Improve remote handling in job posting schema #51
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
| <script type="application/ld+json"> | ||
| { | ||
| "@@context": "https://schema.org/", | ||
| "@@type": "JobPosting", | ||
| "title": @json($job->title), | ||
| "description": @json($job->description), | ||
| "identifier": { | ||
| "@@type": "PropertyValue", | ||
| "name": @json($job->company->name), | ||
| "value": @json((string) $job->id) | ||
| }, | ||
| "datePosted": @json(optional($job->created_at)->toIso8601String()), | ||
| "employmentType": "FULL_TIME", | ||
| "hiringOrganization": { | ||
| "@@type": "Organization", | ||
| "name": @json($job->company->name), | ||
| "sameAs": @json($job->company->url), | ||
| "logo": @json($job->company->logo) | ||
| }, | ||
| "jobLocationType": @json($job->setting === 'fully-remote' ? 'TELECOMMUTE' : null), | ||
| "jobLocation": { | ||
| "@@type": "Place", | ||
| "name": @json(collect($job->locations)->first()) | ||
| }, | ||
| "baseSalary": { | ||
| "@@type": "MonetaryAmount", | ||
| "currency": @json($job->currency ?? 'USD'), | ||
| "value": { | ||
| "@@type": "QuantitativeValue", | ||
| "minValue": @json($job->min_salary), | ||
| "maxValue": @json($job->max_salary), | ||
| "unitText": "YEAR" | ||
| } | ||
| }, | ||
| "directApply": false | ||
| } | ||
| {!! json_encode($jobPostingSchema, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE) !!} | ||
| </script> |
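Review bot: the new `{!! json_encode($jobPostingSchema, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE) !!}` line is printed unescaped inside `<script type="application/ld+json">`, and `JSON_UNESCAPED_SLASHES` means a `</script>` in any user-editable field carried by the schema (`title`, `description`, company `name`) reaches the browser verbatim and ends the script block early. Suggest dropping `JSON_UNESCAPED_SLASHES` or adding `JSON_HEX_TAG` so `<` and `>` are emitted as `\u003C`/`\u003E`; JSON-LD consumers decode both forms to the same string. It would also help to include the code that builds `$jobPostingSchema` in this PR, since the replaced `jobLocationType` expression (`$job->setting === 'fully-remote' ? 'TELECOMMUTE' : null`) is the remote handling the title says is improved, and its replacement is not visible in this hunk.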
Escape script-closing sequences in JSON-LD output
The job detail template renders the JSON-LD schema with JSON_UNESCAPED_SLASHES. If any user-controlled field (title, description, etc.) contains </script>—for example </script><script>alert(1)</script>—the closing tag is emitted verbatim inside the <script type="application/ld+json"> block. Browsers will terminate the JSON-LD block and execute the injected JavaScript, giving a stored XSS vector to whoever can edit a job. Dropping the JSON_UNESCAPED_SLASHES flag (or otherwise escaping </script>) prevents this.
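The escaping difference Codex describes, as an added PHP example that is not part of the PR or the project; `renderJsonLd()`, `payloadClosesScript()` and the hostile title are constructed for this demo:

```php
<?php
declare(strict_types=1);

// Added example: compares json_encode() flag sets for a JSON-LD block
// that embeds user-controlled fields. Names below are hypothetical.

/** Constructed sample: a job title carrying a script-closing sequence. */
const HOSTILE_TITLE = 'Engineer</script><script>alert(1)</script>';

/** Render the JSON-LD block with the given json_encode() flags. */
function renderJsonLd(array $schema, int $flags): string
{
    $json = json_encode($schema, $flags | JSON_THROW_ON_ERROR);
    return '<script type="application/ld+json">' . $json . '</script>';
}

/** True if a literal "</script" appears inside the JSON payload itself. */
function payloadClosesScript(string $html): bool
{
    $prefix = '<script type="application/ld+json">';
    $inner  = substr($html, strlen($prefix), -strlen('</script>'));
    return stripos($inner, '</script') !== false;
}

$schema = [
    '@context' => 'https://schema.org/',
    '@type'    => 'JobPosting',
    'title'    => HOSTILE_TITLE,
];

// Flags as in the PR: "/" is left unescaped, so the closing tag survives intact.
$asInPr = renderJsonLd($schema, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
var_dump(payloadClosesScript($asInPr));

// Fix 1: drop JSON_UNESCAPED_SLASHES; "/" becomes "\/" and "<\/script>" cannot close the tag.
$fixedSlashes = renderJsonLd($schema, JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE);
var_dump(payloadClosesScript($fixedSlashes));

// Fix 2: keep readable slashes but encode "<" and ">" as \u003C and \u003E.
$fixedHexTag = renderJsonLd($schema, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE | JSON_HEX_TAG);
var_dump(payloadClosesScript($fixedHexTag));

// Either fix is lossless: decoding the escaped JSON returns the original title.
var_dump(json_decode(json_encode($schema, JSON_HEX_TAG), true)['title'] === HOSTILE_TITLE);
```

Only the first `payloadClosesScript()` call reports a closing tag inside the payload; both fixes remove it while the decoded title stays byte-identical.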
Summary
Testing
https://chatgpt.com/codex/tasks/task_e_68e27f276c508321b0c098be8698d0b3