Conversation
devGregA commented Feb 20, 2026
- Improves styling with branding guide as reference
- separates OS vs Pro in more areas
Update the documentation site CSS/SCSS to align with DefectDojo Brand Guidelines V1. This includes brand colors (Fuji Blue, Torii Orange, Dojo Black palettes), Work Sans typography with proper weight hierarchy (Semi Bold headlines, Medium nav/buttons, Regular body), and full light/dark mode support. No content or navigation changes.

- Add Work Sans font weights: Light (300), Italic (400i), Semi Bold (600), Semi Bold Italic (600i)
- Set Bootstrap variable overrides for brand colors and typography
- Style navbar, sidebar, buttons, cards, code blocks, and DocSearch with brand palette
- Add dark mode adaptations using lighter brand color variants
- Move CTA button styles from inline to SCSS (.btn-cta class)
- Update DocSearch modal colors from generic purple to Fuji Blue
- Remove deprecated getjson cache config for Hugo v0.131+ compat
- Remove unused Jost font preloads from resource hints

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Declutter header: remove release notes API fetch, border around search, consolidate social icons to just GitHub (rest moved to footer)
- Add skip-to-content link and id="main-content" target for accessibility
- Remove emoji chevrons from nav menu items
- Create branded multi-column footer with docs, community, company links
- Redesign homepage with hero section, two CTAs, and 6 icon nav cards
- Brand the 404 page with large display number and action buttons
- Add description/lead text to section list page cards
- Enable breadcrumb trail and back-to-top button via Doks params
- Replace sidebar inline styles with proper CSS classes
- Add scroll progress bar (blue-to-orange gradient) on doc pages
- Comprehensive SCSS: footer, hero, home cards, 404, back-to-top, breadcrumbs, typography, TOC active indicator, header nav pills, sidebar chevron rotation, print styles, focus-visible outlines, prefers-reduced-motion support
- Fix copyright from "Thulite" to "DefectDojo Inc."

No markdown content files were modified.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Increase nav text size and add social links (GitHub, LinkedIn, YouTube, X) to header
- Restyle search button with solid background, icon, and keyboard shortcut indicator
- Reduce spacing between logo and nav row
- Change hero CTAs to brand-aligned colors (Fuji Blue primary, Dojo Black outline)
- Expand homepage to 8 symmetric tiles (4×2 grid) with title case headings
- Update tool count from 190+ to 200+
- Update footer tagline to align with brand messaging

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…rk mode logo fix

- Title case top navigation menu items (Get Started, Import Data, etc.)
- Add version-toggled dashboard images on About and Dashboard pages
- Hide Pro-versioned content by default via CSS
- Fix version toggle to use display:block instead of empty string
- Update dark mode logo SVG fill color for visibility

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

…olors

- Hide DocSearch/Algolia logo in search modal via CSS
- Add version-toggled OS content for Introduction Dashboard page
- Mark Custom Dashboard Tiles as pro-only via audience front matter
- Fix dark mode SVG logo to use proper background (#212529) and foreground (#FFFFFF) colors

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
🟡 Please give this pull request extra attention during review. This pull request introduces multiple instances where Hugo templates render content without proper escaping or sanitization (e.g., raw .Content and page params in layouts/_default/list.html, use of safeHTML on .Params.lead in layouts/home.html, and safeHTML on menu .Pre in _partials/footer/footer.html), creating potential stored XSS vectors if authors or site configuration can be influenced by untrusted input. These findings are risky but non-blocking and recommend applying context-aware escaping or sanitization before emitting user- or config-supplied HTML.
🟡 Potential Cross-Site Scripting in
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | The patch renders .Content and several page parameters (.Params.title, .Description, .Params.lead, .RelPermalink) directly into HTML without applying explicit escaping or context-aware sanitization. In Hugo (Go templates) .Content is the rendered HTML of a page and is intentionally raw HTML; inserting it unescaped into a page will include any embedded HTML/scripts from the source. Similarly, using params like .Params.lead or .Description without filters relies on their contents being trusted; if authors or upstream content can include untrusted markup, that will be emitted raw. There is no evidence in the patch of contextual escaping (e.g., htmlEscape) or sanitization (e.g., passing through a sanitizer) before output, so user-supplied or content-supplied HTML can reach the rendering sink unsanitized. |
django-DefectDojo/docs/layouts/_default/list.html, lines 6 to 9 in b876803
🟡 Potential Cross-Site Scripting in docs/layouts/_partials/footer/footer.html (7d69853b)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | The template iterates over .Site.Menus.social and renders .Pre using the safeHTML filter ({{ .Pre safeHTML }}). safeHTML disables Hugo's automatic escaping and inserts raw HTML into the page. Menu fields such as .Pre, .URL, and .Name are content-driven and may originate from site configuration or CMS-managed data; if an attacker can modify those menu entries (or if configuration contains untrusted input), arbitrary HTML/JS can be injected into the footer. No sanitization is applied before rendering with safeHTML, and surrounding attributes (href and aria-label) are not further validated or escaped in a context-appropriate way, so a path exists for malicious input to reach an HTML sink unsafely. |
django-DefectDojo/docs/layouts/_partials/footer/footer.html, lines 54 to 57 in b876803
🟡 Potential Cross-Site Scripting in docs/layouts/home.html (9d584e69)
| Vulnerability | Potential Cross-Site Scripting |
|---|---|
| Description | The template uses the Hugo 'safeHTML' filter on .Params.lead ("{{ .Params.lead safeHTML }}"), which disables template auto-escaping and will render raw HTML. If .Params.lead can be influenced by an attacker (e.g., from page front-matter or CMS input), that user-controlled content would be injected into the page without escaping, allowing stored or reflected XSS. |
django-DefectDojo/docs/layouts/home.html, lines 11 to 14 in b876803
All finding details can be found in the DryRun Security Dashboard.
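The three findings above describe one mechanism, so a single illustration covers them. The Go program below is added here as an example; it is not code from the DefectDojo repository or from Hugo. It uses Go's html/template, the engine Hugo layouts run on, to render a constructed hostile menu entry three ways: with the default contextual escaping, with .Pre wrapped in template.HTML (Hugo's safeHTML does exactly this wrapping, and Hugo's .Content is already of that type), and through an allowlist where configuration supplies only an icon name and the template owns the markup. The MenuEntry and footerLink types, the trustedIcons table and its SVG snippets are assumptions made for this example, not DefectDojo's own types or icons.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// MenuEntry is a hypothetical stand-in for the fields a Hugo menu entry
// exposes to a template (.Name, .URL, .Pre). Not Hugo's own type.
type MenuEntry struct {
	Name string
	URL  string
	Pre  string
}

// footerLink is what the template actually receives. Pre is `any` so the
// same template can be given a plain string (auto-escaped) or a
// template.HTML value (emitted verbatim, which is what safeHTML produces).
type footerLink struct {
	Name string
	URL  string
	Pre  any
}

// The footer markup under review: an anchor whose icon comes from .Pre.
// html/template picks the escaper per context (URL attribute, plain
// attribute, element body) and only skips escaping for template.HTML values.
var footerTmpl = template.Must(template.New("footer").Parse(
	`<a href="{{ .URL }}" aria-label="{{ .Name }}">{{ .Pre }}</a>`))

// Constructed hostile entry, as if an attacker could edit the site config.
var hostile = MenuEntry{
	Name: `GitHub" onmouseover="alert(1)`,
	URL:  "javascript:alert(document.cookie)",
	Pre:  `<svg onload="alert('xss')"></svg>`,
}

func renderLink(l footerLink) string {
	var buf bytes.Buffer
	if err := footerTmpl.Execute(&buf, l); err != nil {
		panic(err) // template and data are fixed here; a failure is a bug
	}
	return buf.String()
}

// RenderEscaped is the default path: every field is contextually escaped.
// The javascript: URL is replaced by "#ZgotmplZ", the quote in Name becomes
// &#34;, and the <svg> in Pre is rendered as text.
func RenderEscaped(e MenuEntry) string {
	return renderLink(footerLink{Name: e.Name, URL: e.URL, Pre: e.Pre})
}

// RenderSafeHTML reproduces {{ .Pre | safeHTML }}: the string is wrapped in
// template.HTML, so html/template emits it without escaping. Note that URL
// and Name are still escaped; safeHTML only disarms the value it wraps.
func RenderSafeHTML(e MenuEntry) string {
	return renderLink(footerLink{Name: e.Name, URL: e.URL, Pre: template.HTML(e.Pre)})
}

// trustedIcons is the allowlist alternative: config names an icon, the
// template owns the markup. Snippets are placeholders for this example.
var trustedIcons = map[string]template.HTML{
	"github":   `<svg class="icon"><use href="#icon-github"/></svg>`,
	"linkedin": `<svg class="icon"><use href="#icon-linkedin"/></svg>`,
}

// RenderAllowlisted treats .Pre as an icon name. Unknown names (including any
// raw markup smuggled in via config) map to the zero value and render nothing.
func RenderAllowlisted(e MenuEntry) string {
	icon := trustedIcons[e.Pre]
	return renderLink(footerLink{Name: e.Name, URL: e.URL, Pre: icon})
}

func main() {
	fmt.Println("escaped:     ", RenderEscaped(hostile))
	fmt.Println("safeHTML:    ", RenderSafeHTML(hostile))
	fmt.Println("allowlisted: ", RenderAllowlisted(MenuEntry{
		Name: "GitHub", URL: "https://github.com/DefectDojo", Pre: "github"}))
	fmt.Println("unknown icon:", RenderAllowlisted(hostile))
}
```

Running it shows the escaped path neutralising all three fields, the safeHTML path emitting the onload handler verbatim while the href is still rewritten to #ZgotmplZ, and the allowlist path emitting a fixed icon or nothing. Because .Content already has type template.HTML in Hugo, `{{ .Content }}` takes the second path by design; whether raw HTML in a markdown file survives into it is decided by Goldmark's renderer.unsafe setting (off by default), not by anything the template can do.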
Content is ok but I'll see if we can address the XSS issue.