From 41793907991b2f859b664a2b60af7972197f3c5d Mon Sep 17 00:00:00 2001
From: Garry Tan
Date: Mon, 20 Apr 2026 11:06:54 +0800
Subject: [PATCH] fix(ui): escapeHtml must escape quote characters too
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

DOM text-node serialization escapes & < > but NOT " or '. Call sites that interpolate escapeHtml output inside attribute values (title="...", data-x="...") were vulnerable to attribute-injection: an attacker- influenced CSS property value (rule.selector, prop.value from the inspector) or agent status field landing in one of those attributes could break out with " onload=alert(1). Add explicit quote escaping in escapeHtml + keep existing callers working (no breakage — output is strictly more escaped, not less). Caught by claude adversarial subagent. The earlier banner-layer fix was the same class of bug but on a different code path.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 extension/sidepanel.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/extension/sidepanel.js b/extension/sidepanel.js
index 168e3d1a..b64c3f37 100644
--- a/extension/sidepanel.js
+++ b/extension/sidepanel.js
@@ -955,7 +955,13 @@ function addEntry(entry) {
 function escapeHtml(str) {
 const div = document.createElement('div');
 div.textContent = str;
- return div.innerHTML;
+ // DOM text-node serialization escapes &, <, > but NOT " or '. Call sites
+ // that interpolate escapeHtml output inside an attribute value (title="...",
+ // data-x="...") need those escaped too or an attacker-controlled value can
+ // break out of the attribute. Add both manually.
+ return div.innerHTML .replace(/"/g, '"') .replace(/'/g, ''');
 }
 // ─── SSE Connection ─────────────────────────────────────────────
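Review bot: On the new `return` line the replacement strings read as the bare characters `"` and `'` rather than HTML entities, which would make the first `.replace` a no-op and leave `'''` as an unterminated string literal; this is most likely an entity-decoding artifact of how the patch was rendered here, but it should be checked against the committed file, which should read `.replace(/"/g, '&quot;').replace(/'/g, '&#39;')`. A unit test pinning `escapeHtml('"\'')` to `&quot;&#39;` would catch either regression and documents the contract the commit message relies on. The new comment explains why quotes are escaped but not which contexts the result is safe for; a header such as `/** Escape str for HTML text content and for double- or single-quoted attribute values. Not sufficient for unquoted attributes, URLs, event-handler attributes or inline style. */` would keep callers from reusing it in a context it does not cover.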