mirror of
https://github.com/pewdiepie-archdaemon/odysseus.git
synced 2026-06-19 11:15:24 -04:00
nopoz
076e8c93c9
chatRenderer.js built the model-info popup HTML by concatenating the model name (from the LLM response's model/answered_by field) into popup.innerHTML without escaping, so a model advertised as an HTML/script payload executed when the user clicked the role label. Wrap both insertions with the uiModule.esc() helper the same function already uses. Also apply existing escape helpers at two latent sinks flagged by CodeQL, fed only by self-authored/server values today: document-tab title via _esc(), and the calendar event background URL (escape the double quote that would otherwise break out of the style="..." attribute).