
Improve HTML escaping in Vomnibar suggestions #4900

Open

ademuri wants to merge 1 commit into philc:master from ademuri:escape

Improve HTML escaping in Vomnibar suggestions#4900
ademuri wants to merge 1 commit into
philc:masterfrom
ademuri:escape

Conversation

@ademuri (Contributor) commented Apr 30, 2026

Description

This change hardens the Vomnibar against potential HTML injection by:

  • Updating Utils.escapeHtml to escape all special characters (&, <, >, ", ').
  • Ensuring this.description is escaped in Suggestion.generateHtml.
  • Adding unit tests for Utils.escapeHtml and Suggestion descriptions.

While these fields were mostly safe due to being rendered in text nodes or being user-configured, these improvements align with best practices and provide defense-in-depth.

This change escapes HTML in custom search engine descriptions

This change hardens the Vomnibar against potential HTML injection by:
- Updating Utils.escapeHtml to escape all special characters (&, <, >, ", ').
- Ensuring this.description is properly escaped in Suggestion.generateHtml.
- Adding unit tests for Utils.escapeHtml and Suggestion descriptions.

While these fields were mostly safe due to being rendered in text nodes or being user-configured, these improvements align with best practices and provide defense-in-depth.
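As an added example that is not part of this pull request or of Vimium's code base, the script below shows an escaper covering the five characters listed in the description (&, <, >, ", ') next to a hypothetical tags-only escaper, and renders a constructed suggestion through both to check which one leaves the markup's own delimiters untouched. The names renderSuggestion, escapeTagsOnly, markupIsIntact and the suggestion fields are assumptions made for this example, not Vimium's API.

```javascript
// Added example for this thread; it is not Vimium's own code. Names such
// as renderSuggestion and the suggestion fields are assumptions.

// Replacement table for the five HTML-significant characters.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Full escaper: a single regex pass over a lookup table, so every
// character is rewritten exactly once. Input that already contains an
// entity such as "&lt;" comes out as "&amp;lt;" and renders literally;
// that is the intended behaviour for a raw, user-configured string.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical weaker escaper that only neutralises tag delimiters.
// Adequate when the result becomes a text node, not when it is
// interpolated into a quoted attribute value.
function escapeTagsOnly(value) {
  return String(value).replace(/[<>]/g, (ch) => HTML_ESCAPES[ch]);
}

// Renders one Vomnibar-style suggestion as an HTML string. The
// description is used twice: inside a quoted attribute and as a text
// node. The escaper is a parameter so both variants can be compared.
function renderSuggestion({ title, url, description }, esc = escapeHtml) {
  return (
    `<div class="suggestion" title="${esc(description)}">` +
    `<span class="title">${esc(title)}</span>` +
    `<span class="url">${esc(url)}</span>` +
    `<span class="description">${esc(description)}</span>` +
    `</div>`
  );
}

// Structural invariant of the template above: exactly 8 '<' (four
// opening and four closing tags) and exactly 10 '"' (five quoted
// attributes). Any extra delimiter must have come from interpolated data.
const TEMPLATE_LT = 8;
const TEMPLATE_QUOTES = 10;

function countChar(s, ch) {
  let n = 0;
  for (const c of s) if (c === ch) n++;
  return n;
}

// True when the rendered markup carries only the template's own
// delimiters, i.e. no interpolated field opened a tag or closed a quote.
function markupIsIntact(html) {
  return (
    countChar(html, "<") === TEMPLATE_LT &&
    countChar(html, '"') === TEMPLATE_QUOTES
  );
}

// Constructed suggestion whose description contains every special character.
const SAMPLE = {
  title: "Custom engine",
  url: "https://example.com/search?q=%s",
  description: `Say "hi" & <b>bold</b> 'quoted'`,
};

// Quick self-check when run directly with node.
const full = renderSuggestion(SAMPLE);
const partial = renderSuggestion(SAMPLE, escapeTagsOnly);
console.log("full escaper intact:", markupIsIntact(full));         // true
console.log("tags-only escaper intact:", markupIsIntact(partial)); // false
```

Run it with node. The tags-only escaper keeps the `<b>` out of the tag stream but lets the two `"` characters in the description terminate the title attribute, which is why an escaper meant for string interpolation must cover quotes as well as angle brackets. The companion caveat is double escaping: a field that is already escaped upstream becomes literal `&amp;lt;` text if escaped again, so escape each value exactly once, at the point where it is interpolated into markup.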