[Senate] Fix XSS vulnerabilities with html.escape() in all HTML responses


ID: 93a2b028-d93 Priority: 95 Type: one_shot Status: resolved

Goal

Critical XSS vulnerabilities (H-1, H-2, H-3) in api.py: user-controlled data from the database is embedded in HTML without escaping. Locations: hypothesis_detail (lines 1311-1356), entity_detail (lines 2895-2993), and all other HTML-generating functions. Import html.escape() and apply it to ALL user-controlled content (entity names, hypothesis titles, evidence claims, paper titles, etc.) before embedding it in HTML. See docs/planning/security_audit_2026-04-02.md for full details.

Acceptance Criteria

☑ Concrete deliverables created
☑ Work log updated with timestamped entry

Work Log

2026-04-21 02:30 UTC - Slot 40

  • Re-evaluated the reopened XSS task against current api.py; broad html.escape() coverage already exists, but several Exchange, hypothesis detail, and entity detail HTML builders still used raw IDs/metadata in URL attributes or labels.
  • Added _html_text() and _url_segment() helpers for text/attribute escaping and URL path segment encoding.
  • Hardened raw hypothesis IDs, debate IDs, wiki slugs, experiment IDs, PMIDs, market event labels, evidence matrix fields, and version-history change reasons in the named HTML routes.
  • Added tests/test_html_output_safety.py regression coverage for script payload escaping and URL segment encoding.
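The helper pattern this entry describes, as an added illustration rather than the project's api.py code: `_html_text()` and `_url_segment()` are assumed reconstructions built on `html.escape()` and `urllib.parse.quote()`, and the entity-ID whitelist regex and the `/hypotheses/` URL shape are assumptions.

```python
import html
import re
from urllib.parse import quote

# Assumed reconstructions of the two helpers named in the work log; the
# real api.py implementations are not reproduced on this page.
def _html_text(value) -> str:
    """Escape a value for use as HTML text or inside a quoted attribute."""
    # quote=True also escapes " and ', so the result is safe in attributes.
    return html.escape(str(value), quote=True)

def _url_segment(value) -> str:
    """Percent-encode a value for use as a single URL path segment."""
    # safe="" leaves nothing unencoded, so '/', '?' and '#' cannot
    # break out of the segment or alter the path, query or fragment.
    return quote(str(value), safe="")

# Assumed whitelist for entity identifiers, mirroring the regex check the
# work log says entity_detail performs before rendering.
_ENTITY_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

def validate_entity_id(entity_id: str) -> bool:
    return _ENTITY_ID_RE.fullmatch(entity_id) is not None

def render_hypothesis_link_unsafe(hypothesis_id, title) -> str:
    """Pre-fix pattern: raw database values interpolated into HTML."""
    return f'<a href="/hypotheses/{hypothesis_id}" title="{title}">{title}</a>'

def render_hypothesis_link(hypothesis_id, title) -> str:
    """Hardened pattern: the ID goes through _url_segment() for the href,
    the title through _html_text() for both the attribute and the label."""
    return (
        f'<a href="/hypotheses/{_url_segment(hypothesis_id)}" '
        f'title="{_html_text(title)}">{_html_text(title)}</a>'
    )

if __name__ == "__main__":
    # Constructed sample values of the kind the regression tests cover.
    payload_title = "<script>alert(1)</script>"
    odd_id = "../admin?x=1#frag"
    print(render_hypothesis_link_unsafe(odd_id, payload_title))
    print(render_hypothesis_link(odd_id, payload_title))
    print(validate_entity_id("ENT_42"), validate_entity_id("ENT 42"))
```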

Already Resolved — 2026-04-24 16:00Z

Evidence: Verified _html_text() and _url_segment() helpers exist at api.py:177-184 on origin/main. html module imported on line 7. entity_detail validates input with regex whitelist before rendering. tests/test_html_output_safety.py passes (2/2 tests, run 2026-04-24). All three originally flagged vulnerability sites (hypothesis_detail, entity_detail, evidence rendering) confirmed hardened.

Commit on main: Work was squash-merged via prior task branch orchestra/task/93a2b028-xss-html-escaping. The helpers _html_text() and _url_segment() are present on origin/main (verified via git show origin/main:api.py | grep _html_text).

One-line summary: XSS helpers and html.escape coverage fully in place on main; regression tests pass 2/2.

File: 93a2b028_d93_spec.md
Modified: 2026-04-25 23:40
Size: 2.2 KB