diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000000..8c6bb63d4e
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2026-05-17 - Prevent XSS in generic UI components
+**Vulnerability:** XSS vulnerability in `showConfirmDialog` via unsafe `innerHTML` interpolation of `title` and `message`.
+**Learning:** Generic UI components that accept parameters often construct DOM elements using template literals and `innerHTML`, making them vulnerable if untrusted input is passed.
+**Prevention:** Always use `textContent` for text-only inputs, or sanitize HTML inputs using `DOMPurify` (e.g., `sanitizeHtml`) before injecting them into the DOM.
diff --git a/webui/js/confirmDialog.js b/webui/js/confirmDialog.js
index 6289af608b..74f8925a3b 100644
--- a/webui/js/confirmDialog.js
+++ b/webui/js/confirmDialog.js
@@ -1,6 +1,7 @@
 // Custom confirmation dialog. CSS in /css/modals.css
 import { callJsExtensions } from "/js/extensions.js";
+import { sanitizeHtml } from "/js/safe-markdown.js";
 const DIALOG_TYPES = {
 warning: { icon: 'warning', color: 'var(--color-warning, #f59e0b)' },
@@ -31,12 +32,12 @@ export function showConfirmDialog(options) {
 dialog.innerHTML = `
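Review bot: The new `import { sanitizeHtml } from "/js/safe-markdown.js";` routes `title` and `message` through a markdown sanitizer rather than escaping them, so if that sanitizer strips unknown elements (the sentinel entry in this commit describes it as DOMPurify-based) a plain-text title such as `Delete <config>?` would silently lose the bracketed word while any allow-listed markup stays live in the dialog. If the call sites only ever pass plain strings, the tighter fix is the one the same sentinel entry recommends: set them via `textContent` (or an HTML-escape helper) and reserve `sanitizeHtml` for inputs that are meant to carry markup. At minimum, note the contract next to the import, e.g. `// title/message are rendered as HTML after sanitizeHtml; plain text containing < or & must be escaped by the caller`. The hunk where the interpolations change continues past the end of this excerpt, and the sanitizer's allow-list is not visible here, so the exact stripping behaviour should be confirmed in safe-markdown.js.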
${typeConfig.icon} - ${title} + ${sanitizeHtml(title)}
-
${message}
+
${sanitizeHtml(message)}
`;