CWE-79 (XSS) in a content script context is dangerous not just for the extension user but for the host page: a content script that reads text from the DOM and inserts it back via innerHTML without sanitization can be triggered by the host page itself injecting a payload. CWE-116 (Improper Encoding or Escaping) names the adjacent failure. OWASP A03 (Injection) applies. Content scripts occupy a trusted position relative to the host page — they can read storage, message the background script, and interact with chrome.* APIs — so an XSS here has a blast radius beyond what a typical page-level XSS would achieve.
High because unsanitized `innerHTML` in a content script creates an XSS vector in a trusted extension context that can access `chrome.*` APIs and user storage, extending the blast radius beyond the page.
Replace innerHTML assignments with textContent for text data. If rendering HTML from page data is unavoidable, pass it through DOMPurify.sanitize() before insertion.
// src/content.js — safe DOM manipulation
import DOMPurify from 'dompurify';

// Plain text from the page: textContent never parses HTML
element.textContent = scrapedText;

// Only if rendering HTML from page data is unavoidable: sanitize first
element.innerHTML = DOMPurify.sanitize(scrapedHtml);
Never pass a variable derived from document.querySelector, location.href, or window.name directly into innerHTML or outerHTML.
ID: extension-permissions-security.content-script-isolation.page-data-sanitized
Severity: high
What to look for: Enumerate all content script files. For each, count occurrences of innerHTML, outerHTML, and document.write. Quote the actual usage pattern found. Check whether data derived from the page (scraped text, URLs) is sanitized before DOM insertion.
Pass criteria: Zero usages of innerHTML with unsanitized page data in content scripts. Usage of textContent or innerText is preferred. Usage of DOMPurify or an equivalent sanitizer library is acceptable. Report the count of DOM write operations found across all content scripts.
Fail criteria: innerHTML is set using variables derived from the DOM without sanitization. Do not pass when DOMPurify is imported but not actually applied to all innerHTML assignments.
Skip (N/A) when: No DOM modification in content scripts.
Detail on fail: "Potential XSS: Content script uses innerHTML with data extracted from the page."
Remediation: Use textContent to set text in your content scripts. If you must render HTML, use a sanitizer like DOMPurify.
// src/content.js — safe DOM manipulation
element.textContent = userConfiguredText; // Safe
Cross-reference: For CSP-based script injection prevention that complements content script sanitization, see the script-src-safe check in the CSP category.
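The "What to look for" and pass/fail criteria above can be approximated with a small static audit. The following is an added example, not code from the checker this page describes or from any extension: it scans one content script's source, counts the DOM write sinks named in the check, and flags each sink whose input is neither a plain string literal nor a DOMPurify.sanitize(...) call. The function names, the regexes and the sample script are all assumptions.

```javascript
// Added example, not code from the page's checker: a line-oriented static
// audit of a content script that counts DOM write sinks (innerHTML,
// outerHTML, document.write) and flags those fed anything other than a plain
// string literal or a DOMPurify.sanitize(...) call. All names are assumptions.
const ASSIGN_RE = /\.(innerHTML|outerHTML)\s*=(?!=)\s*(.+?);?\s*$/;
const WRITE_RE = /document\.write(?:ln)?\s*\((.*)\)\s*;?\s*$/;
const LITERAL_RE = /^'[^']*'$|^"[^"]*"$|^`[^`$]*`$/; // one literal, no ${}
const SANITIZED_RE = /^DOMPurify\.sanitize\(/;

// Crude trailing-comment strip; does not handle "//" inside string literals.
const stripComment = (line) => line.split('//')[0];
function auditContentScript(source) {
  const report = {
    writes: 0,        // every DOM write sink found
    unsanitized: [],  // sinks whose input is neither a literal nor sanitized
    sanitizerImported: /from\s+['"]dompurify['"]/.test(source),
  };
  source.split('\n').forEach((raw, idx) => {
    const line = stripComment(raw).trim();
    let m = line.match(ASSIGN_RE);
    let sink = m ? m[1] : null;
    let rhs = m ? m[2] : null;
    if (!m && (m = line.match(WRITE_RE))) { sink = 'document.write'; rhs = m[1]; }
    if (!sink) return;
    report.writes += 1;
    rhs = rhs.trim();
    if (LITERAL_RE.test(rhs) || SANITIZED_RE.test(rhs)) return;
    report.unsanitized.push({ line: idx + 1, sink, rhs });
  });
  return report;
}
// Maps a report onto the check's outcomes: N/A without DOM writes, fail on
// any unsanitized sink (even if DOMPurify is imported but not applied).
function verdict(report) {
  if (report.writes === 0) return 'n/a';
  return report.unsanitized.length === 0 ? 'pass' : 'fail';
}
// Constructed sample content script, not real extension code.
const SAMPLE_CONTENT_SCRIPT = [
  "import DOMPurify from 'dompurify';",
  "const title = document.querySelector('h1').textContent;",
  "banner.innerHTML = title;                    // page data, no sanitizer",
  "panel.innerHTML = DOMPurify.sanitize(title); // sanitized",
  "footer.innerHTML = '<b>static</b>';          // literal, not page data",
  "label.textContent = title;                   // safe sink",
  "document.write(location.href);               // page data, no sanitizer",
].join('\n');
const report = auditContentScript(SAMPLE_CONTENT_SCRIPT);
console.log(JSON.stringify(report), verdict(report)); // 4 writes, 2 unsanitized (lines 3, 7), "fail"
```

The sample deliberately imports DOMPurify but applies it to only one of the sinks, which is the "imported but not applied to all innerHTML assignments" case the fail criteria call out; a line-oriented regex audit is a triage aid and will miss multi-line assignments and aliased sinks.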