🛡️ Sentinel: [HIGH] Fix DOM XSS vulnerability in error messages

[praxstack]

🚨 Severity: HIGH
💡 Vulnerability: Unescaped error messages from catch blocks and server responses were interpolated directly into the DOM using .innerHTML, allowing for Cross-Site Scripting (XSS) if error messages were manipulated or included malicious content from the file system, API endpoints, or intercepted requests.
🎯 Impact: An attacker could execute arbitrary JavaScript in the context of the code review application if an error string was maliciously crafted.
🔧 Fix: Applied the existing escapeHtml() function to error.message strings before they are interpolated into the template literals for DOM insertion across public/index.html.
✅ Verification: Playwright script executed overriding API responses with error payload containing XSS injection, confirmed payload was correctly rendered as text on the frontend instead of executing. All existing unit and server tests successfully passed.

---

PR created automatically by Jules for task 5929121902709727448 started by @praxstack

Summary by CodeRabbit

• Bug Fixes
  • Enhanced error message rendering across application UI components to ensure proper content display and handling in scenarios including staged changes, load states, and export operations.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Walkthrough

Error messages in the HTML template are now wrapped with escapeHtml() before insertion into the DOM. This prevents HTML injection vulnerabilities across multiple error rendering blocks while maintaining existing control flow and error handling logic.

Changes

Cohort / File(s)	Summary
Error Message Sanitization public/index.html	Wrapped error message interpolations with escapeHtml() function across multiple error blocks (no staged changes, loading diffs, export failures, etc.) to prevent HTML injection attacks.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A rabbit hops through the code with glee,
Escaping HTML for all to see,
No injections shall pass this day,
Error messages safe in every way! 🛡️

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: fixing a DOM XSS vulnerability in error messages, which aligns with the changeset's primary objective of escaping error messages to prevent HTML injection.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sentinel-fix-dom-xss-error-message-5929121902709727448

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

public/index.html (2)

878-886: Consider escaping in NotificationSystem for defense-in-depth.

While current usages of NotificationSystem.show() only pass hardcoded strings, the message parameter is inserted into the DOM via innerHTML without escaping. For consistency with the XSS hardening in this PR, consider escaping here as well to prevent future misuse.

🛡️ Suggested defensive improvement

             notification.innerHTML = `
                     <div style="display: flex; align-items: center; gap: 8px;">
                         <span>${this.getIcon(type)}</span>
-                        <span>${message}</span>
+                        <span>${escapeHtml(message)}</span>
                         <button onclick="this.parentElement.parentElement.remove()" style="background: none; border: none; color: white; cursor: pointer; font-size: 16px; margin-left: auto;">×</button>
                     </div>
                 `;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@public/index.html` around lines 878 - 886, The NotificationSystem currently
injects the unescaped message into the DOM via innerHTML in the show
implementation; change it to construct the DOM nodes instead (or escape the
message) so user content is never inserted as raw HTML: create the container and
icon span using this.getIcon(type) as before, create a separate message span and
set its textContent (or run the message through an HTML-escape helper) and
append a close button that removes the notification, then attach the assembled
nodes to notification instead of using innerHTML; update
NotificationSystem.show() (and any helper like getIcon if it returns HTML)
accordingly to ensure messages are inserted safely.

---

1642-1646: Solid escapeHtml implementation using browser-native encoding.

This DOM-based approach is a secure and efficient pattern. The browser's textContent→innerHTML conversion handles all HTML special characters correctly.

One minor consideration: if text is null or undefined (e.g., when error.message is undefined), this will display the literal string "null" or "undefined" in the UI rather than a more user-friendly fallback.

🔧 Optional: Add fallback for undefined/null error messages

 function escapeHtml(text) {
+    if (text == null) {
+        return 'An unknown error occurred';
+    }
     const div = document.createElement('div');
-    div.textContent = text;
+    div.textContent = String(text);
     return div.innerHTML;
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@public/index.html` around lines 1642 - 1646, The escapeHtml function
currently uses a DOM-based encoding but will render the literal
"null"/"undefined" if called with null/undefined (e.g., error.message). Update
escapeHtml to coerce its input to a safe fallback before encoding (for example
treat null/undefined as an empty string or "Unknown error") so div.textContent
never receives null/undefined; keep the DOM textContent→innerHTML approach and
only change the initial text normalization in escapeHtml.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@public/index.html`:
- Around line 878-886: The NotificationSystem currently injects the unescaped
message into the DOM via innerHTML in the show implementation; change it to
construct the DOM nodes instead (or escape the message) so user content is never
inserted as raw HTML: create the container and icon span using
this.getIcon(type) as before, create a separate message span and set its
textContent (or run the message through an HTML-escape helper) and append a
close button that removes the notification, then attach the assembled nodes to
notification instead of using innerHTML; update NotificationSystem.show() (and
any helper like getIcon if it returns HTML) accordingly to ensure messages are
inserted safely.
- Around line 1642-1646: The escapeHtml function currently uses a DOM-based
encoding but will render the literal "null"/"undefined" if called with
null/undefined (e.g., error.message). Update escapeHtml to coerce its input to a
safe fallback before encoding (for example treat null/undefined as an empty
string or "Unknown error") so div.textContent never receives null/undefined;
keep the DOM textContent→innerHTML approach and only change the initial text
normalization in escapeHtml.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: aae15a8e-12a7-4202-9934-adffca05cde3

📥 Commits

Reviewing files that changed from the base of the PR and between 55c95d0 and e82f798.

📒 Files selected for processing (1)

• public/index.html