
fix(site): close DOM-XSS in the deployed trace.js#12

Merged
Thormatt merged 1 commit into
mainfrom
fix/site-trace-xss
Jun 12, 2026

Conversation

@Thormatt

Owner

The verification artifact's site/trace.js read claim titles back via .textContent (entities decoded) then re-injected them through innerHTML when building the ledger and verdict pill — re-opening the DOM-XSS that server-side escaping closes. The rendering asset copy was fixed in #10; the site/ source-of-truth original (deployed to the demo site) was missed. Now builds the row/pill with createElement + textContent only.

Also gitignores the .playwright-mcp/ browser-verification artifacts.

🤖 Generated with Claude Code

The verification artifact's trace.js read claim titles back via
.textContent (entities decoded) and re-injected them through
innerHTML when building the ledger and verdict pill — re-opening the
XSS the server-side escaping closes. The rendering asset copy was
fixed in PR #10; the site/ source-of-truth original was missed. Build
the row/pill with createElement + textContent only. Also gitignore
the .playwright-mcp browser-verification artifacts.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
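The round-trip the PR description and commit message talk about, as an added example (not code from this PR or from the project's own trace.js): a title arrives server-escaped, `.textContent` hands it back entity-decoded, and string-building a row with that decoded text and assigning it to `innerHTML` turns the decoded text back into markup. The `createElement` + `textContent` version keeps it as text. The small `document` stand-in is an assumption so the file runs under Node; in a browser the real `document` is used. The sample title is constructed and carries only a harmless `<i>` tag so the extra node is visible.

```javascript
// Server-side escaping: what the rendered HTML arrives with.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// What `.textContent` returns for that node: the entity-decoded text.
function decodeEntities(s) {
  return String(s)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Vulnerable pattern: markup built as a string from the decoded title,
// destined for `el.innerHTML = ...`. Any tag in the title becomes a real node.
function buildRowUnsafe(decodedTitle) {
  return `<tr class="claim"><td>${decodedTitle}</td></tr>`;
}

// Minimal element stand-in (assumption, only for running outside a browser).
// It serialises the way a browser does: text set via textContent is escaped.
function makeDocument() {
  class El {
    constructor(tag) { this.tagName = tag; this.children = []; this.text = ''; this.className = ''; }
    set textContent(v) { this.text = String(v); this.children = []; }
    get textContent() { return this.text; }
    appendChild(child) { this.children.push(child); return child; }
    get outerHTML() {
      const cls = this.className ? ` class="${escapeHtml(this.className)}"` : '';
      const inner = this.children.length
        ? this.children.map((c) => c.outerHTML).join('')
        : escapeHtml(this.text);
      return `<${this.tagName}${cls}>${inner}</${this.tagName}>`;
    }
  }
  return { createElement: (tag) => new El(tag) };
}

const doc = typeof document !== 'undefined' ? document : makeDocument();

// Fixed pattern: build nodes and set the title through textContent only,
// so the decoded text never gets parsed as markup again.
function buildRowSafe(decodedTitle, d = doc) {
  const tr = d.createElement('tr');
  tr.className = 'claim';
  const td = d.createElement('td');
  td.textContent = decodedTitle;
  tr.appendChild(td);
  return tr;
}

// Count opening tags in a markup string; a title that smuggles a tag adds one.
function countTags(html) {
  return (html.match(/<[a-z][^>]*>/gi) || []).length;
}

// Constructed sample: a claim title containing a harmless tag.
const SAMPLE_TITLE = 'Claim <i>injected</i> title';

function demo(title = SAMPLE_TITLE) {
  const served = escapeHtml(title);          // what the server emitted
  const readBack = decodeEntities(served);   // what .textContent gives back
  const unsafe = buildRowUnsafe(readBack);   // would be assigned to innerHTML
  const safe = buildRowSafe(readBack).outerHTML;
  return {
    served,
    readBack,
    unsafe,
    safe,
    unsafeTags: countTags(unsafe),           // 3: tr, td, and the smuggled <i>
    safeTags: countTags(safe),               // 2: tr and td only
  };
}

console.log(demo());
```

Run it with `node` to see the two serialisations side by side: the unsafe row contains a live `<i>` element while the safe row contains the literal text `&lt;i&gt;`. The same reasoning applies to the verdict pill or any other node built from text that was read back out of the DOM.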
@Thormatt Thormatt merged commit a1112ec into main Jun 12, 2026
3 checks passed
@Thormatt Thormatt deleted the fix/site-trace-xss branch June 12, 2026 21:17