Metadata
| Status | done |
|---|---|
| Assigned | agent-1491 |
| Agent identity | f51439356729d112a6c404803d88015d5b44832c6c584c62b96732b63c2b0c7e |
| Created | 2026-05-02T02:34:35.806526207+00:00 |
| Started | 2026-05-02T02:39:22.690239845+00:00 |
| Completed | 2026-05-02T03:02:46.158986557+00:00 |
| Tags | bug, wg-html, xss, security, eval-scheduled |
| Eval score | 0.90 |
| └ blocking impact | 0.90 |
| └ completeness | 0.94 |
| └ coordination overhead | 0.92 |
| └ correctness | 0.94 |
| └ downstream usability | 0.88 |
| └ efficiency | 0.88 |
| └ intent fidelity | 0.94 |
| └ style adherence | 0.92 |
Description
The integration test tests/integration_html.rs::description_html_is_escaped fails on main: the new <div id="desc-pretty" class="description-rendered"> block (added by polish-wg-html) renders the task description through pulldown-cmark and writes the result raw — letting <script>alert('pwn')</script> through. The companion <pre id="desc-raw"> correctly escapes, but the "pretty" view does not.
Reproduction:
cargo test --release --test integration_html description_html_is_escaped
Likely fix: post-process pulldown-cmark output through an HTML sanitizer (e.g. ammonia crate) that strips <script> and dangerous attributes before injecting into the page. Apply on the per-task page render path and any other place description_html is emitted.
Found while working on fix-android-firefox-wg-html-font-fallback.
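The two rendering paths the report contrasts, together with the kind of check the failing integration test makes, as an added example in Rust (this is not the project's src/html.rs or its test; escape_html, render_pretty_unsafe, has_active_content and the vector list are names and inputs constructed for this illustration). It runs with plain rustc and shows why the escaping desc-raw path is safe while writing rendered HTML through unchanged is not:

```rust
// Added example, not the project's code. Models the desc-raw path (escape),
// the buggy desc-pretty path (raw write-through) and an integration-test
// style detector for the active content the validation list names.

/// Escape the five HTML-significant characters (what the <pre id="desc-raw">
/// path does). Output is inert text, never markup.
pub fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// The buggy "pretty" path: treats already-rendered HTML as trusted and
/// writes it into the page unchanged (hypothetical stand-in for the bug).
pub fn render_pretty_unsafe(rendered_html: &str) -> String {
    format!("<div id=\"desc-pretty\" class=\"description-rendered\">{rendered_html}</div>")
}

/// Integration-test helper: true if `html` still carries any of the active
/// content the validation list names. Deliberately a substring heuristic
/// (fine for a regression test), not a sanitizer-grade parse.
pub fn has_active_content(html: &str) -> bool {
    let lower = html.to_ascii_lowercase();
    const TAGS: [&str; 5] = ["<script", "<iframe", "<object", "<embed", "<style"];
    if TAGS.iter().any(|t| lower.contains(t)) {
        return true;
    }
    // Look only inside tags (text between '<' and the next '>'), so escaped
    // text such as "&lt;a href=&quot;javascript:..." is not flagged.
    lower.split('<').skip(1).any(|rest| {
        let tag = rest.split('>').next().unwrap_or("");
        let compact: String = tag.chars().filter(|c| !c.is_whitespace()).collect();
        // javascript: URLs in attributes, and on* event-handler attributes
        compact.contains("javascript:")
            || tag.split_whitespace().any(|tok| tok.starts_with("on") && tok.contains('='))
    })
}

/// Constructed inputs covering the vectors the validation list enumerates.
pub const VECTORS: [&str; 6] = [
    "<script>alert('pwn')</script>",
    "<iframe src=\"https://example.invalid/\"></iframe>",
    "<object data=\"x\"></object><embed src=\"x\">",
    "<a href=\"javascript:alert(1)\">click</a>",
    "<p onclick=\"alert(1)\">hi</p>",
    "<body onload=\"alert(1)\">",
];

/// Run every vector through a rendering path; return the ones that leak.
pub fn leaking_vectors(render: impl Fn(&str) -> String) -> Vec<&'static str> {
    VECTORS
        .iter()
        .copied()
        .filter(|v| has_active_content(&render(v)))
        .collect()
}

fn main() {
    let leaked = leaking_vectors(render_pretty_unsafe);
    println!("raw write-through leaks {} of {} vectors", leaked.len(), VECTORS.len());
    let leaked = leaking_vectors(|s| render_pretty_unsafe(&escape_html(s)));
    println!("escaped path leaks {} of {} vectors", leaked.len(), VECTORS.len());
}
```

The fix for the pretty path is sanitizing rather than escaping: escaping would turn the markdown rendering back into visible markup, while an allowlist sanitizer keeps the harmless tags and drops the rest.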
Validation
- cargo test --release --test integration_html description_html_is_escaped passes
- No regressions in cargo test --release --test integration_html
- Sanitizer also blocks <iframe>, <object>, javascript: URLs in href attrs, and onclick/onload event handlers
- Add at least one test for each new sanitizer rule
Depends on
Required by
- (none)
Log
- 2026-05-02T02:39:19.058959308+00:00 Lightweight assignment: agent=Careful Programmer (f5143935), exec_mode=full, context_scope=task, reason=Security-critical XSS fix with 4 validation points requires careful implementation and comprehensive testing; Careful Programmer's Careful tradeoff and strong track record (0.80 score, 532 tasks) matches the correctness-critical nature.
- 2026-05-02T02:39:22.690245856+00:00 Spawned by coordinator --executor claude --model opus
- 2026-05-02T02:39:35.101818560+00:00 Starting work — exploring src/html.rs and integration test for XSS vector
- 2026-05-02T03:01:52.306238363+00:00 Implemented XSS hardening: added ammonia=4 sanitizer in src/html.rs::markdown_to_html, with explicit url_schemes allowlist (http/https/mailto/tel/ftp/ftps) and rm_tags for script/iframe/object/embed/style. 7 new sanitizer tests added in tests/integration_html.rs (iframe, object+embed, javascript: URL in markdown link, javascript: URL in raw anchor, onclick, onload, safe-markdown preservation). All 43 integration_html tests pass.
- 2026-05-02T03:02:35.779036056+00:00 Committed: b61e7f8d1 — pushed to remote (branch wg/agent-1491/fix-xss-in)
- 2026-05-02T03:02:46.158992027+00:00 Task pending eval (agent reported done; awaiting `.evaluate-*` to score)
- 2026-05-02T03:06:15.501007024+00:00 PendingEval → Done (evaluator passed; downstream unblocks)