From e6ec050ec3921cfcf1503d349d7596cfc320f748 Mon Sep 17 00:00:00 2001
From: Pete Christianson <perter@gmail.com>
Date: Wed, 4 Mar 2026 00:42:08 -0800
Subject: [PATCH] Fix XSS in memory-browser-panel

Replace dangerouslySetInnerHTML with React elements for inline
formatting (bold/italic). New renderInlineFormatting() helper returns
React nodes instead of raw HTML strings, eliminating XSS risk from
user-controlled memory content.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../panels/memory-browser-panel.tsx           | 40 +++++++++++++------
 1 file changed, 27 insertions(+), 13 deletions(-)

diff --git a/src/components/panels/memory-browser-panel.tsx b/src/components/panels/memory-browser-panel.tsx
index 7eeba6e..5980125 100644
--- a/src/components/panels/memory-browser-panel.tsx
+++ b/src/components/panels/memory-browser-panel.tsx
@@ -271,6 +271,30 @@ export function MemoryBrowserPanel() {
     ))
   }
 
+  const renderInlineFormatting = (text: string): React.ReactNode[] => {
+    const parts: React.ReactNode[] = []
+    const regex = /(\*\*.*?\*\*|\*.*?\*)/g
+    let lastIndex = 0
+    let match: RegExpExecArray | null
+    let key = 0
+    while ((match = regex.exec(text)) !== null) {
+      if (match.index > lastIndex) {
+        parts.push(text.slice(lastIndex, match.index))
+      }
+      const m = match[0]
+      if (m.startsWith('**') && m.endsWith('**')) {
+        parts.push(<strong key={key++}>{m.slice(2, -2)}</strong>)
+      } else if (m.startsWith('*') && m.endsWith('*')) {
+        parts.push(<em key={key++}>{m.slice(1, -1)}</em>)
+      }
+      lastIndex = regex.lastIndex
+    }
+    if (lastIndex < text.length) {
+      parts.push(text.slice(lastIndex))
+    }
+    return parts
+  }
+
   const renderMarkdown = (content: string) => {
     // Improved markdown rendering with proper line handling
     const lines = content.split('\n')
@@ -323,20 +347,10 @@ export function MemoryBrowserPanel() {
         elements.push(<div key={`${i}-space`} className="mb-2"></div>)
       } else if (trimmedLine.length > 0) {
         if (inList) inList = false
-        // Handle inline formatting — escape HTML entities first to prevent XSS
-        let content = trimmedLine
-          .replace(/&/g, '&amp;')
-          .replace(/</g, '&lt;')
-          .replace(/>/g, '&gt;')
-          .replace(/"/g, '&quot;')
-          .replace(/'/g, '&#039;')
-        // Simple bold formatting
-        content = content.replace(/\*\*(.*?)\*\*/g, '<strong>$1</strong>')
-        // Simple italic formatting
-        content = content.replace(/\*(.*?)\*/g, '<em>$1</em>')
-        
         elements.push(
-          <p key={`${i}-p`} className="mb-2" dangerouslySetInnerHTML={{ __html: content }}></p>
+          <p key={`${i}-p`} className="mb-2">
+            {renderInlineFormatting(trimmedLine)}
+          </p>
         )
       }
     }