hwc-forms-validation
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE
PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The `references/2023-11-07-turbo-frames-typeahead-search.md` file demonstrates a typeahead search pattern that is susceptible to indirect injection.
  - Ingestion points: Untrusted user input is captured from a search field (`#query`) and processed via JavaScript.
  - Boundary markers: There are no boundary markers or instructions to isolate the user input from the execution context.
  - Capability inventory: The script utilizes `innerHTML` to modify the DOM by performing a string replacement on the frame's content, which allows for dynamic UI alteration.
  - Sanitization: The implementation lacks sanitization for the regular expression (allowing for potential ReDoS) and does not escape HTML characters before re-injecting content into the DOM, creating an XSS risk if the matched text is untrusted.
- [EXTERNAL_DOWNLOADS]: The documentation examples reference official Hotwire and Stimulus libraries from the well-known JSPM CDN (`ga.jspm.io`). These references are standard for the technologies being used and are considered safe practice for development examples.
Audit Metadata