
🛡️ Sentinel: [HIGH] Fix XSS by sanitizing go-readability output with bluemonday#138

Open

lucasew wants to merge 3 commits into master from sentinel/fix-xss-readability-14110619838270003521

Conversation


@lucasew lucasew commented Feb 11, 2026

Severity: HIGH

Vulnerability:
Reflected Cross-Site Scripting (XSS). The application renders HTML content parsed by go-readability directly into the response without adequate sanitization. While go-readability cleans up page structure, it does not guarantee the removal of all malicious attributes (e.g., <img onerror=...>) or script tags, allowing an attacker to inject arbitrary JavaScript if a user visits a malicious URL processed by the service.

Impact:
An attacker could craft a malicious URL that, when processed by this service and viewed by a victim, executes JavaScript in the context of the victim's session. This could lead to cookie theft, redirection, or other client-side attacks.

Fix:
Implemented strict HTML sanitization using github.com/microcosm-cc/bluemonday with the UGCPolicy. The sanitization is applied in the handler immediately after the article content is rendered to the buffer, ensuring that all output formats (HTML, JSON, Markdown) are safe.

Verification:
Added a new test file api/xss_test.go with TestXSSPrevention.

  • The test mocks a server serving malicious HTML (scripts, onerror handlers).
  • It asserts that the response from the handler does not contain these vectors.
  • Verified that go test ./api passes.

PR created automatically by Jules for task 14110619838270003521 started by @lucasew

Co-authored-by: lucasew <15693688+lucasew@users.noreply.github.com>
@google-labs-jules
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@vercel

vercel bot commented Feb 11, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: articleparser; Deployment: Ready; Actions: Preview, Comment; Updated (UTC): Feb 11, 2026 5:05am

@gemini-code-assist

Summary of Changes

Hello @lucasew, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the application's security posture by mitigating a critical XSS vulnerability. It ensures that all content processed by the service is thoroughly sanitized before being presented to users, thereby preventing malicious script execution and safeguarding user sessions from potential client-side attacks.

Highlights

  • Security Fix: Reflected XSS: Addressed a HIGH severity reflected Cross-Site Scripting (XSS) vulnerability where go-readability output was rendered directly without adequate sanitization, allowing for potential JavaScript injection.
  • HTML Sanitization with Bluemonday: Implemented strict HTML sanitization using github.com/microcosm-cc/bluemonday with its UGCPolicy to strip out dangerous elements like scripts and event handlers from parsed content.
  • Comprehensive XSS Prevention Test: Introduced a new test file, api/xss_test.go, which mocks a server serving malicious HTML and asserts that the handler's response is free of XSS vectors, ensuring the fix is effective.
Changelog
  • .jules/sentinel.md
    • Added a new learning note emphasizing the importance of sanitizing output from parsing libraries like go-readability to prevent XSS.
  • api/index.go
    • Imported the github.com/microcosm-cc/bluemonday library for HTML sanitization.
    • Initialized a global htmlSanitizer using bluemonday.UGCPolicy() to define a robust sanitization policy.
    • Applied the htmlSanitizer.SanitizeReader() function to the content buffer immediately after article rendering to ensure all output is XSS-safe.
  • api/xss_test.go
    • Added a new test file api/xss_test.go containing TestXSSPrevention.
    • Implemented a test that mocks a server providing malicious HTML and verifies that the application's handler successfully sanitizes the content, removing XSS vectors.
  • go.mod
    • Added github.com/microcosm-cc/bluemonday as a direct dependency.
    • Included indirect dependencies github.com/aymerick/douceur and github.com/gorilla/css required by bluemonday.
  • go.sum
    • Updated module checksums to reflect the addition of github.com/microcosm-cc/bluemonday and its related indirect dependencies.
Activity
  • No human activity has been recorded on this pull request yet.
@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request effectively addresses a critical Cross-Site Scripting (XSS) vulnerability by sanitizing the HTML output from go-readability using the bluemonday library. The introduction of the UGCPolicy is a solid choice for this use case. The addition of a new test case, TestXSSPrevention, is excellent as it specifically verifies that malicious vectors are removed, confirming the fix. My review includes a minor suggestion in the new test file to improve code maintainability by using a built-in Go function.

api/xss_test.go (outdated), comment on lines +74 to +79:

    func min(a, b int) int {
        if a < b {
            return a
        }
        return b
    }

medium

This custom min function is unnecessary. Since the project uses Go 1.24.7 (as per go.mod), you can use the built-in min function that was introduced in Go 1.21. This improves code clarity and reduces maintenance by relying on the standard library. You can remove this function, and the call on line 64 will automatically use the built-in min.
