From efd16dcfa773022a88ff56adddbc3cbc22ae2266 Mon Sep 17 00:00:00 2001
From: Akhilesh Arora <akhildawra@gmail.com>
Date: Thu, 9 Apr 2026 00:01:23 +0200
Subject: [PATCH] security(browser-extension): fix DOM-based XSS in content
 scripts

---
 .../entrypoints/content/chatgpt.ts                  |  6 +++---
 .../browser-extension/entrypoints/content/claude.ts |  6 +++---
 apps/browser-extension/entrypoints/content/t3.ts    | 13 ++++---------
 3 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/apps/browser-extension/entrypoints/content/chatgpt.ts b/apps/browser-extension/entrypoints/content/chatgpt.ts
index 51a04736d..7c3d28aaa 100644
--- a/apps/browser-extension/entrypoints/content/chatgpt.ts
+++ b/apps/browser-extension/entrypoints/content/chatgpt.ts
@@ -159,7 +159,7 @@ async function getRelatedMemoriesForChatGPT(actionSource: string) {
 		if (response?.success && response?.data) {
 			const promptElement = document.getElementById("prompt-textarea")
 			if (promptElement) {
-				promptElement.dataset.supermemories = `<div>Supermemories of user (only for the reference): ${response.data}</div>`
+				promptElement.dataset.supermemories = `\n\nSupermemories of user (only for the reference): ${response.data}`
 				console.log(
 					"Prompt element dataset:",
 					promptElement.dataset.supermemories,
@@ -471,7 +471,7 @@ function updateChatGPTIconFeedback(
 
 				const promptElement = document.getElementById("prompt-textarea")
 				if (promptElement) {
-					promptElement.dataset.supermemories = `<div>Supermemories of user (only for the reference): ${updatedMemories}</div>`
+					promptElement.dataset.supermemories = `\n\nSupermemories of user (only for the reference): ${updatedMemories}`
 				}
 
 				content
@@ -647,7 +647,7 @@ function setupChatGPTPromptCapture() {
 			promptTextarea &&
 			!promptContent.includes("Supermemories of user")
 		) {
-			promptTextarea.innerHTML = `${promptTextarea.innerHTML} ${storedMemories}`
+			promptTextarea.appendChild(document.createTextNode(storedMemories))
 			promptContent = promptTextarea.textContent || ""
 		}
 
diff --git a/apps/browser-extension/entrypoints/content/claude.ts b/apps/browser-extension/entrypoints/content/claude.ts
index 01016a403..d124c84a0 100644
--- a/apps/browser-extension/entrypoints/content/claude.ts
+++ b/apps/browser-extension/entrypoints/content/claude.ts
@@ -230,7 +230,7 @@ async function getRelatedMemoriesForClaude(actionSource: string) {
 			) as HTMLElement
 
 			if (textareaElement) {
-				textareaElement.dataset.supermemories = `<div>Supermemories of user (only for the reference): ${response.data}</div>`
+				textareaElement.dataset.supermemories = `\n\nSupermemories of user (only for the reference): ${response.data}`
 				console.log(
 					"Text element dataset:",
 					textareaElement.dataset.supermemories,
@@ -442,7 +442,7 @@ function updateClaudeIconFeedback(
 					'div[contenteditable="true"]',
 				) as HTMLElement
 				if (textareaElement) {
-					textareaElement.dataset.supermemories = `<div>Supermemories of user (only for the reference): ${updatedMemories}</div>`
+					textareaElement.dataset.supermemories = `\n\nSupermemories of user (only for the reference): ${updatedMemories}`
 				}
 
 				content
@@ -520,7 +520,7 @@ function setupClaudePromptCapture() {
 			contentEditableDiv &&
 			!promptContent.includes("Supermemories of user")
 		) {
-			contentEditableDiv.innerHTML = `${contentEditableDiv.innerHTML} ${storedMemories}`
+			contentEditableDiv.appendChild(document.createTextNode(storedMemories))
 			promptContent =
 				contentEditableDiv.textContent || contentEditableDiv.innerText || ""
 		}
diff --git a/apps/browser-extension/entrypoints/content/t3.ts b/apps/browser-extension/entrypoints/content/t3.ts
index 4d284a358..e0b97e3fb 100644
--- a/apps/browser-extension/entrypoints/content/t3.ts
+++ b/apps/browser-extension/entrypoints/content/t3.ts
@@ -238,13 +238,8 @@ async function getRelatedMemoriesForT3(actionSource: string) {
 			}
 
 			if (textareaElement) {
-				if (textareaElement.tagName === "TEXTAREA") {
-					;(textareaElement as HTMLTextAreaElement).dataset.supermemories =
-						`<br>Supermemories of user (only for the reference): ${response.data}</br>`
-				} else {
-					;(textareaElement as HTMLElement).dataset.supermemories =
-						`<br>Supermemories of user (only for the reference): ${response.data}</br>`
-				}
+				textareaElement.dataset.supermemories =
+					`\n\nSupermemories of user (only for the reference): ${response.data}`
 
 				iconElement.dataset.memoriesData = response.data
 
@@ -450,7 +445,7 @@ function updateT3IconFeedback(
 					(document.querySelector("textarea") as HTMLTextAreaElement) ||
 					(document.querySelector('div[contenteditable="true"]') as HTMLElement)
 				if (textareaElement) {
-					textareaElement.dataset.supermemories = `<div>Supermemories of user (only for the reference): ${updatedMemories}</div>`
+					textareaElement.dataset.supermemories = `\n\nSupermemories of user (only for the reference): ${updatedMemories}`
 				}
 
 				content
@@ -537,7 +532,7 @@ function setupT3PromptCapture() {
 					`${promptContent} ${storedMemories}`
 				promptContent = (textareaElement as HTMLTextAreaElement).value
 			} else {
-				textareaElement.innerHTML = `${textareaElement.innerHTML} ${storedMemories}`
+				textareaElement.appendChild(document.createTextNode(storedMemories))
 				promptContent =
 					textareaElement.textContent || textareaElement.innerText || ""
 			}