🛡️ Sentinel: [HIGH] Fix XSS vulnerability in DescriptionPreview

[bobdivx]

🚨 Severity: HIGH
💡 Vulnerability: Unsanitized HTML rendering via dangerouslySetInnerHTML in the DescriptionPreview component. The component accepts a raw HTML string (html prop) or processes a BBCode input into HTML and sets it directly, exposing the application to Cross-Site Scripting (XSS).
🎯 Impact: If an attacker provides malicious HTML or BBCode (such as injecting <script> tags or malicious event handlers like onload), it could execute arbitrary JavaScript within the user's browser/Tauri view, leading to session hijacking, data theft, or arbitrary actions on behalf of the user.
🔧 Fix: Imported and integrated isomorphic-dompurify to sanitize all HTML strings before they are injected into the DOM. This library was chosen because the application uses Astro/Preact and might render on the server where a standard dompurify without window would fail.
✅ Verification: Ran npm test. Verified that DOMPurify.sanitize() correctly strips executable scripts while preserving safe formatting tags (like headings and formatting elements mapped to CSS classes).

---

PR created automatically by Jules for task 10285653423355465837 started by @bobdivx

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
popcorn-client	Ready	Preview, Comment	Mar 12, 2026 7:18am

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical high-severity Cross-Site Scripting (XSS) vulnerability within the DescriptionPreview component. By introducing robust HTML sanitization using the isomorphic-dompurify library, the application is now protected against malicious script injection through unsanitized HTML or BBCode inputs. This change significantly improves the security posture of the application by ensuring that all user-generated content rendered in the preview is safe and free from executable code. Additionally, various development and runtime dependencies have been updated to their latest stable versions.

Highlights

• XSS Vulnerability Remediation: Integrated isomorphic-dompurify into the DescriptionPreview component to sanitize all HTML content, effectively preventing Cross-Site Scripting (XSS) attacks.
• Dependency Management: Updated vitest and several other project dependencies to their latest versions, enhancing stability and security.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• package-lock.json
  • Introduced isomorphic-dompurify and its transitive dependencies, including dompurify and jsdom.
  • Updated vitest and its associated packages to 4.0.18.
  • Updated @asamuzakjp/dom-selector and @csstools/css-syntax-patches-for-csstree.
  • Revised dependency metadata by removing dev: true flags from numerous entries, streamlining the dependency graph.
• package.json
  • Added isomorphic-dompurify as a new dependency.
  • Updated vitest to version 4.0.18.
• src/components/upload/DescriptionPreview.tsx
  • Imported the DOMPurify library.
  • Modified the sanitizePreviewHtml function to utilize DOMPurify.sanitize() for all incoming HTML, ensuring content safety.

Activity

• PR created automatically by Jules for task 10285653423355465837 started by @bobdivx.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request effectively addresses a high-severity XSS vulnerability in the DescriptionPreview component by introducing isomorphic-dompurify to sanitize HTML before rendering. The implementation is correct and follows security best practices. I've pointed out one medium-severity issue where the fix causes a minor functional regression for the [center] BBCode tag, and I've suggested a way to resolve it.

[gemini-code-assist]

This change correctly fixes the XSS vulnerability by sanitizing the HTML. However, it introduces a functional regression: the [center] BBCode tag will no longer center text content.

This is because DOMPurify.sanitize() strips inline style attributes by default for security reasons. The bbcodeToHtml function (in src/lib/bbcode-to-html.ts) generates an inline style="text-align:center" for the [center] tag, which will now be removed.

While the component's CSS in PREVIEW_CLASS has styles for .bbcode-center, they only center block-level elements, not inline text.

A good solution would be to handle all styling via CSS classes instead of inline styles. You could consider adding a text-center utility class to the styles for .bbcode-center within the PREVIEW_CLASS constant. This would align with modern security and CSS best practices.