Issue
src/components/ui/chart.tsx:81 uses dangerouslySetInnerHTML to render chart content:
<div dangerouslySetInnerHTML={{ __html: ... }} />
Why this matters
If any chart data (labels, tooltips, axis values) comes from user-submitted content like course names, professor names, or review text, malicious HTML could be injected. Even if data is currently from trusted sources, this creates a persistent XSS vector if the data source changes in the future.
Fix
Use DOMPurify or sanitize at the data layer before passing to the chart component.
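The data-layer approach suggested above, as an added example that is not part of this issue or the project's own chart.tsx: a hypothetical "before" that builds the `__html` string straight from user-supplied labels, beside a hardened version that escapes every label before it reaches the markup. `escapeHtml` is a minimal stand-in for `DOMPurify.sanitize`, the legend builders and the sample course names are constructed for the demo, and `containsForeignTag` is a small check a test suite could run to catch unexpected tags in rendered chart markup.

```typescript
// Added example, not the project's code. Shows the issue's recommended fix:
// sanitize chart data where it enters, before any string reaches
// dangerouslySetInnerHTML.

const ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Minimal HTML escaper. Assumption: stands in for DOMPurify.sanitize(value)
// so the example runs offline; in the app, DOMPurify is the drop-in here.
export function escapeHtml(value: string): string {
  return value.replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

export interface ChartDatum {
  label: string; // e.g. a course or professor name submitted by a user
  value: number;
}

// Hypothetical "before": label text is interpolated directly into the
// markup that would be handed to dangerouslySetInnerHTML={{ __html }}.
export function unsafeLegendHtml(data: ChartDatum[]): string {
  return data.map((d) => `<li>${d.label}: ${d.value}</li>`).join("");
}

// Hardened: sanitize at the data layer, so every consumer of the data
// (legend, tooltip, axis) receives labels that are already safe.
export function sanitizeChartData(data: ChartDatum[]): ChartDatum[] {
  return data.map((d) => ({ ...d, label: escapeHtml(d.label) }));
}

export function safeLegendHtml(data: ChartDatum[]): string {
  return unsafeLegendHtml(sanitizeChartData(data));
}

// Detection check for tests: true if the markup contains any element other
// than the <li> tags this legend is expected to emit.
export function containsForeignTag(html: string): boolean {
  return /<(?!\/?li\b)[a-zA-Z]/.test(html);
}

// Constructed sample: one benign label and one review-style label carrying
// an injected tag, as would happen if a data source became user-controlled.
export const sampleData: ChartDatum[] = [
  { label: "CS101", value: 42 },
  { label: "<img src=x onerror=alert(1)>Intro to Algorithms", value: 17 },
];

// Stand-alone run: the unsafe path leaks the tag, the safe path does not.
console.log("unsafe contains foreign tag:", containsForeignTag(unsafeLegendHtml(sampleData)));
console.log("safe contains foreign tag:  ", containsForeignTag(safeLegendHtml(sampleData)));
```

Escaping at the data layer rather than at the render site means a future tooltip or axis component cannot reintroduce the vector by forgetting to sanitize; the check in `containsForeignTag` is the kind of assertion worth keeping in the component's tests after the fix lands.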