🛡️ Sentinel: HIGH Fix XSS in Research Consent Form #331

Open
daggerstuff wants to merge 1 commit into staging from
security/xss-dangerously-set-inner-html-94112-7051865183378578142

Conversation

@daggerstuff (Owner) commented Mar 31, 2026

🚨 Severity: HIGH
💡 Vulnerability: The ResearchConsentForm renders HTML content from the consent management service directly into the DOM via dangerouslySetInnerHTML. If the consent document contains malicious <script> tags, event handlers (on*), or javascript: URIs, it could lead to Cross-Site Scripting (XSS).
🔧 Fix: Integrated the dompurify library to sanitize the HTML document text before rendering it, mitigating potential XSS injection attacks securely and reliably.
✅ Verification: Reviewers can safely test the fix by generating a mock consent document containing <script>alert(1)</script> or <img src=x onerror=alert(1)> and observing that the payloads are stripped from the rendered view. All automated unit tests and linting passed locally.


PR created automatically by Jules for task 7051865183378578142 started by @daggerstuff


Summary by cubic

Sanitizes consent HTML in ResearchConsentForm to prevent XSS when rendering third-party content. Integrates dompurify so scripts, event handlers, and javascript: URLs are removed.

  • Bug Fixes
    • Sanitize HTML from the consent service before using dangerouslySetInnerHTML, blocking <script> tags, on* handlers, and javascript: links.
  • Dependencies
    • Add dompurify.

Written for commit 10948c1. Summary will update on new commits.

Sanitize HTML strings retrieved from the consent management service before rendering them with dangerouslySetInnerHTML using the industry-standard DOMPurify library to prevent XSS payloads.

Co-authored-by: daggerstuff <261005129+daggerstuff@users.noreply.github.com>
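A test-side regression guard for the three vectors the PR description names, added here as an example and not code from the PR or the project: it runs over a constructed mock consent document (the payloads from the Verification step plus some legitimate consent markup) and over a constructed expectation of the sanitized output, so a reviewer can assert that whatever the DOMPurify-based render path emits carries none of the vectors. DOMPurify itself is not exercised here; the guard checks its output, it does not replace it.

```javascript
// Added example, not code from the PR. A regression guard for the render path:
// it flags the three vectors the PR description names (<script> tags, on*
// handlers, javascript: URIs) so a test can assert that the sanitizer's output
// contains none of them. It is a check on sanitizer output, not a sanitizer.

// Constructed mock consent document, as in the PR's verification step.
const MOCK_CONSENT_HTML = [
  '<h2>Research Consent</h2>',
  '<p>You may withdraw at any time. <a href="https://example.org/policy">Policy</a></p>',
  '<script>alert(1)</script>',
  '<img src=x onerror=alert(1)>',
  '<a href="JavaScript:alert(1)">Continue</a>',
].join('\n');

// Constructed expectation of what the sanitized document should look like
// (DOMPurify's exact output depends on its configuration).
const EXPECTED_SANITIZED = [
  '<h2>Research Consent</h2>',
  '<p>You may withdraw at any time. <a href="https://example.org/policy">Policy</a></p>',
  '<img src="x">',
  '<a>Continue</a>',
].join('\n');

// Strip surrounding quotes, drop ASCII control characters and whitespace, and
// lower-case: browsers ignore those when reading a URL scheme, so the check must too.
function normalizeUrl(value) {
  return value.replace(/^["']|["']$/g, '').replace(/[\u0000-\u0020]+/g, '').toLowerCase();
}

// Returns the vectors found in `html`; an empty array means the markup
// carries none of the three.
function findXssVectors(html) {
  const findings = [];
  if (/<script[\s>]/i.test(html)) findings.push('script-tag');
  // Any attribute named on* (onerror, onload, ...) inside a tag.
  for (const m of html.matchAll(/<[^>]*?\s(on[a-z]+)\s*=/gi)) {
    findings.push(`event-handler:${m[1].toLowerCase()}`);
  }
  // href/src values whose scheme is javascript:, quoted or unquoted.
  for (const m of html.matchAll(/\s(?:href|src)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi)) {
    if (normalizeUrl(m[1]).startsWith('javascript:')) findings.push('javascript-uri');
  }
  return findings;
}

// True when the sanitizer stripped every vector and kept the legitimate markup.
function sanitizerKeptDocumentSafe(sanitizedHtml) {
  return findXssVectors(sanitizedHtml).length === 0 && sanitizedHtml === EXPECTED_SANITIZED;
}
```

In the project's test suite the call would be `sanitizerKeptDocumentSafe(DOMPurify.sanitize(MOCK_CONSENT_HTML))`, with EXPECTED_SANITIZED adjusted to the configured allowlist.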
@vercel bot commented Mar 31, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: pixelated | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Mar 31, 2026 9:57pm

@google-labs-jules (Contributor)

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@charliecreates charliecreates bot requested a review from CharlieHelps March 31, 2026 21:54

@charliecreates charliecreates bot left a comment

No diff was provided, so I can’t review the actual implementation or validate the XSS mitigation. Please include/paste the diff (or the modified file snippets) to get actionable, line-level feedback.

Summary of changes

  • No code diff/content was provided in the prompt (<dxFiles/> is empty and the Diff section contains no hunks), so there are no observable modifications to summarize.
  • Based on PR context only (not verifiable here), the intended change is to sanitize consent HTML (e.g., via dompurify) before rendering with dangerouslySetInnerHTML to mitigate XSS in ResearchConsentForm.
