finding_id: REV-2026-006
priority: P1
area: web-ui
kind: security
paths:
Summary
Escape bridge issue fields before rendering them into Web UI HTML.
Evidence
Global review finding REV-2026-006 identified external fields such as issue.message, rule, api, and field being inserted into unescaped innerHTML in web-ui/index.html.
Impact
A malicious API name or rule message can execute script in a browser viewing analysis results, compromising the Web UI session and bridge interaction.
Scope
Replace unsafe rendering with context-appropriate escaping or DOM text APIs for analysis results and manual grouping UI, and add browser regression coverage.
Out of scope
Web server bind policy and arbitrary static-file exposure, which are tracked by the blocking issues above.
Acceptance criteria
issue.message/rule/api/field 等外部字段不直接进入未转义 innerHTML
- 恶意 API 名称和 rule 文本不会执行脚本
- 分析结果和手动分组 UI 均覆盖
- 浏览器 E2E 捕获无
pageerror/脚本执行
Verification
Run browser E2E with payloads containing HTML and script-like text; assert rendered text is inert and no page error or script side effect occurs in either UI path.
Rollback
Revert the rendering changes while retaining the XSS regression fixtures and blocking automation until a safe rendering design is approved.
Dependencies
Blocked by REV-2026-001 (#12) and REV-2026-002 (#13). Do not add automation:ready until both dependencies are completed and design review is complete.
finding_id: REV-2026-006
priority: P1
area: web-ui
kind: security
paths:
blocked_by:
automation: needs-design
Summary
Escape bridge issue fields before rendering them into Web UI HTML.
Evidence
Global review finding REV-2026-006 identified external fields such as
issue.message,rule,api, andfieldbeing inserted into unescapedinnerHTMLinweb-ui/index.html.Impact
A malicious API name or rule message can execute script in a browser viewing analysis results, compromising the Web UI session and bridge interaction.
Scope
Replace unsafe rendering with context-appropriate escaping or DOM text APIs for analysis results and manual grouping UI, and add browser regression coverage.
Out of scope
Web server bind policy and arbitrary static-file exposure, which are tracked by the blocking issues above.
Acceptance criteria
issue.message/rule/api/field等外部字段不直接进入未转义innerHTMLpageerror/脚本执行Verification
Run browser E2E with payloads containing HTML and script-like text; assert rendered text is inert and no page error or script side effect occurs in either UI path.
Rollback
Revert the rendering changes while retaining the XSS regression fixtures and blocking automation until a safe rendering design is approved.
Dependencies
Blocked by REV-2026-001 (#12) and REV-2026-002 (#13). Do not add
automation:readyuntil both dependencies are completed and design review is complete.