From 5699f5a9fa7337f28f63bc5ba38d745526032931 Mon Sep 17 00:00:00 2001
From: tomohiro86
Date: Thu, 7 May 2026 23:58:25 +0900
Subject: [PATCH] [DevTools] Fix XSS in standalone onError via innerHTML
Use textContent instead of template literal interpolation when rendering error messages in the standalone DevTools shell to prevent potential XSS from unescaped error message strings.
---
 packages/react-devtools-core/src/standalone.js | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/packages/react-devtools-core/src/standalone.js b/packages/react-devtools-core/src/standalone.js
index 81f357751913..80ea51bc0246 100644
--- a/packages/react-devtools-core/src/standalone.js
+++ b/packages/react-devtools-core/src/standalone.js
@@ -195,11 +195,14 @@ function onError({code, message}: $FlowFixMe) {
Unknown error
-
- ${message} -
+
`;
+ // Use textContent to avoid XSS from error message strings.
+ const contentNode = node.querySelector('.box-content');
+ if (contentNode !== null) {
+ contentNode.textContent = message;
+ } } }
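Review bot: The `if (contentNode !== null)` guard added after the template literal silently drops the error message whenever `.box-content` is not found, leaving the shell showing only "Unknown error" with nothing to diagnose. The markup being queried appears to have just been written by this same function, so a missing node would be a programming error rather than a runtime condition; either let the lookup fail loudly or add an `else { node.textContent = message; }` fallback so the text is never lost. The surrounding template lines (around `Unknown error`) are stripped in this rendering, so I cannot confirm whether anything else — for example `code` from the destructured parameter — is still interpolated into the HTML; if it is, it needs the same textContent treatment. The body of `onError` begins above this hunk.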