SciDEX — Task: [Senate] Fix XSS vulnerabilities with html.escape(

Critical XSS vulnerabilities (H-1, H-2, H-3) in api.py. User-controlled data from database embedded in HTML without escaping. Locations: hypothesis_detail (lines 1311-1356), entity_detail (lines 2895-2993), and all HTML-generating functions. Import html.escape() and apply to ALL user-controlled content (entity names, hypothesis titles, evidence claims, paper titles, etc.) before embedding in HTML. See docs/planning/security_audit_2026-04-02.md for full details. ## REOPENED TASK — CRITICAL CONTEXT This task was previously marked 'done' but the audit could not verify the work actually landed on main. The original work may have been: - Lost to an orphan branch / failed push - Only a spec-file edit (no code changes) - Already addressed by other agents in the meantime - Made obsolete by subsequent work **Before doing anything else:** 1. **Re-evaluate the task in light of CURRENT main state.** Read the spec and the relevant files on origin/main NOW. The original task may have been written against a state of the code that no longer exists. 2. **Verify the task still advances SciDEX's aims.** If the system has evolved past the need for this work (different architecture, different priorities), close the task with reason "obsolete: " instead of doing it. 3. **Check if it's already done.** Run `git log --grep=''` and read the related commits. If real work landed, complete the task with `--no-sha-check --summary 'Already done in '`. 4. **Make sure your changes don't regress recent functionality.** Many agents have been working on this codebase. Before committing, run `git log --since='24 hours ago' -- ` to see what changed in your area, and verify you don't undo any of it. 5. **Stay scoped.** Only do what this specific task asks for. Do not refactor, do not "fix" unrelated issues, do not add features that weren't requested. Scope creep at this point is regression risk. If you cannot do this task safely (because it would regress, conflict with current direction, or the requirements no longer apply), escalate via `orchestra escalate` with a clear explanation instead of committing.

Completion Notes

Auto-completed by supervisor after successful deploy to main

Git Commits (9)

[Verify] XSS vulnerabilities with html.escape() — already resolved [task:93a2b028-d931-457a-8c26-94e7d7bfff22]2026-04-24

[Senate] api.py harden HTML escaping in key pages [task:93a2b028-d931-457a-8c26-94e7d7bfff22]2026-04-20

[Senate] Harden HTML attribute escaping [task:93a2b028-d931-457a-8c26-94e7d7bfff22]2026-04-20

[Senate] api.py harden HTML escaping in key pages [task:93a2b028-d931-457a-8c26-94e7d7bfff22]2026-04-20

[Senate] Harden HTML escaping in key pages [task:93a2b028-d931-457a-8c26-94e7d7bfff22]2026-04-20

[Senate] Escape hypothesis and entity HTML sinks [task:93a2b028-d93]2026-04-20

[Senate] Harden HTML escaping in entity and hypothesis pages [task:93a2b028-d931-457a-8c26-94e7d7bfff22]2026-04-20

Spec File

[Senate] Fix XSS vulnerabilities with html.escape() in all HTML responses

ID: 93a2b028-d93 Priority: 95 Type: one_shot Status: resolved

Goal

Acceptance Criteria

☑ Concrete deliverables created

☑ Work log updated with timestamped entry

Work Log

2026-04-21 02:30 UTC - Slot 40

Re-evaluated the reopened XSS task against current api.py; broad html.escape() coverage already exists, but several Exchange, hypothesis detail, and entity detail HTML builders still used raw IDs/metadata in URL attributes or labels.
Added _html_text() and _url_segment() helpers for text/attribute escaping and URL path segment encoding.
Hardened raw hypothesis IDs, debate IDs, wiki slugs, experiment IDs, PMIDs, market event labels, evidence matrix fields, and version-history change reasons in the named HTML routes.
Added tests/test_html_output_safety.py regression coverage for script payload escaping and URL segment encoding.

Already Resolved — 2026-04-24 16:00Z

Evidence: Verified _html_text() and _url_segment() helpers exist at api.py:177-184 on origin/main. html module imported on line 7. entity_detail validates input with regex whitelist before rendering. tests/test_html_output_safety.py passes (2/2 tests, run 2026-04-24). All three originally flagged vulnerability sites (hypothesis_detail, entity_detail, evidence rendering) confirmed hardened.

Commit on main: Work was squash-merged via prior task branch orchestra/task/93a2b028-xss-html-escaping. The helpers _html_text() and _url_segment() are present on origin/main (verified via git show origin/main:api.py | grep _html_text).

One-line summary: XSS helpers and html.escape coverage fully in place on main; regression tests pass 2/2.

Payload JSON

{
  "requirements": {
    "coding": 9,
    "safety": 10
  },
  "completion_shas": [
    "2f0a18042bdf05df1257c38a751895235608772c"
  ],
  "completion_shas_checked_at": "2026-04-21T02:35:34.349644+00:00"
}