Skip to content

fix(#657): prevent HTML injection and XSS by sanitizing participant names#819

Open
Shan7Usmani wants to merge 4 commits into
shouri123:mainfrom
Shan7Usmani:main
Open

fix(#657): prevent HTML injection and XSS by sanitizing participant names#819
Shan7Usmani wants to merge 4 commits into
shouri123:mainfrom
Shan7Usmani:main

Conversation

@Shan7Usmani

@Shan7Usmani Shan7Usmani commented Jun 20, 2026

Copy link
Copy Markdown

Description

Prevent XSS vulnerabilities by ensuring all participant names are sanitized via \escapeHtml()\ before DOM insertion. Fixes a specific bug where the transcript initials derivation used raw (unescaped) speaker names, and hardens all rendering paths for defense-in-depth.

Fixes #657

Type of Change

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • My changes generate no new warnings

Summary of Changes

Bug Fixes

  • *\createTranscriptEntryHTML()* — initials derivation and isAudio check now use the already-escaped \speaker\ variable instead of raw \entry.speaker\
  • Data attributes — replaced \escapeHtml\ with \sanitizeDataAttr\ for \data-speaker, \data-time, \data-message\ (attribute-context escaping)

Consolidation

  • *\src/utils/sanitize.ts* — deprecated \escapeHtml\ in favor of the canonical regex-based version in \domHelpers.ts\ (which is already used by all rendering code). Now re-exports with a deprecation JSDoc notice.

Defense-in-Depth

  • *\getEmptyStateHTML()* and *\ runcatedNoticeHtml()* — now escape their string parameters via \escapeHtml()\ to prevent future misuse

Tests

  • *\src/utils/domHelpers.test.ts* (new) — covers \escapeHtml\ with XSS payloads, attribute context, edge cases, \ ormatDuration, and \sanitizeTopicStatus\
  • *\src/utils/sanitize.test.ts* — updated to import \escapeHtml\ from canonical source; removed redundant DOM mock

XSS Audit

All 47 \innerHTML\ assignments across \dashboard.ts, \popup.ts, \onboarding.ts, \�piUsageDashboard.ts, and \storageDashboard.ts\ were reviewed. 0 active vulnerabilities found.

Summary by CodeRabbit

  • Security Improvements
    • Strengthened HTML escaping across dynamic dashboard UI text (including empty-state messaging) to reduce unsafe rendering risk.
    • Improved transcript safety by escaping speaker details, deriving initials from escaped content, and sanitizing transcript copy fields embedded in the UI.
  • Tests
    • Added/expanded test coverage for HTML escaping and related helper behaviors, including XSS regression scenarios and edge cases.
    • Adjusted sanitization tests to match the shared escaping behavior and expected outputs.
  • Documentation
    • Updated troubleshooting guidance and clarified common errors and how to inspect extension logs.

@Shan7Usmani Shan7Usmani requested a review from shouri123 as a code owner June 20, 2026 08:45
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Thank You for Contributing to Late-Meet

Please ensure that:

  • the issue was assigned to you before opening this PR
  • the PR references the related issue
  • your changes follow repository contribution guidelines
  • the project builds successfully before submission

Unassigned, duplicate, or low-quality PRs may be closed.

Thank you for contributing 💙

@github-actions github-actions Bot added gssoc Official GSSoC contribution issue gssoc:approved GSSoC: PR approved and scored type:code Type: Code change type:test Type: Test files bug Something isn't working size/M type:design Type: Design / UI / UX (Optional bonus) and removed gssoc Official GSSoC contribution issue gssoc:approved GSSoC: PR approved and scored labels Jun 20, 2026
@github-actions

Copy link
Copy Markdown
Contributor

👋 Thank you @Shan7Usmani for your contribution to Late-Meet!

✅ Verified: You are assigned to the linked issue #657.

Please review any automated suggestions or code review comments that may appear below! We will review your PR as soon as possible!


Please consider starring the repository ⭐ to show your support!

@coderabbitai

coderabbitai Bot commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

escapeHtml now comes from domHelpers through a deprecated re-export in sanitize.ts. dashboard.ts escapes or sanitizes several untrusted render values, the utility tests expand escaping and helper coverage, and the README troubleshooting section is reorganized.

Changes

XSS Hardening and escapeHtml Migration

Layer / File(s) Summary
escapeHtml migration to domHelpers
src/utils/sanitize.ts
Removes the local escapeHtml implementation and re-exports the domHelpers version with deprecation notes.
Dashboard render path sanitization
src/dashboard.ts
Escapes the truncated notice key and empty-state message, derives transcript initials and audio classification from the escaped speaker, and sanitizes transcript copy-button data attributes.
EscapeHtml and helper tests
src/utils/domHelpers.test.ts, src/utils/sanitize.test.ts
Adds escaping and XSS regression coverage for escapeHtml, plus formatDuration and sanitizeTopicStatus assertions, and updates sanitize.test.ts to import escapeHtml from domHelpers.

