security(browser-extension): fix DOM-based XSS vulnerability (#838)

2026-05-20 00:56:41 +00:00 · 2026-05-11 11:26:42 +02:00 · 2026-05-11 11:26:42 +02:00 · d6b7ab1da1
commit d6b7ab1da1
parent 982632a173
3 changed files with 10 additions and 15 deletions
--- a/apps/browser-extension/entrypoints/content/chatgpt.ts
+++ b/apps/browser-extension/entrypoints/content/chatgpt.ts
@ -159,7 +159,7 @@ async function getRelatedMemoriesForChatGPT(actionSource: string) {
 		if (response?.success && response?.data) {
 			const promptElement = document.getElementById("prompt-textarea")
 			if (promptElement) {
-				promptElement.dataset.supermemories = `<div>Supermemories of user (only for the reference): ${response.data}</div>`
+				promptElement.dataset.supermemories = `\n\nSupermemories of user (only for the reference): ${response.data}`
 				console.log(
 					"Prompt element dataset:",
 					promptElement.dataset.supermemories,
@ -471,7 +471,7 @@ function updateChatGPTIconFeedback(

 				const promptElement = document.getElementById("prompt-textarea")
 				if (promptElement) {
-					promptElement.dataset.supermemories = `<div>Supermemories of user (only for the reference): ${updatedMemories}</div>`
+					promptElement.dataset.supermemories = `\n\nSupermemories of user (only for the reference): ${updatedMemories}`
 				}

 				content
@ -647,7 +647,7 @@ function setupChatGPTPromptCapture() {
 			promptTextarea &&
 			!promptContent.includes("Supermemories of user")
 		) {
-			promptTextarea.innerHTML = `${promptTextarea.innerHTML} ${storedMemories}`
+			promptTextarea.appendChild(document.createTextNode(storedMemories))
 			promptContent = promptTextarea.textContent || ""
 		}

--- a/apps/browser-extension/entrypoints/content/claude.ts
+++ b/apps/browser-extension/entrypoints/content/claude.ts
@ -230,7 +230,7 @@ async function getRelatedMemoriesForClaude(actionSource: string) {
 			) as HTMLElement

 			if (textareaElement) {
-				textareaElement.dataset.supermemories = `<div>Supermemories of user (only for the reference): ${response.data}</div>`
+				textareaElement.dataset.supermemories = `\n\nSupermemories of user (only for the reference): ${response.data}`
 				console.log(
 					"Text element dataset:",
 					textareaElement.dataset.supermemories,
@ -442,7 +442,7 @@ function updateClaudeIconFeedback(
 					'div[contenteditable="true"]',
 				) as HTMLElement
 				if (textareaElement) {
-					textareaElement.dataset.supermemories = `<div>Supermemories of user (only for the reference): ${updatedMemories}</div>`
+					textareaElement.dataset.supermemories = `\n\nSupermemories of user (only for the reference): ${updatedMemories}`
 				}

 				content
@ -520,7 +520,7 @@ function setupClaudePromptCapture() {
 			contentEditableDiv &&
 			!promptContent.includes("Supermemories of user")
 		) {
-			contentEditableDiv.innerHTML = `${contentEditableDiv.innerHTML} ${storedMemories}`
+			contentEditableDiv.appendChild(document.createTextNode(storedMemories))
 			promptContent =
 				contentEditableDiv.textContent || contentEditableDiv.innerText || ""
 		}
--- a/apps/browser-extension/entrypoints/content/t3.ts
+++ b/apps/browser-extension/entrypoints/content/t3.ts
@ -238,13 +238,8 @@ async function getRelatedMemoriesForT3(actionSource: string) {
 			}

 			if (textareaElement) {
-				if (textareaElement.tagName === "TEXTAREA") {
-					;(textareaElement as HTMLTextAreaElement).dataset.supermemories =
-						`<br>Supermemories of user (only for the reference): ${response.data}</br>`
-				} else {
-					;(textareaElement as HTMLElement).dataset.supermemories =
-						`<br>Supermemories of user (only for the reference): ${response.data}</br>`
-				}
+				textareaElement.dataset.supermemories =
+					`\n\nSupermemories of user (only for the reference): ${response.data}`

 				iconElement.dataset.memoriesData = response.data

@ -450,7 +445,7 @@ function updateT3IconFeedback(
 					(document.querySelector("textarea") as HTMLTextAreaElement) ||
 					(document.querySelector('div[contenteditable="true"]') as HTMLElement)
 				if (textareaElement) {
-					textareaElement.dataset.supermemories = `<div>Supermemories of user (only for the reference): ${updatedMemories}</div>`
+					textareaElement.dataset.supermemories = `\n\nSupermemories of user (only for the reference): ${updatedMemories}`
 				}

 				content
@ -537,7 +532,7 @@ function setupT3PromptCapture() {
 					`${promptContent} ${storedMemories}`
 				promptContent = (textareaElement as HTMLTextAreaElement).value
 			} else {
-				textareaElement.innerHTML = `${textareaElement.innerHTML} ${storedMemories}`
+				textareaElement.appendChild(document.createTextNode(storedMemories))
 				promptContent =
 					textareaElement.textContent || textareaElement.innerText || ""
 			}