From 461a6e6b18eb37429778847a5c5e06c022f28359 Mon Sep 17 00:00:00 2001
From: Garry Tan
Date: Mon, 20 Apr 2026 07:17:07 +0800
Subject: [PATCH] fix(ui): use textContent for security banner layer labels
Was `div.innerHTML = \`\${label}...\`` with label coming from an event field. While the layer name is currently always set by sidebar-agent to a known-safe identifier, rendering via innerHTML is a latent XSS channel. Switch to document.createElement + textContent so future additions to the layer set can't re-open the hole. Caught by pre-landing review.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 extension/sidepanel.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/extension/sidepanel.js b/extension/sidepanel.js
index cb11d244..168e3d1a 100644
--- a/extension/sidepanel.js
+++ b/extension/sidepanel.js
@@ -156,7 +156,14 @@ function showSecurityBanner(event) {
 const score = Number(row.confidence).toFixed(2);
 const div = document.createElement('div');
 div.className = 'security-banner-layer';
- div.innerHTML = `${label}${score}`;
+ const nameSpan = document.createElement('span');
+ nameSpan.className = 'security-banner-layer-name';
+ nameSpan.textContent = label;
+ const scoreSpan = document.createElement('span');
+ scoreSpan.className = 'security-banner-layer-score';
+ scoreSpan.textContent = score;
+ div.appendChild(nameSpan);
+ div.appendChild(scoreSpan);
 layersEl.appendChild(div);
 }
 }
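Review bot: The reason for building two spans by hand now lives only in the commit message; the new `nameSpan` lines deserve a one-line comment so a later edit does not fold this back into a template string, e.g. `// label and score come from the event payload: set via textContent, never innerHTML`. The two `appendChild` calls at the end of the added block can be a single `div.append(nameSpan, scoreSpan);`. `score` is `Number(row.confidence).toFixed(2)`, so a missing or non-numeric confidence renders as the literal string `NaN` rather than being skipped; whether that is intended cannot be told from the hunk. `label` and `row` are assigned before the hunk, and showSecurityBanner begins outside it.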