[longest].decoratorRight + ' ') : '');`
6	src/vs/editor/contrib/codelens/codelensWidget.ts#L106	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this._domNode.innerHTML = '<span>no commands</span>';`
7	src/vs/editor/contrib/codelens/codelensWidget.ts#L113	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this._domNode.innerHTML = innerHtml;`
8	src/vs/base/browser/ui/inputbox/inputBox.ts#L173	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.mirror.innerHTML = ' ';`	Replace `innerHTML` with `innerText` when assigning non-html string
9	src/vs/base/browser/ui/inputbox/inputBox.ts#L532	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.mirror.innerHTML = ' ';`	Replace `innerHTML` with `innerText` when assigning non-html string
10	src/vs/editor/contrib/peekView/peekView.ts#L211	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this._primaryHeading.innerHTML = strings.escape(primaryHeading);`
11	src/vs/editor/contrib/peekView/peekView.ts#L214	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this._secondaryHeading.innerHTML = strings.escape(secondaryHeading);`
12	src/vs/editor/contrib/peekView/peekView.ts#L224	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this._metaHeading.innerHTML = strings.escape(value);`
13	src/vs/base/browser/ui/highlightedlabel/highlightedLabel.ts#L91	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.domNode.innerHTML = htmlContent;`
14	src/vs/base/browser/ui/iconLabel/iconLabel.ts#L190	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.container.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
15	src/vs/base/browser/ui/iconLabel/iconLabel.ts#L197	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.container.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
16	src/vs/base/browser/ui/iconLabel/iconLabel.ts#L253	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.container.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
17	src/vs/base/browser/ui/iconLabel/iconLabel.ts#L261	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.container.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
18	src/vs/base/browser/ui/tree/abstractTree.ts#L884	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.messageDomNode.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
19	src/vs/editor/contrib/gotoSymbol/peek/referencesWidget.ts#L432	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this._messageContainer.innerHTML = nls.localize('noResults', "No results");`
20	src/vs/editor/contrib/parameterHints/parameterHintsWidget.ts#L197	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.domNodes.signature.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
21	src/vs/editor/contrib/parameterHints/parameterHintsWidget.ts#L198	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.domNodes.docs.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
22	src/vs/editor/contrib/suggest/suggestWidget.ts#L375	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.docs.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
23	src/vs/base/worker/defaultWorkerFactory.ts#L16	TS21228: Constructing Web Workers can cause code to be loaded from an untrusted URL.	`return new Worker(globals.MonacoEnvironment.getWorkerUrl(workerId, label));`
24	src/vs/base/worker/defaultWorkerFactory.ts#L24	TS21228: Constructing Web Workers can cause code to be loaded from an untrusted URL.	`return new Worker(workerUrl, { name: label });`
25	src/vs/editor/standalone/browser/colorizer.ts#L43	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`domNode.innerHTML = str;`
26	src/vs/base/browser/ui/button/button.ts#L183	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this._element.innerHTML = renderCodicons(escape(value));`
27	src/vs/base/parts/quickinput/browser/quickInput.ts#L280	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.ui.title.innerHTML = ' ';`	Replace `innerHTML` with `innerText` when assigning non-html string

From tsconfig.json

Nr	At	Error	Code	Issue
1	src/vs/base/browser/markdownRenderer.ts#L158	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`span.innerHTML = strValue;`
2	src/vs/base/browser/markdownRenderer.ts#L233	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`element.innerHTML = insane(renderedMarkdown, { 234 allowedSchemes,... 249 filter 250 });`
3	src/vs/base/browser/ui/selectBox/selectBoxCustom.ts#L708	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`container.innerHTML = this.options[longest].text + (!!this.options[longest].decoratorRight ? (this.options[longest].decoratorRight + ' ') : '');`
4	src/vs/base/browser/ui/button/button.ts#L183	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this._element.innerHTML = renderCodicons(escape(value));`	Render codicons
5	src/vs/base/browser/ui/codicons/codiconLabel.ts#L16	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this._container.innerHTML = renderCodicons(escape(text ?? ''));`	Render codicons
6	src/vs/base/browser/ui/inputbox/inputBox.ts#L173	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.mirror.innerHTML = ' ';`	Replace `innerHTML` with `innerText` when assigning non-html string
7	src/vs/base/browser/ui/inputbox/inputBox.ts#L532	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.mirror.innerHTML = ' ';`	Replace `innerHTML` with `innerText` when assigning non-html string
8	src/vs/base/browser/ui/highlightedlabel/highlightedLabel.ts#L91	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.domNode.innerHTML = htmlContent;`
9	src/vs/base/browser/ui/menu/menubar.ts#L551	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`titleElement.innerHTML = innerHtml;`
10	src/vs/base/browser/ui/menu/menubar.ts#L553	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`titleElement.innerHTML = cleanMenuLabel.replace(/&&/g, '&');`
11	src/vs/base/parts/quickinput/browser/quickInput.ts#L280	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.ui.title.innerHTML = ' ';`	Replace `innerHTML` with `innerText` when assigning non-html string
12	src/vs/base/worker/defaultWorkerFactory.ts#L16	TS21228: Constructing Web Workers can cause code to be loaded from an untrusted URL.	`return new Worker(globals.MonacoEnvironment.getWorkerUrl(workerId, label));`
13	src/vs/base/worker/defaultWorkerFactory.ts#L24	TS21228: Constructing Web Workers can cause code to be loaded from an untrusted URL.	`return new Worker(workerUrl, { name: label });`
14	src/vs/editor/browser/config/charWidthReader.ts#L132	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`testElement.innerHTML = htmlString;`
15	src/vs/editor/browser/view/viewLayer.ts#L510	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.domNode.innerHTML = newLinesHTML;`
16	src/vs/editor/contrib/codelens/codelensWidget.ts#L106	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this._domNode.innerHTML = '<span>no commands</span>';`
17	src/vs/editor/contrib/codelens/codelensWidget.ts#L113	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this._domNode.innerHTML = innerHtml;`
18	src/vs/editor/contrib/peekView/peekView.ts#L211	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this._primaryHeading.innerHTML = strings.escape(primaryHeading);`
19	src/vs/editor/contrib/peekView/peekView.ts#L214	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this._secondaryHeading.innerHTML = strings.escape(secondaryHeading);`
20	src/vs/editor/contrib/peekView/peekView.ts#L224	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this._metaHeading.innerHTML = strings.escape(value);`
21	src/vs/editor/contrib/gotoSymbol/peek/referencesWidget.ts#L432	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this._messageContainer.innerHTML = nls.localize('noResults', "No results");`
22	src/vs/workbench/contrib/comments/browser/commentThreadWidget.ts#L700	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this._headingLabel.innerHTML = strings.escape(label);`	issueReporterMain: Use DOM API instead of string concatenation
23	src/vs/workbench/contrib/comments/browser/commentsTreeViewer.ts#L123	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`templateData.commentText.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
24	src/vs/workbench/browser/parts/views/viewPaneContainer.ts#L507	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.viewWelcomeContainer.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
25	src/vs/workbench/browser/parts/views/viewPaneContainer.ts#L516	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.viewWelcomeContainer.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
26	src/vs/workbench/browser/parts/views/viewPaneContainer.ts#L523	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.viewWelcomeContainer.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
27	src/vs/workbench/contrib/notebook/browser/view/renderers/markdownCell.ts#L163	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.templateData.editorContainer.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
28	src/vs/workbench/contrib/notebook/browser/view/renderers/markdownCell.ts#L223	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.markdownContainer.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
29	src/vs/workbench/contrib/notebook/browser/view/renderers/markdownCell.ts#L243	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.markdownContainer.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
30	src/vs/workbench/contrib/notebook/browser/view/renderers/markdownCell.ts#L294	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.templateData.foldingIndicator.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
31	src/vs/workbench/contrib/notebook/browser/view/renderers/markdownCell.ts#L297	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.templateData.foldingIndicator.innerHTML = renderCodicons('$(chevron-right)');`	Render codicons
32	src/vs/workbench/contrib/notebook/browser/view/renderers/markdownCell.ts#L300	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.templateData.foldingIndicator.innerHTML = renderCodicons('$(chevron-down)');`	Render codicons
33	src/vs/workbench/contrib/notebook/browser/view/renderers/commonViewComponents.ts#L34	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.label.innerHTML = renderCodicons(this._commandAction.label ?? '');`	Render codicons
34	src/vs/workbench/contrib/notebook/browser/view/renderers/cellRenderer.ts#L393	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`dragImageContainer.innerHTML = templateData.container.innerHTML;`
35	src/vs/workbench/contrib/notebook/browser/view/renderers/cellRenderer.ts#L415	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`templateData.cellContainer.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
36	src/vs/workbench/contrib/notebook/browser/view/renderers/cellRenderer.ts#L805	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`dragImageContainer.innerHTML = templateData.container.innerHTML;`
37	src/vs/workbench/contrib/notebook/browser/view/renderers/cellRenderer.ts#L817	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`editorContainer.innerHTML = richEditorText;`	$ function can't be accessed Cell renderer: Use DOM API instead of string concatenation