README troubleshooting updates

Layer / File(s) Summary
Troubleshooting and shortcut wording
README.md
Replaces the troubleshooting table with scenario-specific subsections and rewrites the global shortcuts note and heading.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • shouri123/Late-Meet#543: The dashboard XSS hardening and escapeHtml migration touch the same sanitization paths described in this PR.
  • shouri123/Late-Meet#835: This PR updates the same README.md troubleshooting and global shortcuts sections.

Suggested reviewers

  • shouri123

Poem

🐇 I hopped through tags with careful feet,
And made the sneaky scripts retreat.
The speaker names now sparkle bright,
In domHelpers they’re tucked in tight.
A carrot for the safe and sound—
No stray <script> shall sneak around.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Out of Scope Changes check ⚠️ Warning The README troubleshooting updates are unrelated to issue #657's sanitization fix and appear out of scope. Move the README troubleshooting edits to a separate documentation PR so this change stays focused on XSS sanitization.
Docstring Coverage ⚠️ Warning Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: sanitizing participant names to prevent HTML injection and XSS.
Linked Issues check ✅ Passed The PR applies escaping and sanitization to participant-name rendering paths, matching issue #657's XSS mitigation goal.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/dashboard.ts`:
- Around line 1099-1103: The data attributes for the copy-transcript-btn button
(data-speaker, data-time, data-message) are receiving already-escaped values
(speaker, timeStr, and text from lines 1076-1077 and 1088) and passing them
through sanitizeDataAttr(), causing double-encoding. Remove the
sanitizeDataAttr() calls and pass the raw unescaped values directly to the data
attributes, or if the raw values are not available in scope, retrieve them
before they were escaped and pass those raw values to sanitizeDataAttr()
instead.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0aacd107-872b-452b-a6ed-3275135935ce

📥 Commits

Reviewing files that changed from the base of the PR and between eed5d5e and 7dce66a.

📒 Files selected for processing (4)
  • src/dashboard.ts
  • src/utils/domHelpers.test.ts
  • src/utils/sanitize.test.ts
  • src/utils/sanitize.ts

Comment thread src/dashboard.ts
…icipant names

- Fix initials derivation in createTranscriptEntryHTML to use escaped speaker
- Use sanitizeDataAttr for data-* attributes instead of escapeHtml
- Consolidate duplicate escapeHtml: deprecate sanitize.ts version, keep domHelpers.ts canonical
- Harden getEmptyStateHTML and truncatedNoticeHtml with escapeHtml for defense-in-depth
- Add domHelpers.test.ts with XSS, attribute-context, and regression tests
- Update sanitize.test.ts to import escapeHtml from canonical source
- Remove redundant DOM mock from sanitize.test.ts

Audit result: 0 active XSS vulnerabilities across all 47 innerHTML assignments.
@Shan7Usmani

Copy link
Copy Markdown
Author

@shouri123 all 4 PRs (#819, #820, #821, #822) have been rebased on latest main and all checks are passing. Could a maintainer please review and merge when you get a chance? These have been open since June 8 — would really appreciate a look. Thanks! 🙏

@github-actions github-actions Bot added the type:docs Type: Documentation label Jun 30, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
README.md (1)

984-984: 📐 Maintainability & Code Quality | 🔵 Trivial

Use consistent branding: "Late-Meet" or "Late Meet".

Line 984 uses "Late-Meet" (hyphenated), while line 1032 uses "Late Meet" (unhyphenated). Pick one form and use it throughout the README for consistency.

Also applies to: 1032-1032

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` at line 984, The README uses inconsistent product branding with
both “Late-Meet” and “Late Meet”; choose one canonical form and update the
affected README text to use it consistently everywhere. Locate the
introductory/setup wording in the README and the later section that references
the product name, then replace the alternate spelling so the same branding
appears throughout.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@README.md`:
- Line 984: The README uses inconsistent product branding with both “Late-Meet”
and “Late Meet”; choose one canonical form and update the affected README text
to use it consistently everywhere. Locate the introductory/setup wording in the
README and the later section that references the product name, then replace the
alternate spelling so the same branding appears throughout.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4b1fbcf5-55cd-482b-b663-a9252714901f

📥 Commits

Reviewing files that changed from the base of the PR and between 86256fa and 6cd8014.

📒 Files selected for processing (1)
  • README.md

@github-actions github-actions Bot removed the type:docs Type: Documentation label Jun 30, 2026
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working size/M type:code Type: Code change type:design Type: Design / UI / UX (Optional bonus) type:test Type: Test files

Projects

None yet

Development

Successfully merging this pull request may close these issues.

fix: Prevent HTML injection and XSS by sanitizing participant names before rendering

2 participants