From 989969375db60739a37d9c715c9c52b3d7a2d418 Mon Sep 17 00:00:00 2001
From: James
Date: Mon, 23 Mar 2026 00:36:06 -0400
Subject: [PATCH] TASK-019: Fix XSS vulnerability in DICOM series display

- Add html.EscapeString() to series_desc when building Series struct
- Prevents JavaScript injection via malicious DICOM metadata

Security impact: XSS payloads in series descriptions now render as harmless text.
---
 portal/api_client.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/portal/api_client.go b/portal/api_client.go
index 0b7a9d1..2aacc36 100644
--- a/portal/api_client.go
+++ b/portal/api_client.go
@@ -4,6 +4,7 @@ import (
 "bytes"
 "encoding/json"
 "fmt"
+ "html"
 "io"
 "net/http"
 "sort"
@@ -189,7 +190,7 @@ func fetchStudiesWithSeries(dossierHex string) ([]Study, error) {
 for _, ser := range apiSeries {
 s.Series = append(s.Series, Series{
 ID: ser.ID,
- Description: ser.SeriesDesc,
+ Description: html.EscapeString(ser.SeriesDesc), // FIX TASK-019: XSS prevention
 Modality: ser.Modality,
 SliceCount: ser.SliceCount,
 })
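Review bot: The escaping in the second hunk of fetchStudiesWithSeries sits at the wrong layer: `Description` is now stored HTML-encoded inside the Series struct, so every consumer of that field pays for it — if the portal renders it through `html/template` the value is escaped a second time and a `<` shows up on screen as `&amp;lt;`, and a JSON API response, a log line or a DICOM export would carry HTML entities instead of the original text (the consumers are outside this diff, so this is inferred). Output-context escaping is the robust fix: keep the field raw and let the render path escape it, which `html/template` does automatically for text and attribute positions, whereas `html.EscapeString` gives no protection for a value interpolated into a JavaScript or URL context. The sibling fields `ID`, `Modality` and `SliceCount` come from the same untrusted metadata and are left unescaped, which also points to the rendering layer rather than this constructor as the place for the trust boundary. If storing escaped text is the intended design, say so on the field so nobody escapes again: `// Description is HTML-escaped at ingestion (TASK-019); render it as-is, do not escape twice.` The enclosing loop and function continue outside the hunk.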