🛡️ Sentinel: [HIGH] Fix XSS vulnerability in DescriptionPreview

[bobdivx]

🚨 Severity: HIGH
💡 Vulnerability: Cross-Site Scripting (XSS) vulnerability found in DescriptionPreview.tsx. User-provided descriptions containing raw HTML could be executed because the component directly set dangerouslySetInnerHTML while only utilizing a regex to replace {} characters.
🎯 Impact: An attacker could submit malicious BBCode or HTML descriptions, executing arbitrary javascript in the context of the user's application, leading to potential data theft, session hijacking, or other attacks.
🔧 Fix: Installed isomorphic-dompurify and updated sanitizePreviewHtml in src/components/upload/DescriptionPreview.tsx to sanitize the HTML utilizing DOMPurify.sanitize() before it is rendered by Preact. Added critical security learning to .jules/sentinel.md.
✅ Verification: Verified that tests pass (via npm test) and captured visual verification of application launch using a Playwright script. The codebase does not have standard formatting or linting scripts configured.

---

PR created automatically by Jules for task 1544456048733979116 started by @bobdivx

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
popcorn-client	Ready	Preview, Comment	Mar 17, 2026 7:20am

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical XSS vulnerability in the DescriptionPreview component. Previously, user-provided descriptions containing raw HTML were not adequately sanitized, posing a significant security risk. The changes introduce a dedicated sanitization library to ensure that all user-generated content is safely rendered, thereby protecting against potential data theft and session hijacking.

Highlights

• Security Fix: Fixed a high-severity Cross-Site Scripting (XSS) vulnerability in the DescriptionPreview component, preventing malicious script execution from user-provided descriptions.
• HTML Sanitization: Implemented robust HTML sanitization using the isomorphic-dompurify library to safely process user-generated content before rendering.
• Documentation: Added a new security learning entry to .jules/sentinel.md documenting the XSS vulnerability and the importance of proper HTML sanitization.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• .jules/sentinel.md
  • Added a new security learning entry detailing the XSS vulnerability and the importance of proper HTML sanitization.
• package-lock.json
  • Added isomorphic-dompurify and its associated dependencies.
  • Updated various existing package dependencies to newer versions.
  • Removed dev: true flags from several dependency entries.
• package.json
  • Added isomorphic-dompurify as a new dependency.
• src/components/upload/DescriptionPreview.tsx
  • Imported DOMPurify from isomorphic-dompurify.
  • Updated the sanitizePreviewHtml function to use DOMPurify.sanitize() for comprehensive HTML sanitization.

Activity

• The pull request was automatically created by Jules for task 1544456048733979116, initiated by @bobdivx.
• Verification steps included passing npm test and visual confirmation via a Playwright script.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request effectively addresses a high-severity Cross-Site Scripting (XSS) vulnerability in the DescriptionPreview component. The fix correctly introduces isomorphic-dompurify to sanitize HTML content before it's rendered, which is a robust solution. The changes are well-contained and the addition of a security learning document is a great practice. One point of attention is that installing the new dependency has triggered updates to several other packages, including a major version bump for the transitive dependency @exodus/bytes, which carries a risk of unintended side effects.

[gemini-code-assist]

The dependency updates include a major version bump for @exodus/bytes (from 1.8.0 to 1.15.0), which is a transitive dependency. Major version upgrades can introduce breaking changes. To mitigate the risk of unintended regressions, consider using npm's overrides feature in package.json to lock @exodus/bytes to a version within the previous major range, if compatible.