From e82f79848d90693c661a35b9df4d55f1695bea9c Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Mon, 9 Mar 2026 16:19:33 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]=20Fi?=
 =?UTF-8?q?x=20DOM=20XSS=20vulnerability=20in=20error=20messages?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: praxstack <73683289+praxstack@users.noreply.github.com>
---
 public/index.html | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/public/index.html b/public/index.html
index 44fbbc0..5cb8b0a 100644
--- a/public/index.html
+++ b/public/index.html
@@ -840,7 +840,7 @@ <h4>💡 Quick Templates:</h4>
                 element.innerHTML = `
                     <div class="error-message">
                         <span>❌</span>
-                        <span>${message}</span>
+                        <span>${escapeHtml(message)}</span>
                         <button onclick="location.reload()" style="margin-left: 10px; padding: 4px 8px; background: #f85149; color: white; border: none; border-radius: 4px; cursor: pointer;">
                             🔄 Retry
                         </button>
@@ -1253,7 +1253,7 @@ <h3>No Staged Changes</h3>
             } catch (error) {
                 document.getElementById('fileList').innerHTML = `
                     <div class="error-message">
-                        Error loading files: ${error.message}
+                        Error loading files: ${escapeHtml(error.message)}
                     </div>
                 `;
             }
@@ -1284,7 +1284,7 @@ <h3>No Staged Changes</h3>
                     renderDiff(diffDiv, data.diff, file, data.parsedDiff);
                     updateFileStats(fileId, data.diff);
                 } catch (error) {
-                    diffDiv.innerHTML = `<div class="error-message">Error loading diff: ${error.message}</div>`;
+                    diffDiv.innerHTML = `<div class="error-message">Error loading diff: ${escapeHtml(error.message)}</div>`;
                 }
             } else {
                 renderDiff(diffDiv, allDiffs[file], file, allParsedDiffs[file]);
@@ -1550,7 +1550,7 @@ <h3>No Staged Changes</h3>
                 const container = document.querySelector('.container');
                 const errorDiv = document.createElement('div');
                 errorDiv.className = 'error-message';
-                errorDiv.innerHTML = `<strong>❌ Export Failed:</strong> ${error.message}`;
+                errorDiv.innerHTML = `<strong>❌ Export Failed:</strong> ${escapeHtml(error.message)}`;
                 container.insertBefore(errorDiv, container.firstChild);
 
                 setTimeout(() => {
@@ -1628,7 +1628,7 @@ <h3>No Staged Changes</h3>
                 const container = document.querySelector('.container');
                 const errorDiv = document.createElement('div');
                 errorDiv.className = 'error-message';
-                errorDiv.innerHTML = `<strong>❌ Individual Export Failed:</strong> ${error.message}`;
+                errorDiv.innerHTML = `<strong>❌ Individual Export Failed:</strong> ${escapeHtml(error.message)}`;
                 container.insertBefore(errorDiv, container.firstChild);
 
                 setTimeout(() => {