[FIXED] XSS risk in dangerouslySetInnerHTML usage

[Tsukieomie]

Security Issue: Potential XSS in HTML Rendering

Severity: HIGH → FIXED ✅
Location: Multiple files with dangerouslySetInnerHTML

Description

Multiple components used dangerouslySetInnerHTML without sanitization, creating potential XSS vulnerabilities.

Status

✅ RESOLVED - Added DOMPurify sanitization

Files Updated

1. src/renderer/features/ui/agent-tool-call.tsx - subtitle HTML
2. src/renderer/features/ui/agent-edit-tool.tsx - syntax highlighted code
3. src/renderer/components/chat-markdown-renderer.tsx - code block HTML

Changes Made

• Installed dompurify and @types/dompurify
• Added DOMPurify.sanitize() to all dangerouslySetInnerHTML usages
• HTML now sanitized before rendering

Code Example

// Before
dangerouslySetInnerHTML={{ __html: htmlContent }}

// After
dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(htmlContent) }}

Defense in Depth

While the HTML comes from trusted Shiki library, DOMPurify provides additional security layer in case:

• Shiki library is compromised
• User-generated content reaches rendering path
• Future code changes introduce vulnerabilities

This issue can be closed as resolved.

Labels: security, fixed, xss