Skip to content

Emtemf/api-codegen REV-2026-006: Escape bridge issue fields before rendering HTML #17

Description

@Emtemf

finding_id: REV-2026-006
priority: P1
area: web-ui
kind: security
paths:


Summary

Escape bridge issue fields before rendering them into Web UI HTML.

Evidence

Global review finding REV-2026-006 identified external fields such as issue.message, rule, api, and field being inserted into unescaped innerHTML in web-ui/index.html.

Impact

A malicious API name or rule message can execute script in a browser viewing analysis results, compromising the Web UI session and bridge interaction.

Scope

Replace unsafe rendering with context-appropriate escaping or DOM text APIs for analysis results and manual grouping UI, and add browser regression coverage.

Out of scope

Web server bind policy and arbitrary static-file exposure, which are tracked by the blocking issues above.

Acceptance criteria

  • issue.message/rule/api/field 等外部字段不直接进入未转义 innerHTML
  • 恶意 API 名称和 rule 文本不会执行脚本
  • 分析结果和手动分组 UI 均覆盖
  • 浏览器 E2E 捕获无 pageerror/脚本执行

Verification

Run browser E2E with payloads containing HTML and script-like text; assert rendered text is inert and no page error or script side effect occurs in either UI path.

Rollback

Revert the rendering changes while retaining the XSS regression fixtures and blocking automation until a safe rendering design is approved.

Dependencies

Blocked by REV-2026-001 (#12) and REV-2026-002 (#13). Do not add automation:ready until both dependencies are completed and design review is complete.

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions