Code Quality ADO extension downloading bogus projects list

In Azure DevOps, when trying to configure a dashboard, I am trying to use the Code Quality widget.
It presents some fake list of projects with XSS attempts:
https://sonarcloud.io/api/components/search_projects?ps=1

It always returns this (contains XSS!):

{
  "paging": {
    "pageIndex": 1,
    "pageSize": 10,
    "total": 10000
  },
  "organizations": [],
  "components": [
    {
      "organization": "pavithrak4795",
      "key": "pavithrak4795_test",
      "name": "\"\"",
      "isFavorite": false,
      "tags": [],
      "visibility": "public",
      "isNew": false
    },
    {
      "organization": "reversescallop",
      "key": "reversescallop_a",
      "name": "\"\u003e\u003c/svg/onload\u003dalert(1)\u003e",
      "isFavorite": false,
      "tags": [],
      "visibility": "public",
      "isNew": false
    },
    {
      "organization": "ikhsanhaw",
      "key": "ikhsanhaw_cokss\"\u003e\u003ch1\u003eAA\u003c/h1\u003e",
      "name": "\"\u003e\u003cimg src\u003dx onerror\u003dalert(1)\u003e",
      "isFavorite": false,
      "tags": [],
      "visibility": "public",
      "isNew": false
    },
    {
      "organization": "1212121212",
      "key": "asdasdsadasdasdasdasdasd",
      "name": "\"\u003e\u003cimg src\u003dx onerror\u003dprompt(document.domain)\u003e",
      "isFavorite": false,
      "tags": [],
      "visibility": "public",
      "isNew": false
    },
    {
      "organization": "arun-sashi",
      "key": "arun_sashi_cat-sports-trading-cards\"",
      "name": "\"Cat Sports Trading Cards\"",
      "isFavorite": false,
      "tags": [
        "0.0.0"
      ],
      "visibility": "public",
      "isNew": false
    },
    {
      "organization": "clm-public",
      "key": "\"corona-cdlp-frontend\"",
      "name": "\"corona-cdlp-frontend\"",
      "isFavorite": false,
      "tags": [],
      "visibility": "public",
      "isNew": false
    },
    {
      "organization": "pranaydua1987",
      "key": "pranaydua1987_demoProject1",
      "name": "\"demoProject1\"",
      "isFavorite": false,
      "tags": [],
      "visibility": "public",
      "eligibilityStatus": "COMPLETED",
      "eligible": true,
      "isNew": false
    },
    {
      "organization": "zepdev",
      "key": "zepdev_design-system-website",
      "name": "\"Design System Website\"",
      "isFavorite": false,
      "tags": [],
      "visibility": "public",
      "eligibilityStatus": "COMPLETED",
      "eligible": false,
      "isNew": false
    },
    {
      "organization": "vcamargo-github",
      "key": "vcamargo:dice-roller",
      "name": "\"Dice Roller\"",
      "isFavorite": false,
      "tags": [],
      "visibility": "public",
      "isNew": false
    },
    {
      "organization": "madhii",
      "key": "\"dotnetpjct\"",
      "name": "\"dotnetpjct\"",
      "isFavorite": false,
      "tags": [],
      "visibility": "public",
      "isNew": false
    }
  ],
  "facets": []
}

Hey there.

Rather than bogus projects, these are a list of public projects on SonarCloud. It’s a good catch that these projects seem to be attempting an XSS attack (which is thwarted by SonarCloud and Azure DevOps). It’s not a great experience, and I’ll pass this feedback along.

If you’re logged into SonarCloud, you should also see My Projects when configuring the widget, which is a list of projects you have access to.
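The following is an added example, not part of the original thread and not the extension's own code. It shows how a widget that consumes a `search_projects` response like the one above can treat `key` and `name` as untrusted text when building a project picker. The function names are hypothetical, and the sample input is built from three entries of the response quoted in the question.

```javascript
// Sample input: three components copied from the response quoted above.
const SAMPLE_RESPONSE = {
  components: [
    { organization: "reversescallop", key: "reversescallop_a",
      name: "\"\u003e\u003c/svg/onload\u003dalert(1)\u003e" },
    { organization: "ikhsanhaw",
      key: "ikhsanhaw_cokss\"\u003e\u003ch1\u003eAA\u003c/h1\u003e",
      name: "\"\u003e\u003cimg src\u003dx onerror\u003dalert(1)\u003e" },
    { organization: "vcamargo-github", key: "vcamargo:dice-roller",
      name: "\"Dice Roller\"" },
  ],
};

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape every character that can end a text node or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build <option> elements; both the attribute value (key) and the visible
// label (organization / name) are escaped, because both are user-controlled.
// In a browser, setting option.value and option.textContent avoids string
// building altogether and is the preferred approach.
function renderProjectOptions(response) {
  return response.components
    .map((c) => {
      const value = escapeHtml(c.key);
      const label = escapeHtml(`${c.organization} / ${c.name}`);
      return `<option value="${value}">${label}</option>`;
    })
    .join("\n");
}

// Heuristic for triage or logging: organizations whose project key or name
// carries angle brackets, which a legitimate project name rarely needs.
function flagSuspicious(response) {
  const hasMarkup = (v) => /[<>]/.test(String(v));
  return response.components
    .filter((c) => hasMarkup(c.key) || hasMarkup(c.name))
    .map((c) => c.organization);
}

console.log(renderProjectOptions(SAMPLE_RESPONSE));
console.log("flagged:", flagSuspicious(SAMPLE_RESPONSE));
```

With escaping applied, the project names show up in the picker as literal text, which is the "not a great experience" outcome described in the reply rather than script execution.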