🛡️ Sentinel: [HIGH] Sanitize user input to prevent XSS in DescriptionPreview

[bobdivx]

🚨 Severity: HIGH
💡 Vulnerability: The DescriptionPreview.tsx component used dangerouslySetInnerHTML to render unescaped HTML content that originates from external sources or converted BBCode without proper sanitization.
🎯 Impact: If a malicious payload containing <script> or event handlers was uploaded, it would be executed when rendering the description, leading to a Cross-Site Scripting (XSS) vulnerability.
🔧 Fix: Introduced the dompurify library and utilized DOMPurify.sanitize() before passing the content to dangerouslySetInnerHTML. A check for typeof window !== 'undefined' ensures it does not crash during Server-Side Rendering (SSR).
✅ Verification: Verified by confirming the build command succeeds (npm run build) and the related vitest test runs correctly without regressions. No new failing tests were introduced.

Fixes #security

---

PR created automatically by Jules for task 13928272736517376950 started by @bobdivx

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
popcorn-client	Ready	Preview, Comment	Mar 7, 2026 7:19am

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a critical security enhancement by implementing robust input sanitization for user-generated content displayed in the DescriptionPreview component. The change mitigates a high-severity Cross-Site Scripting (XSS) vulnerability, ensuring that potentially malicious HTML payloads are neutralized before rendering, thereby protecting users from script injection attacks. The solution also maintains compatibility with Server-Side Rendering environments.

Highlights

• Security Fix: Cross-Site Scripting (XSS): Addressed a high-severity XSS vulnerability in the DescriptionPreview.tsx component, which previously rendered unescaped HTML content from external sources or converted BBCode using dangerouslySetInnerHTML.
• Input Sanitization with DOMPurify: Integrated the dompurify library to sanitize HTML content before it is rendered, preventing malicious scripts from executing. The DOMPurify.sanitize() function is now applied to all HTML passed to dangerouslySetInnerHTML.
• Server-Side Rendering (SSR) Compatibility: Implemented a check for typeof window !== 'undefined' within the sanitization logic to ensure the application does not crash during Server-Side Rendering (SSR) when DOMPurify is used.
• Dependency Updates: Added dompurify and its corresponding TypeScript type definitions (@types/dompurify) to the project dependencies.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• .astro/content.d.ts
  • Updated the relative import path for content.config.mjs.
• package-lock.json
  • Added dompurify and @types/dompurify as new dependencies.
  • Adjusted dev flags for several existing dependencies, removing dev: true from many and changing tslib to devOptional: true.
• package.json
  • Added dompurify and @types/dompurify to the project's dependencies.
• src/components/upload/DescriptionPreview.tsx
  • Imported the DOMPurify library.
  • Modified the sanitizePreviewHtml function to use DOMPurify.sanitize() for HTML content.
  • Added a typeof window !== 'undefined' check to ensure DOMPurify is only called in a browser environment, preventing SSR issues.

Activity

• No human activity has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request aims to fix a Cross-Site Scripting (XSS) vulnerability by introducing dompurify to sanitize user-provided descriptions. However, the current implementation critically bypasses sanitization during Server-Side Rendering (SSR), leaving the application vulnerable to XSS on initial page load, especially in frameworks like Astro. The sanitization logic needs to be updated to function correctly in both client-side and server-side environments. The dependency updates are appropriate.

[gemini-code-assist]

The sanitizePreviewHtml function, specifically the logic from lines 11-14, currently bypasses sanitization during Server-Side Rendering (SSR) because it relies on window being defined. This allows unsanitized HTML to be returned, creating a Cross-Site Scripting (XSS) vulnerability on initial page load, especially in frameworks like Astro. To properly address this, ensure sanitization is performed in both client and server environments. Consider using a library like isomorphic-dompurify or providing a DOM implementation to DOMPurify on the server.