38	src/vs/workbench/contrib/notebook/browser/view/renderers/cellRenderer.ts#L995	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`templateData.cellRunStatusContainer.innerHTML = renderCodicons('$(check)');`	Render codicons
39	src/vs/workbench/contrib/notebook/browser/view/renderers/cellRenderer.ts#L997	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`templateData.cellRunStatusContainer.innerHTML = renderCodicons('$(error)');`	Render codicons
40	src/vs/workbench/contrib/notebook/browser/view/renderers/cellRenderer.ts#L999	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`templateData.cellRunStatusContainer.innerHTML = renderCodicons('$(sync~spin)');`	Render codicons
41	src/vs/workbench/contrib/notebook/browser/view/renderers/cellRenderer.ts#L1001	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`templateData.cellRunStatusContainer.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
42	src/vs/workbench/contrib/notebook/browser/view/renderers/cellRenderer.ts#L1065	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`templateData.outputContainer.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
43	src/vs/workbench/browser/actions/developerActions.ts#L182	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`keyboardMarker.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
44	src/vs/workbench/browser/parts/editor/editorPart.ts#L61	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.element.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
45	src/vs/workbench/browser/parts/compositePart.ts#L412	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`titleLabel.innerHTML = strings.escape(title);`	issueReporterMain: Use DOM API instead of string concatenation
46	src/vs/workbench/contrib/preferences/browser/settingsTree.ts#L640	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`template.descriptionElement.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
47	src/vs/workbench/contrib/preferences/browser/settingsTree.ts#L653	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`template.otherOverridesElement.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
48	src/vs/workbench/contrib/preferences/browser/settingsTree.ts#L690	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`template.deprecationWarningElement.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
49	src/vs/workbench/contrib/preferences/browser/settingsTree.ts#L824	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`templateData.parent.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
50	src/vs/workbench/contrib/preferences/browser/settingsTree.ts#L1369	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`template.enumDescriptionElement.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
51	src/vs/workbench/contrib/notebook/browser/view/renderers/webviewPreloads.ts#L82	TS21228: Do not assign variables to HTMLScriptElement#text or HTMLScriptElement#textContent, as this can lead to XSS.	`scriptTag.text = node.innerText;`
52	src/vs/workbench/contrib/notebook/browser/view/renderers/webviewPreloads.ts#L402	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`document.getElementById('container')!.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
53	src/vs/workbench/contrib/scm/browser/scmViewPane.ts#L143	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.label.innerHTML = renderCodicons(escape(this.getAction().label));`	Render codicons
54	src/vs/workbench/contrib/extensions/browser/extensionsWidgets.ts#L58	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.container.innerHTML = '';`
55	src/vs/workbench/contrib/extensions/browser/extensionsWidgets.ts#L108	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this.container.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
56	src/vs/workbench/contrib/extensions/browser/extensionEditor.ts#L432	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`template.content.innerHTML = ''; // Clear content before setting navbar actions.`	Replace `innerHTML` with `innerText` when assigning non-html string
57	src/vs/workbench/contrib/extensions/browser/extensionEditor.ts#L563	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`template.content.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
58	src/vs/workbench/contrib/codeEditor/browser/inspectEditorTokens/inspectEditorTokens.ts#L250	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this._domNode.innerHTML = text;`	inspectEditorTokens: Use DOM API instead of string concatenation
59	src/vs/workbench/contrib/watermark/browser/watermark.ts#L144	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`dd.innerHTML = keybinding.element.outerHTML;`
60	src/vs/workbench/contrib/welcome/overlay/browser/welcomeOverlay.ts#L189	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`dom.append(div, $('span.arrow')).innerHTML = arrow;`	welcomeOverlay: Use DOM API instead of string concatenation
61	src/vs/workbench/contrib/welcome/overlay/browser/welcomeOverlay.ts#L199	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`dom.append(div, $('span.arrow')).innerHTML = arrow;`	welcomeOverlay: Use DOM API instead of string concatenation
62	src/vs/workbench/contrib/welcome/page/browser/welcomePage.ts#L320	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`prodName.innerHTML = this.productService.nameLong;`
63	src/vs/workbench/services/extensions/browser/webWorkerExtensionHost.ts#L72	TS21228: Constructing Web Workers can cause code to be loaded from an untrusted URL.	`const worker = new Worker(url, { name: 'WorkerExtensionHost' });`
64	src/vs/code/electron-browser/issue/issueReporterMain.ts#L61	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`document.body.innerHTML = BaseHtml();`
65	src/vs/code/electron-browser/issue/issueReporterMain.ts#L313	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	target.innerHTML = `${details}<table>${table}</table>`;	issueReporterMain: Use DOM API instead of string concatenation
66	src/vs/code/electron-browser/issue/issueReporterMain.ts#L590	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`similarIssues.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
67	src/vs/code/electron-browser/issue/issueReporterMain.ts#L601	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`similarIssues.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
68	src/vs/code/electron-browser/issue/issueReporterMain.ts#L824	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	descriptionTitle.innerHTML = `${localize('stepsToReproduce', "Steps to Reproduce")} <span class="required-input">*</span>`;	Replace `innerHTML` with `innerText` when assigning non-html string
69	src/vs/code/electron-browser/issue/issueReporterMain.ts#L825	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`descriptionSubtitle.innerHTML = localize('bugDescription', "Share the steps needed to reliably reproduce the problem. Please include actual and expected results. We support GitHub-flavored Markdown. You will be able to edit your issue and add screenshots when we preview it on GitHub.");`	Replace `innerHTML` with `innerText` when assigning non-html string
70	src/vs/code/electron-browser/issue/issueReporterMain.ts#L839	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	descriptionTitle.innerHTML = `${localize('stepsToReproduce', "Steps to Reproduce")} <span class="required-input">*</span>`;	Replace `innerHTML` with `innerText` when assigning non-html string
