Fix multiple bugs: XSS vulnerabilities, operator precedence, event listener loss, race condition#2180
Open
hobostay wants to merge 1 commit intomicrosoft:mainfrom
Open
Fix multiple bugs: XSS vulnerabilities, operator precedence, event listener loss, race condition#2180hobostay wants to merge 1 commit intomicrosoft:mainfrom
hobostay wants to merge 1 commit intomicrosoft:mainfrom
Conversation
…e condition
- Fix XSS in browserViewManager.ts: HTML-escape URLs and error messages
before interpolating into innerHTML via executeJavaScript (3 locations)
- Fix operator precedence bug in videoActionHandler.ts: `+` has higher
precedence than `??`, making `failure_reason ?? ""` dead code. Added
parentheses to correct the logic
- Fix unhandled promise rejection in setContent.ts: added .catch() handler
for CSS loading in iframe so content is still shown on fetch failure
- Fix event listener loss in setContent.ts: replaced `innerHTML +=` with
`insertAdjacentHTML("beforeend")` to avoid destroying existing DOM nodes
and their event listeners
- Fix race condition in webSocketAPI.ts: added `reconnecting` flag to
prevent multiple concurrent reconnection attempts on rapid socket closes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
hobostay
requested a deployment
to
development-fork
GitHub Actions
Waiting
hobostay
requested a deployment
to
development-fork
GitHub Actions
Waiting
robgruen
reviewed
Apr 10, 2026
| // only show the error if it's for the page the user was asking | ||
| // it's possible some other resource failed to load (image, script, etc.) | ||
| if (validatedURL === options.url) { | ||
| const safeUrl = options.url |
Collaborator
There was a problem hiding this comment.
Since this is pattern is repeated for safeErr, can we make this a utility method somewhere and call it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fix XSS in
browserViewManager.ts: Three locations directly interpolated URLs and error descriptions intodocument.body.innerHTMLviaexecuteJavaScriptwithout escaping. Malicious URLs containing<script>tags or HTML entities could execute arbitrary JavaScript in the Electron renderer. Fixed by HTML-escaping all interpolated values before use.Fix operator precedence bug in
videoActionHandler.ts: The expression"text" + statusData.failure_reason ?? ""evaluates as("text" + statusData.failure_reason) ?? ""because+has higher precedence than??. This makes the nullish coalescing operator dead code — whenfailure_reasonisundefined, the string"undefined"is displayed instead of an empty string. Added parentheses:(statusData.failure_reason ?? "").Fix unhandled promise rejection in
setContent.ts: ThePromise.all(promises).then(...)for loading CSS into iframes has no.catch()handler. If any CSS fetch fails, the iframe never getssrcdoccontent at all. Added a.catch()that renders the message content even without CSS.Fix event listener loss in
setContent.ts:contentElm.innerHTML += contentHtmlserializes and re-parses the entire DOM, destroying all existing event listeners on child elements (including previously-attached link click handlers). Replaced withinsertAdjacentHTML("beforeend")which preserves existing DOM nodes.Fix race condition in
webSocketAPI.ts: Theonclosehandler unconditionally callscreateWebSocket()whenautoReconnectis true. If the socket closes rapidly multiple times (e.g., network flapping), multiple concurrent reconnection attempts are spawned, potentially creating duplicate WebSocket connections. Added areconnectingflag to serialize reconnection attempts.Test plan
failure_reasonis undefined vs set🤖 Generated with Claude Code