Koko210/miku-discord
1
0
Fork 0
Code Issues 34 Pull Requests Actions Packages Projects Releases Wiki Activity

fix: prevent XSS in addChatMessage by using textContent for user input

Browse Source 
- Escape sender name via escapeHtml in innerHTML template
- Set message content via textContent instead of innerHTML injection
- Prevents HTML/script injection from user input or LLM responses
This commit is contained in:
koko210Serve
2026-02-28 23:32:28 +02:00
parent 7a10206617
commit 191a368258
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
bot/static/index.html
View File

@@ -5024,12 +5024,15 @@ function addChatMessage(sender, content, isError = false) {
messageDiv.innerHTML = ` messageDiv.innerHTML = `
<div class="chat-message-header"> <div class="chat-message-header">
<span class="chat-message-sender">${sender}</span> <span class="chat-message-sender">${escapeHtml(sender)}</span>
<span class="chat-message-time">${timestamp}</span> <span class="chat-message-time">${timestamp}</span>
</div> </div>
<div class="chat-message-content">${content}</div> <div class="chat-message-content"></div>
`; `;
// Set content via textContent to prevent XSS
messageDiv.querySelector('.chat-message-content').textContent = content;
chatMessages.appendChild(messageDiv); chatMessages.appendChild(messageDiv);
// Scroll to bottom // Scroll to bottom