71	src/vs/code/electron-browser/issue/issueReporterMain.ts#L840	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`descriptionSubtitle.innerHTML = localize('performanceIssueDesciption', "When did this performance issue happen? Does it occur on startup or after a specific series of actions? We support GitHub-flavored Markdown. You will be able to edit your issue and add screenshots when we preview it on GitHub.");`	Replace `innerHTML` with `innerText` when assigning non-html string
72	src/vs/code/electron-browser/issue/issueReporterMain.ts#L842	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	descriptionTitle.innerHTML = `${localize('description', "Description")} <span class="required-input">*</span>`;	Replace `innerHTML` with `innerText` when assigning non-html string
73	src/vs/code/electron-browser/issue/issueReporterMain.ts#L843	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`descriptionSubtitle.innerHTML = localize('featureRequestDescription', "Please describe the feature you would like to see. We support GitHub-flavored Markdown. You will be able to edit your issue and add screenshots when we preview it on GitHub.");`	Replace `innerHTML` with `innerText` when assigning non-html string
74	src/vs/code/electron-browser/issue/issueReporterMain.ts#L854	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	descriptionTitle.innerHTML = `${localize('expectedResults', "Expected Results")} <span class="required-input">*</span>`;	Replace `innerHTML` with `innerText` when assigning non-html string
75	src/vs/code/electron-browser/issue/issueReporterMain.ts#L855	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`descriptionSubtitle.innerHTML = localize('settingsSearchResultsDescription', "Please list the results that you were expecting to see when you searched with this query. We support GitHub-flavored Markdown. You will be able to edit your issue and add screenshots when we preview it on GitHub.");`	Replace `innerHTML` with `innerText` when assigning non-html string
76	src/vs/code/electron-browser/issue/issueReporterMain.ts#L1018	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`target.innerHTML = renderedData;`	issueReporterMain: Use DOM API instead of string concatenation
77	src/vs/code/electron-browser/issue/issueReporterMain.ts#L1058	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`extensionsSelector.innerHTML = '<option></option>' + extensionOptions.map(extension => makeOption(extension, selectedExtension)).join('\n');`	issueReporterMain: Use DOM API instead of string concatenation
78	src/vs/code/electron-browser/issue/issueReporterMain.ts#L1128	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	target.innerHTML = `<code>${state.processInfo}</code>`;	issueReporterMain: Use DOM API instead of string concatenation
79	src/vs/code/electron-browser/issue/issueReporterMain.ts#L1140	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`target.innerHTML = localize('disabledExtensions', "Extensions are disabled");`	Replace `innerHTML` with `innerText` when assigning non-html string
80	src/vs/code/electron-browser/issue/issueReporterMain.ts#L1148	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`target.innerHTML = 'Extensions: none' + themeExclusionStr;`	Replace `innerHTML` with `innerText` when assigning non-html string
81	src/vs/code/electron-browser/issue/issueReporterMain.ts#L1153	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	target.innerHTML = `<table>${table}</table>${themeExclusionStr}`;	issueReporterMain: Use DOM API instead of string concatenation
82	src/vs/code/electron-browser/issue/issueReporterMain.ts#L1161	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`target.innerHTML = 'Extensions: none';`	Replace `innerHTML` with `innerText` when assigning non-html string
83	src/vs/code/electron-browser/issue/issueReporterMain.ts#L1166	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	target.innerHTML = `<table>${table}</table>`;	issueReporterMain: Use DOM API instead of string concatenation
84	src/vs/code/electron-browser/processExplorer/processExplorerMain.ts#L267	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`container.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
85	src/vs/editor/standalone/browser/colorizer.ts#L43	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`domNode.innerHTML = str;`
86	src/vs/editor/standalone/browser/inspectTokens/inspectTokens.ts#L242	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`this._domNode.innerHTML = result;`	inspectTokens: Use DOM API instead of string concatenation
87	src/vs/editor/test/browser/controller/imeTester.ts#L59	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`output.innerHTML = r;`
88	src/vs/workbench/contrib/extensions/electron-browser/runtimeExtensionsEditor.ts#L400	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	el.innerHTML = renderCodicons(escape(` $(alert) Unresponsive`));	Render codicons
89	src/vs/workbench/contrib/extensions/electron-browser/runtimeExtensionsEditor.ts#L407	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	el.innerHTML = renderCodicons(escape(`$(bug) ${nls.localize('errors', "{0} uncaught errors", element.status.runtimeErrors.length)}`));	Render codicons
90	src/vs/workbench/contrib/extensions/electron-browser/runtimeExtensionsEditor.ts#L413	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	el.innerHTML = renderCodicons(escape(`$(alert) ${element.status.messages[0].message}`));	Render codicons
91	src/vs/workbench/contrib/extensions/electron-browser/runtimeExtensionsEditor.ts#L419	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	el.innerHTML = renderCodicons(escape(`$(remote) ${element.description.extensionLocation.authority}`));	Render codicons
92	src/vs/workbench/contrib/extensions/electron-browser/runtimeExtensionsEditor.ts#L424	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	el.innerHTML = renderCodicons(escape(`$(remote) ${hostLabel}`));	Render codicons
93	src/vs/workbench/test/browser/part.test.ts#L66	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`titleLabel.innerHTML = 'Title';`	Replace `innerHTML` with `innerText` when assigning non-html string
94	src/vs/workbench/test/browser/part.test.ts#L75	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`contentSpan.innerHTML = 'Content';`	Replace `innerHTML` with `innerText` when assigning non-html string
95	src/vs/workbench/test/browser/part.test.ts#L95	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`contentSpan.innerHTML = 'Content';`	Replace `innerHTML` with `innerText` when assigning non-html string
96	src/vs/workbench/contrib/notebook/browser/diff/cellComponents.ts		`this._foldingIndicator.innerHTML = renderCodicons('$(chevron-down)');`	Render codicons
97	src/vs/workbench/contrib/notebook/browser/diff/cellComponents.ts		`this._foldingIndicator.innerHTML = renderCodicons('$(chevron-right)');`	Render codicons
98	src/vs/workbench/contrib/notebook/browser/view/renderers/cellRenderer.ts#L341	TS21228: Assigning directly to Element#innerHTML can result in XSS vulnerabilities.	`collapsedPart.innerHTML = renderCodicons('$(unfold)');`	Render codicons

