app.js uses innerHTML in several places to render data from the API. While the backend validates dataset names and the data comes from a controlled source, if Lance file metadata is user-supplied (e.g., column names, string field values), there is a potential for HTML injection.
Affected areas:
- Health status display
- Schema field rendering
- Vector cell info
- Tooltip content
- Error messages
Proposed fix: Replace innerHTML with textContent for string values and createElement/appendChild for structured content. This is defense-in-depth: the risk is low today but the fix is straightforward.
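To make the proposed fix concrete, here is an added example (not code from app.js or the project) that puts the innerHTML pattern beside the textContent/createElement version for one of the affected areas, schema field rendering. The field object shape, the `renderFieldHTML`/`renderFieldNode` names and the sample field name are constructed for the illustration; under Node, where there is no DOM, a minimal element stand-in replaces `document.createElement` so the two renderers can be compared offline.

```javascript
// Minimal stand-in for document.createElement when no DOM exists (Node/tests).
// Only the members used below (textContent, appendChild, children) are modelled.
function makeElement(tag) {
  const el = { tagName: tag.toUpperCase(), children: [], _text: '' };
  Object.defineProperty(el, 'textContent', {
    get() { return el._text + el.children.map((c) => c.textContent).join(''); },
    set(v) { el.children = []; el._text = String(v); },
  });
  el.appendChild = (child) => { el.children.push(child); return child; };
  return el;
}
const create = (tag) =>
  typeof document !== 'undefined' ? document.createElement(tag) : makeElement(tag);

// Constructed schema field whose column name carries markup, standing in for
// attacker-influenced Lance file metadata.
const untrustedField = { name: '<img src=x onerror="alert(1)">', type: 'vector(128)' };

// The pattern the issue describes: data interpolated straight into markup that
// is later assigned to innerHTML, so the browser parses the name as HTML.
function renderFieldHTML(field) {
  return `<li class="field"><b>${field.name}</b>: ${field.type}</li>`;
}

// Proposed fix: build nodes with createElement/appendChild and assign strings
// via textContent, so the name is inserted as text and never parsed as HTML.
function renderFieldNode(field) {
  const li = create('li');
  li.className = 'field';
  const name = create('b');
  name.textContent = field.name;
  li.appendChild(name);
  li.appendChild(create('span')).textContent = `: ${field.type}`;
  return li;
}
```

In a browser, `renderFieldNode(untrustedField)` can be appended to the schema list directly; the same call on the stand-in shows that the `<img ...>` text survives only as text, with no `IMG` element created.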