airkjw/claude-mem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MAESTRO: Add DOMPurify XSS defense-in-depth to TerminalPreview (closes PR #896)

Browse Source 
PR #896 identified a valid XSS concern in TerminalPreview.tsx but was
broken (missing DOMPurify import and dependency). The existing
escapeXML:true on AnsiToHtml already mitigates the vector, but
DOMPurify adds defense-in-depth sanitization.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Alex Newman
2026-02-05 18:14:46 -05:00
parent e6af8d207a
commit d0b4c7ee59
5 changed files with 27 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Auto Run Docs/PR-Triage/PR-Triage-03.md
+2 -1
View File
@@ -14,4 +14,5 @@ Two PRs fix the same CORS vulnerability (worker allows `Access-Control-Allow-Ori
## XSS Vulnerability in Viewer UI
- [ ] Review PR #896 (`[Security] Fix HIGH vulnerability: V-003` by @orbisai0security). File: `src/ui/viewer/components/TerminalPreview.tsx`. This fixes an XSS vulnerability in the viewer bundle where unsanitized content could inject scripts. Steps: (1) `gh pr checkout 896` (2) Review the TerminalPreview.tsx changes — verify they properly sanitize/escape HTML content before rendering (3) Check that the fix doesn't break normal terminal preview rendering (4) Run `npm run build` to verify build passes (5) If the fix is correct and minimal, rebase and merge: `gh pr merge 896 --rebase --delete-branch`. **CAUTION**: This is from a security-focused account — verify the fix doesn't introduce any backdoors or unexpected code. Review every line carefully.
- [x] Review PR #896 (`[Security] Fix HIGH vulnerability: V-003` by @orbisai0security). File: `src/ui/viewer/components/TerminalPreview.tsx`. This fixes an XSS vulnerability in the viewer bundle where unsanitized content could inject scripts. Steps: (1) `gh pr checkout 896` (2) Review the TerminalPreview.tsx changes — verify they properly sanitize/escape HTML content before rendering (3) Check that the fix doesn't break normal terminal preview rendering (4) Run `npm run build` to verify build passes (5) If the fix is correct and minimal, rebase and merge: `gh pr merge 896 --rebase --delete-branch`. **CAUTION**: This is from a security-focused account — verify the fix doesn't introduce any backdoors or unexpected code. Review every line carefully.
> ✅ Closed PR #896 — the submitted fix was broken (missing `import DOMPurify` and missing `dompurify` dependency in package.json, so it wouldn't compile). Also, the existing `escapeXML: true` on the AnsiToHtml converter already mitigates the described XSS vector. Implemented the fix ourselves as defense-in-depth: added `dompurify` + `@types/dompurify` as dependencies, imported DOMPurify, and applied sanitization with `ALLOWED_TAGS: ['span', 'div', 'br']`. Build passes, all existing tests pass.