From 191a3682582704606dc1bef39921d78ece1ed9dc Mon Sep 17 00:00:00 2001
From: koko210Serve
Date: Sat, 28 Feb 2026 23:32:28 +0200
Subject: [PATCH] fix: prevent XSS in addChatMessage by using textContent for user input

- Escape sender name via escapeHtml in innerHTML template
- Set message content via textContent instead of innerHTML injection
- Prevents HTML/script injection from user input or LLM responses
---
 bot/static/index.html | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/bot/static/index.html b/bot/static/index.html
index 7faf356..c82a801 100644
--- a/bot/static/index.html
+++ b/bot/static/index.html
@@ -5024,12 +5024,15 @@ function addChatMessage(sender, content, isError = false) {
 messageDiv.innerHTML = `
- ${sender} + ${escapeHtml(sender)} ${timestamp}
-
${content}
+
`;
+ // Set content via textContent to prevent XSS
+ messageDiv.querySelector('.chat-message-content').textContent = content;
+
 chatMessages.appendChild(messageDiv);
 // Scroll to bottom