
Escape dynamic scan result text in UI rendering#8

Merged
Therosin merged 2 commits into develop from codex/update-setresults-for-html-escaping on Mar 1, 2026

Conversation

@Therosin
Member

@Therosin Therosin commented Mar 1, 2026

Motivation

  • Prevent HTML interpretation or injection when displaying dynamic scan/clean results so filenames and rename paths render literally in the results list.
  • Preserve existing trusted generated UI text (section headers and counts) while ensuring all user-controlled strings are escaped before interpolation.

Description

  • Added an escapeHtml(value) helper inside the embedded UI script to escape &, <, >, ", and ' before rendering.
  • Updated setResults(data) to call escapeHtml for all dynamic values shown in result rows (rename.from, rename.to, and removal file entries) before assigning innerHTML.
  • Documented a manual UI regression-check in README.md instructing how to verify literal rendering for filenames containing < and >.

Testing

  • Ran deno task test (via deno test -A), which failed in this environment due to an external JSR package metadata fetch error for @std/assert@1.0.19 and not because of local code changes.
  • Attempted an automated UI page check via the bundled Playwright helper, which failed because no local web server was available to serve the UI; a manual verification step is documented in README.md.

Codex Task
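The escaping pattern this PR describes, as an added example that is not the project's own main.ts code: an escapeHtml helper covering the five characters named above, and a results renderer that escapes the dynamic rename/removal values while leaving the UI-generated headers and counts unescaped. The result field names (renames, removals, from, to) and the sample data are assumptions constructed for the example.

```javascript
// Added example, not code from the project. Map the five characters that can
// change meaning in HTML text or attribute values to their entities.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a single untrusted value for interpolation into innerHTML.
// Non-string input (numbers, undefined) is coerced so it renders predictably.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the results markup from untrusted scan data. Field names are an
// assumption, not the project's real result schema.
function renderResults(data) {
  const rows = [];
  // Section headers and counts are generated by the UI itself, so they are
  // interpolated as trusted text, matching the PR's stated approach.
  rows.push(`<h3>Renames (${data.renames.length})</h3>`);
  for (const r of data.renames) {
    rows.push(`<li>${escapeHtml(r.from)} &rarr; ${escapeHtml(r.to)}</li>`);
  }
  rows.push(`<h3>Removals (${data.removals.length})</h3>`);
  for (const file of data.removals) {
    rows.push(`<li>${escapeHtml(file)}</li>`);
  }
  return rows.join("\n");
}

// Regression check: true only if no raw tag from the input survives escaping.
function rendersLiterally(html) {
  return !/<(script|b)\b/i.test(html);
}

// Constructed sample: filenames carrying markup and all five special
// characters, in the spirit of the README's manual check for < and >.
const SAMPLE = {
  renames: [{ from: "a<b>.txt", to: "\"q\" & 'single'.txt" }],
  removals: ["<script>x</script>.bin"],
};

// In the real UI this string would be assigned to the results list's innerHTML.
const html = renderResults(SAMPLE);
```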

Copilot AI review requested due to automatic review settings March 1, 2026 14:42
Contributor

Copilot AI left a comment


Pull request overview

This PR hardens the embedded UI results rendering to prevent HTML interpretation/injection when displaying scan/clean outputs (e.g., file paths and rename directives), ensuring user-controlled strings are shown literally.

Changes:

  • Added an escapeHtml(value) helper to escape HTML special characters before rendering dynamic content.
  • Updated setResults(data) to escape rename.from, rename.to, and removal file entries before assigning innerHTML.
  • Added a manual UI regression-check section to the README.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

main.ts: Escapes user-controlled scan results before injecting markup into the results list.
README.md: Documents a manual regression check for literal rendering of special characters in results.


@Therosin Therosin merged commit 901524b into develop Mar 1, 2026
2 checks passed
@Therosin Therosin deleted the codex/update-setresults-for-html-escaping branch March 1, 2026 14:59