
fix: XSS vulnerability in Table HTML cell #41539

Open
subrata71 wants to merge 1 commit into release from fix/xss-in-table-widget

Conversation

@subrata71 subrata71 (Collaborator) commented Feb 5, 2026

Description


Fixes https://linear.app/appsmith/issue/V2-2922/critical-stored-xss-vulnerability-in-table-widget-allows-takeover
Fixes https://github.com/appsmithorg/appsmith/security/advisories/GHSA-5hw4-whxv-6794

Automation

/ok-to-test tags="@tag.Sanity"

🔍 Cypress test results

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/21703384270
Commit: aabd52b
Tags: @tag.Sanity
Thu, 05 Feb 2026 08:33:21 UTC


Summary by CodeRabbit

  • Refactor
    • Improved HTML content handling in table widgets for enhanced parsing reliability.

@subrata71 subrata71 requested a review from a team as a code owner February 5, 2026 05:34
@subrata71 subrata71 requested review from vivek-appsmith and removed request for a team February 5, 2026 05:34

@subrata71 subrata71 self-assigned this Feb 5, 2026
@subrata71 subrata71 added the ok-to-test Required label for CI label Feb 5, 2026
@github-actions github-actions bot added the Bug Something isn't working label Feb 5, 2026
@coderabbitai coderabbitai bot (Contributor) commented Feb 5, 2026

Walkthrough

Two utility files in TableWidgetV2 replaced innerHTML-based DOM manipulation with DOMParser API. One file extracts HTML tag names; the other extracts text content from HTML strings. Both changes maintain existing functionality while adopting a safer parsing mechanism.

Changes

Cohort: DOMParser HTML Parsing Refactor
File(s):
  • app/client/src/widgets/TableWidgetV2/component/cellComponents/HTMLCell/utils.tsx
  • app/client/src/widgets/TableWidgetV2/widget/derived.js
Summary: Replaced innerHTML DOM manipulation with DOMParser API for parsing HTML content. Tag name extraction and text content extraction both now use DOMParser instead of temporary div elements. Logic and return values remain unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🔐 Away with innerHTML's risky sway,
DOMParser steps in to save the day!
Safer parsing, cleaner code,
A modern API's noble road. 🚀

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)
  • Description check: ❓ Inconclusive. PR description includes issue references and test results, but lacks motivation, context, and dependencies details required by the template. Resolution: add a brief explanation of the XSS vulnerability, why DOMParser is safer, and confirm no dependencies are needed for this fix.

✅ Passed checks (2 passed)
  • Title check: ✅ Passed. The title 'fix: XSS vulnerability in Table HTML cell' clearly summarizes the main security fix in the changeset, addressing the primary objective of the PR.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

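The innerHTML-to-DOMParser change the walkthrough describes, shown as an added browser-side example that is not code from the Appsmith PR: the unsafe temporary-div pattern next to the inert DOMParser pattern, for both text extraction and tag-name extraction. It assumes a browser environment (DOMParser, document); the function names and the sample cell HTML are my own.

```javascript
// Added example, not code from the Appsmith PR. Assumes a browser
// environment (DOMParser, document). Function names are hypothetical.

// Constructed sample cell value: ordinary markup plus an <img> whose
// onerror attribute only sets a flag, so we can observe whether it ran.
const SAMPLE_CELL_HTML =
  '<p>Hello <b>world</b></p><img src="x" onerror="window.__cellHandlerRan = true">';

// BEFORE (unsafe): assigning innerHTML to a temporary <div> parses the
// markup into the live page document. Inserted <script> elements do not
// run, but the <img> still attempts to load even while detached, and its
// onerror attribute is compiled as an event handler in the page's origin,
// so attacker-controlled cell content executes in the app.
function extractTextUnsafe(html) {
  const div = document.createElement('div');
  div.innerHTML = html;
  return div.textContent;
}

// AFTER (safe): DOMParser builds a separate, inert document. Scripting is
// disabled there and no subresources are fetched, so event-handler
// attributes are never invoked. We only read from the parsed result.
function parseInert(html) {
  return new DOMParser().parseFromString(html, 'text/html');
}

function extractTextSafe(html) {
  return parseInert(html).body.textContent;
}

function extractTagNamesSafe(html) {
  return Array.from(parseInert(html).body.querySelectorAll('*'), (el) =>
    el.tagName.toLowerCase()
  );
}

// Run in a browser console to compare. The safe path never touches the
// page document, so window.__cellHandlerRan stays undefined.
function demo() {
  const text = extractTextSafe(SAMPLE_CELL_HTML);     // "Hello world"
  const tags = extractTagNamesSafe(SAMPLE_CELL_HTML); // ["p", "b", "img"]
  return { text, tags, handlerRan: window.__cellHandlerRan === true };
}
```

Calling extractTextUnsafe with the same input returns the same text but lets the handler fire once the image load fails, which is the behaviour the PR removes.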

@subrata71 subrata71 added ok-to-test Required label for CI and removed ok-to-test Required label for CI labels Feb 5, 2026
@subrata71 subrata71 (Collaborator, Author) commented:

/build-deploy-preview skip-tests=true

@github-actions github-actions bot commented Feb 6, 2026

Deploying Your Preview: https://github.com/appsmithorg/appsmith/actions/runs/21738483119.
Workflow: On demand build Docker image and deploy preview.
skip-tests: true.
env: ``.
PR: 41539.
recreate: .

@github-actions github-actions bot commented Feb 6, 2026

Deploy-Preview-URL: https://ce-41539.dp.appsmith.com

@vivek-appsmith vivek-appsmith requested review from sondermanish and removed request for vivek-appsmith February 6, 2026 06:28
@sondermanish sondermanish (Contributor) left a comment

LGTM
