🛡️ Sentinel: [CRITICAL] Fix XSS vulnerability in DescriptionPreview

[bobdivx]

🛡️ Sentinel: [CRITICAL] Fix XSS vulnerability in DescriptionPreview

🚨 Severity: CRITICAL
💡 Vulnerability: The DescriptionPreview component was directly rendering raw HTML or converted BBCode using dangerouslySetInnerHTML without proper sanitization. This could allow malicious users to inject script tags or other XSS vectors if they have control over the description input.
🎯 Impact: Attackers could execute arbitrary JavaScript within a user's browser context, potentially leading to session hijacking, stealing sensitive data, or taking actions on behalf of the user. Because this is an Astro SSR application, the lack of sanitization on the server could also lead to XSS payloads being injected into the initial HTML response.
🔧 Fix: Integrated isomorphic-dompurify to thoroughly sanitize the HTML string before injecting it into the DOM. The configuration explicitly allows only a safe subset of tags (like headings, bold, italic, code, img, links, etc.) and attributes. Using isomorphic-dompurify instead of standard dompurify guarantees protection runs consistently during both Server-Side Rendering (SSR) and Client-Side rendering, preventing hydration mismatches and early execution.
✅ Verification: The fix was manually verified, build and test commands were executed successfully (npm run build and npm run test).

A journal entry has been added to .jules/sentinel.md outlining the findings and mitigation.

---

PR created automatically by Jules for task 251337543513320501 started by @bobdivx

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
popcorn-client	Ready	Preview, Comment	Mar 8, 2026 7:32am

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request delivers a crucial security enhancement by resolving a critical XSS vulnerability within the DescriptionPreview component. The change ensures that all user-generated content displayed in the preview is thoroughly sanitized, thereby preventing malicious script injections and safeguarding user sessions and data. The solution leverages a robust, isomorphic sanitization library to maintain security across both server-side and client-side rendering environments.

Highlights

• Critical XSS Vulnerability Fixed: Addressed a critical Cross-Site Scripting (XSS) vulnerability in the DescriptionPreview component where unsanitized user-provided HTML/BBCode was rendered directly using dangerouslySetInnerHTML.
• Sanitization with isomorphic-dompurify: Integrated isomorphic-dompurify to sanitize HTML content before rendering, ensuring consistent XSS protection during both Server-Side Rendering (SSR) and Client-Side Rendering.
• Strict HTML Tag and Attribute Whitelisting: Configured DOMPurify to explicitly allow only a safe subset of HTML tags (e.g., headings, bold, italic, images, links) and attributes, minimizing the attack surface.
• Dependency Updates: Added dompurify, isomorphic-dompurify, and @types/dompurify to the project dependencies, along with other minor dependency updates.
• Documentation: A journal entry was added to .jules/sentinel.md outlining the vulnerability findings and the implemented mitigation strategy.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• .jules/sentinel.md
  • Added a journal entry documenting the critical XSS vulnerability and its mitigation.
• package-lock.json
  • Updated various package dependencies to their latest versions.
  • Added new dependencies for dompurify, isomorphic-dompurify, and @types/dompurify.
• package.json
  • Added dompurify, isomorphic-dompurify, and @types/dompurify to the project dependencies.
• src/components/upload/DescriptionPreview.tsx
  • Imported DOMPurify from isomorphic-dompurify.
  • Modified the sanitizePreviewHtml function to use DOMPurify.sanitize for XSS protection.
  • Defined a whitelist of ALLOWED_TAGS and ALLOWED_ATTR for sanitization.

Activity

• The pull request was automatically created by Jules.
• The task was initiated by @bobdivx.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request addresses a critical XSS vulnerability in the DescriptionPreview component by introducing isomorphic-dompurify to sanitize HTML before rendering. The fix is well-implemented. My review includes a high-severity suggestion to further enhance security by preventing tabnabbing attacks, and a medium-severity suggestion to clean up project dependencies.

[gemini-code-assist]

Allowing the target attribute can introduce a "tabnabbing" security vulnerability. When a link with target="_blank" is opened, the new page gains partial access to the original page, which can be exploited. While rel is in the allow-list, its presence isn't enforced for links with target="_blank". To mitigate this risk, I recommend removing target from the list of allowed attributes. This will cause all links to open in the same tab, which is safer for a preview component.

Suggested change

	ALLOWED_ATTR: ['href', 'src', 'alt', 'title', 'class', 'width', 'height', 'style', 'target', 'rel']
	ALLOWED_ATTR: ['href', 'src', 'alt', 'title', 'class', 'width', 'height', 'style', 'rel']

[gemini-code-assist]

There are a couple of opportunities to clean up the dependencies:

• The @types/dompurify package is deprecated and can be removed, as dompurify now ships its own types.
• The dompurify package is a transitive dependency of isomorphic-dompurify, so it can be removed as a direct dependency to avoid redundancy.

Removing these will clean up the project's dependencies.

Suggested change

	"@types/dompurify": "^3.2.0",
	"@types/qrcode": "^1.5.6",
	"astro": "^5.17.2",
	"bcryptjs": "^2.4.3",
	"daisyui": "^4.12.10",
	"dompurify": "^3.3.2",
	"hls.js": "^1.6.15",
	"html5-qrcode": "^2.3.8",
	"isomorphic-dompurify": "^3.0.0",
	"@types/qrcode": "^1.5.6",
	"astro": "^5.17.2",
	"bcryptjs": "^2.4.3",
	"daisyui": "^4.12.10",
	"hls.js": "^1.6.15",
	"html5-qrcode": "^2.3.8",
	"isomorphic-dompurify": "^3.0.0",