From e3d0577ba53ee7ccad69e6d296dee9916f02d733 Mon Sep 17 00:00:00 2001
From: tuanaiseo
Date: Sat, 4 Apr 2026 22:43:14 +0700
Subject: [PATCH] fix(security): overlay compile trace uses html insertion on trans
Compile error entries are inserted with `elem.innerHTML = entry.content`. Although the code encodes input first, safety depends on third-party transformation behavior (`anser` + `html-entities`) and future changes. A malformed or unexpected transformation path could reintroduce executable HTML.
Affected files: CompileErrorTrace.js
Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
---
 overlay/components/CompileErrorTrace.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/overlay/components/CompileErrorTrace.js b/overlay/components/CompileErrorTrace.js
index 4bbdf733..c2ae175e 100644
--- a/overlay/components/CompileErrorTrace.js
+++ b/overlay/components/CompileErrorTrace.js
@@ -51,7 +51,7 @@ function CompileErrorTrace(document, root, props) {
 for (let i = 0; i < entries.length; i += 1) {
 const entry = entries[i];
 const elem = document.createElement('span');
- elem.innerHTML = entry.content;
+ elem.textContent = entities.decode(entry.content);
 elem.style.color = entry.fg ? `var(--color-${entry.fg})` : undefined;
 elem.style.wordBreak = 'break-word';
 switch (entry.decoration) {
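Review bot: The added line calls `entities.decode(...)`, but the hunk shows no binding for `entities` and the patch adds no import (one insertion only), so it relies on CompileErrorTrace.js already having that name in scope, presumably from the encoding step the description mentions; this should be confirmed before merging. The decode also has to be the exact inverse of that earlier encode: if the options differ, compiler output that merely looks like an entity (a literal `&lt;` in a source excerpt, say) would be displayed altered, although `textContent` still keeps it from being parsed as markup. I would document the pairing above the assignment with `// content was entity-encoded before ANSI parsing; decode and assign as text so it is never parsed as HTML`. A regression test asserting that an error message containing angle brackets produces a span with no child elements would pin the behaviour. The body of CompileErrorTrace starts and ends outside the hunk, so the encode call itself is not visible here.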