From fe97be20d2cbeb24d3bdb600f631cef9ae6c08d5 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sun, 17 May 2026 08:55:08 +0000
Subject: [PATCH] Fix XSS vulnerability in confirmDialog.js by applying DOMPurify

Sanitized the interpolated inputs to dialog.innerHTML using sanitizeHtml.

Co-authored-by: thirdeyenation <133812267+thirdeyenation@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 webui/js/confirmDialog.js | 9 +++++----
 2 files changed, 9 insertions(+), 4 deletions(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000000..8c6bb63d4e
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2026-05-17 - Prevent XSS in generic UI components
+**Vulnerability:** XSS vulnerability in `showConfirmDialog` via unsafe `innerHTML` interpolation of `title` and `message`.
+**Learning:** Generic UI components that accept parameters often construct DOM elements using template literals and `innerHTML`, making them vulnerable if untrusted input is passed.
+**Prevention:** Always use `textContent` for text-only inputs, or sanitize HTML inputs using `DOMPurify` (e.g., `sanitizeHtml`) before injecting them into the DOM.
diff --git a/webui/js/confirmDialog.js b/webui/js/confirmDialog.js
index 6289af608b..74f8925a3b 100644
--- a/webui/js/confirmDialog.js
+++ b/webui/js/confirmDialog.js
@@ -1,6 +1,7 @@
 // Custom confirmation dialog. CSS in /css/modals.css
 import { callJsExtensions } from "/js/extensions.js";
+import { sanitizeHtml } from "/js/safe-markdown.js";
 const DIALOG_TYPES = {
 warning: { icon: 'warning', color: 'var(--color-warning, #f59e0b)' },
@@ -31,12 +32,12 @@ export function showConfirmDialog(options) {
 dialog.innerHTML = `
${typeConfig.icon} - ${title} + ${sanitizeHtml(title)}
-
${message}
+
${sanitizeHtml(message)}
`;
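Review bot: Wrapping `title` and `message` in `sanitizeHtml()` while still assigning the result through `dialog.innerHTML` makes the dialog's safety depend entirely on the allow-list of `sanitizeHtml` in `/js/safe-markdown.js`, which is not visible in this hunk; if the dialog only ever needs plain text, the stronger fix is to keep the template static and set the title and message nodes with `textContent` after the assignment, which is also what the new `.jules/sentinel.md` entry recommends for text-only inputs. The subject line credits DOMPurify, but the hunk only shows the `sanitizeHtml` import, so it is worth confirming that helper wraps DOMPurify rather than a markdown-specific escaper before relying on it as the XSS boundary. If markup in `message` is genuinely required, add a comment at the `dialog.innerHTML = \`` line such as `// title/message may carry markup from callers; sanitizeHtml() is the trust boundary — never interpolate unsanitized values here` so a later edit does not reintroduce a raw interpolation. The `showConfirmDialog` parameter handling and the rest of the function are outside this hunk, so it cannot be seen here whether `title`/`message` are defaulted before reaching `sanitizeHtml`.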