fix: sanitize AI-generated content to prevent stored XSS #139

Merged
pook merged 1 commit from fix/116-sanitize-ai-generated-content into main 2026-04-09 06:14:18 -04:00
Owner

Summary

  • Adds sanitizeGeneratedContent() utility that HTML-entity-encodes <, >, &, ", and ' in AI-generated document content
  • Applied in document-generator.ts after receiving LLM output and before storing/returning, preventing stored XSS
  • 11 unit tests covering malicious payloads (<script>, <img onerror>, nested tags, event handlers) and benign input (ampersands, quotes, Markdown syntax)

Closes #116

Test plan

  • <script>alert(1)</script> encoded to safe entities
  • <img onerror> XSS vectors neutralized
  • Legitimate content with &, quotes correctly encoded
  • Markdown syntax passes through unaffected
  • All 11 unit tests pass
AI-generated documents were rendered in user browsers without HTML entity
encoding, creating a stored XSS vector. This adds sanitization of <, >, &,
", and ' in all generated text fields before storage and response.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
pook merged commit 23f7669819 into main 2026-04-09 06:14:12 -04:00
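
The encoding step described in this PR, as an added TypeScript example that is not the project's own `sanitizeGeneratedContent()` code. The `GeneratedDoc` shape, the function names, the sample values, and the exact entity spellings are assumptions made for illustration.

```typescript
// Added illustration: not the project's sanitizeGeneratedContent() source.
// Entity spellings (e.g. &#39; for ') are an assumption; the PR does not list them.
const HTML_ENTITIES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// One regex pass: every special character is replaced exactly once, so the "&"
// that starts an emitted entity is never re-encoded within the same call.
function encodeHtmlEntities(text: string): string {
  return text.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch] || ch);
}

// Hypothetical document shape; the real fields live in document-generator.ts.
interface GeneratedDoc {
  title: string;
  sections: { heading: string; body: string }[];
}

// Encode every text field, returning a new object instead of mutating the input.
function sanitizeDoc(doc: GeneratedDoc): GeneratedDoc {
  return {
    title: encodeHtmlEntities(doc.title),
    sections: doc.sections.map((s) => ({
      heading: encodeHtmlEntities(s.heading),
      body: encodeHtmlEntities(s.body),
    })),
  };
}

// Constructed sample standing in for LLM output.
const sampleDoc: GeneratedDoc = {
  title: "Access Policy <script>alert(1)</script>",
  sections: [
    { heading: "Roles & Duties", body: "**Owners** approve; see `policy.md`." },
    { heading: "Notes", body: "> quoted line\n<img src=x onerror=alert(1)>" },
  ],
};

const safeDoc = sanitizeDoc(sampleDoc);
console.log(JSON.stringify(safeDoc, null, 2));
```

This encoder is not idempotent, so it should run exactly once per field: a second pass, or a renderer that escapes again, turns `&lt;` into `&amp;lt;`. A leading Markdown `>` (blockquote marker) is encoded like any other `>`, while `**`, backticks and `#` are untouched.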
Reference
pook/compliancebot!139