hwc-stimulus-fundamentals
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE
DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The Web Share API implementation in `references/2025-11-25-stimulus-web-share-api.md` demonstrates a pattern that fetches a resource from a URL provided via a Stimulus value (`this.fileValue`) and passes it to `navigator.share()`. This configuration allows the application to initiate network requests to arbitrary URLs defined in the element's data attributes and share the results.
- [REMOTE_CODE_EXECUTION]: Multiple documentation examples demonstrate insecure DOM manipulation patterns that create a surface for Client-Side Remote Code Execution (XSS):
  - `references/2023-12-19-stimulus-outlets-api.md` uses string-based replacement (`replaceAll`) on an HTML template string to inject variable data before using `insertAdjacentHTML` to modify the DOM.
  - `references/2023-10-24-stimulus-keyboardevent-101.md`, `references/2023-12-05-stimulus-auto-sorting.md`, and `references/2024-05-07-stimulus-target-callbacks.md` utilize `innerHTML` to update or clear the DOM using variable inputs or data-driven templates without sanitization.
Audit Metadata