Found through manual search (not found by tsec)

Nr	At	Code	Issue
1	src/vs/workbench/browser/parts/editor/breadcrumbsControl.ts#L101	`label.innerHTML = '…';`	Replace `innerHTML` with `innerText` when assigning non-html string
2	src/vs/editor/browser/widget/diffReview.ts#705	`originalLineNumber.innerHTML = ' ';`	Replace `innerHTML` with `innerText` when assigning non-html string
3	src/vs/editor/browser/widget/diffReview.ts#717	`modifiedLineNumber.innerHTML = ' ';`	Replace `innerHTML` with `innerText` when assigning non-html string
4	src/vs/editor/browser/widget/diffReview.ts#727	`spacerCodicon.innerHTML = '  ';`	Replace `innerHTML` with `innerText` when assigning non-html string
5	src/vs/editor/browser/widget/diffReview.ts#730	`spacer.innerHTML = '  ';`	Replace `innerHTML` with `innerText` when assigning non-html string
6	src/vs/code/electron-sandbox/issue/issueReporterMain.ts#L716	`sourceSelect.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
7	src/vs/workbench/contrib/welcome/walkThrough/browser/walkThroughPart.ts#L271	`this.content.innerHTML = '';`	Replace `innerHTML` with `innerText` when assigning non-html string
8	src/vs/editor/test/browser/controller/imeTester.ts#L77	`startBtn.innerHTML = 'Start';`	Replace `innerHTML` with `innerText` when assigning non-html string
9	src/vs/editor/test/browser/controller/imeTester.ts#L144	`check.innerHTML = '[GOOD]';`	Replace `innerHTML` with `innerText` when assigning non-html string
10	src/vs/editor/test/browser/controller/imeTester.ts#L147	`check.innerHTML = '[BAD]';`	Replace `innerHTML` with `innerText` when assigning non-html string
11	src/vs/workbench/contrib/extensions/browser/extensionEditor.ts#L65	`const newDocument = new DOMParser().parseFromString(documentContent, 'text/html');`
12	src/vs/code/electron-sandbox/issue/issueReporterMain.ts#L257	`styleTag.innerHTML = content.join('\n');`	`content` includes only styles, not sure if violation

Found at runtime only

Tested on VSCode's version with revision nr: 371f6306f9de7e704870e7d7263a96ebc5eb2c88

Nr.	Where	Code
1	src/vs/workbench/services/keybinding/browser/keymapService.ts:444:31	`const worker = new Worker(url, { name: 'WorkerExtensionHost' });`
2	src/vs/workbench/services/textMate/browser/abstractTextMateService.ts:234:4	`const [vscodeTextmate, vscodeOniguruma] = await Promise.all([import('vscode-textmate'), this._getVSCodeOniguruma()]);`
3	src/vs/workbench/services/textMate/browser/abstractTextMateService.ts:404:37	`const [vscodeOniguruma, wasm] = await Promise.all([import('vscode-oniguruma'), this._loadVSCodeOnigurumWASM()]);`
4	src/vs/loader.js:609:36	`scriptCallbacks[i].callback();`
5	src/vs/workbench/contrib/extensions/browser/extensionEditor.ts:64	`const newDocument = new DOMParser().parseFromString(documentContent, 'text/html');`
6	src/vs/workbench/contrib/webview/browser/pre/main.js:370	`const newDocument = new DOMParser().parseFromString(text, 'text/html');`

Name		Name	Last commit message	Last commit date
Latest commit History 68,338 Commits
.devcontainer		.devcontainer
.github		.github
.vscode		.vscode
build		build
extensions		extensions
remote		remote
resources		resources
scripts		scripts
src		src
test		test
.editorconfig		.editorconfig
.eslintignore		.eslintignore
.eslintrc.json		.eslintrc.json
.gitattributes		.gitattributes
.gitignore		.gitignore
.mailmap		.mailmap
.mention-bot		.mention-bot
.nvmrc		.nvmrc
.yarnrc		.yarnrc
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE.txt		LICENSE.txt
README.md		README.md
ThirdPartyNotices.txt		ThirdPartyNotices.txt
azure-pipelines.yml		azure-pipelines.yml
cglicenses.json		cglicenses.json
cgmanifest.json		cgmanifest.json
errors.md		errors.md
gulpfile.js		gulpfile.js
package.json		package.json
product.json		product.json
tsfmt.json		tsfmt.json
vscode_security_issues.md		vscode_security_issues.md
yarn.lock		yarn.lock

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

VSCode Security Issues

Compile-time issues

Running tsec

Build

Run

Issues

From tsconfig.monaco.json

From tsconfig.json

Found through manual search (not found by tsec)

Found at runtime only

About

Uh oh!

Releases

Packages

Languages

License

annkamsk/vscode

Folders and files

Latest commit

History

Repository files navigation

VSCode Security Issues

Compile-time issues

Running tsec

Build

Run

Issues

From tsconfig.monaco.json

From tsconfig.json

Found through manual search (not found by tsec)

Found at runtime only

About

Resources

License

Contributing

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages