Fix multiple bugs: XSS vulnerabilities, operator precedence, event listener loss, race condition#2180
Merged
robgruen merged 8 commits intomicrosoft:mainfrom Apr 17, 2026
Merged
Conversation
…e condition
- Fix XSS in browserViewManager.ts: HTML-escape URLs and error messages
before interpolating into innerHTML via executeJavaScript (3 locations)
- Fix operator precedence bug in videoActionHandler.ts: `+` has higher
precedence than `??`, making `failure_reason ?? ""` dead code. Added
parentheses to correct the logic
- Fix unhandled promise rejection in setContent.ts: added .catch() handler
for CSS loading in iframe so content is still shown on fetch failure
- Fix event listener loss in setContent.ts: replaced `innerHTML +=` with
`insertAdjacentHTML("beforeend")` to avoid destroying existing DOM nodes
and their event listeners
- Fix race condition in webSocketAPI.ts: added `reconnecting` flag to
prevent multiple concurrent reconnection attempts on rapid socket closes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
hobostay
had a problem deploying
to
development-fork
GitHub Actions
Error
hobostay
had a problem deploying
to
development-fork
GitHub Actions
Error
robgruen
reviewed
Apr 10, 2026
Copilot AI
added a commit
that referenced
this pull request
Apr 16, 2026
Agent-Logs-Url: https://github.com/microsoft/TypeAgent/sessions/e65742f5-670a-4899-9452-a1f025baa47c Co-authored-by: robgruen <25374553+robgruen@users.noreply.github.com>
Copilot AI
added a commit
that referenced
this pull request
Apr 16, 2026
# Conflicts: # ts/packages/agents/video/src/videoActionHandler.ts # ts/packages/shell/src/main/browserViewManager.ts Co-authored-by: robgruen <25374553+robgruen@users.noreply.github.com>
3 tasks
robgruen
had a problem deploying
to
development-fork
GitHub Actions
Failure
robgruen
had a problem deploying
to
development-fork
GitHub Actions
Failure
robgruen
temporarily deployed
to
development-fork
GitHub Actions
Inactive
robgruen
temporarily deployed
to
development-fork
GitHub Actions
Inactive
Agent-Logs-Url: https://github.com/microsoft/TypeAgent/sessions/d6510a30-b468-42e7-8f55-54a2149c34f1 Co-authored-by: robgruen <25374553+robgruen@users.noreply.github.com>
robgruen
had a problem deploying
to
development-fork
GitHub Actions
Error
robgruen
had a problem deploying
to
development-fork
GitHub Actions
Error
robgruen
had a problem deploying
to
development-fork
GitHub Actions
Error
robgruen
had a problem deploying
to
development-fork
GitHub Actions
Error
robgruen
temporarily deployed
to
development-fork
GitHub Actions
Inactive
robgruen
temporarily deployed
to
development-fork
GitHub Actions
Inactive
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fix XSS in
browserViewManager.ts: Three locations directly interpolated URLs and error descriptions intodocument.body.innerHTMLviaexecuteJavaScriptwithout escaping. Malicious URLs containing<script>tags or HTML entities could execute arbitrary JavaScript in the Electron renderer. Fixed by HTML-escaping all interpolated values before use.Fix operator precedence bug in
videoActionHandler.ts: The expression"text" + statusData.failure_reason ?? ""evaluates as("text" + statusData.failure_reason) ?? ""because+has higher precedence than??. This makes the nullish coalescing operator dead code — whenfailure_reasonisundefined, the string"undefined"is displayed instead of an empty string. Added parentheses:(statusData.failure_reason ?? "").Fix unhandled promise rejection in
setContent.ts: ThePromise.all(promises).then(...)for loading CSS into iframes has no.catch()handler. If any CSS fetch fails, the iframe never getssrcdoccontent at all. Added a.catch()that renders the message content even without CSS.Fix event listener loss in
setContent.ts:contentElm.innerHTML += contentHtmlserializes and re-parses the entire DOM, destroying all existing event listeners on child elements (including previously-attached link click handlers). Replaced withinsertAdjacentHTML("beforeend")which preserves existing DOM nodes.Fix race condition in
webSocketAPI.ts: Theonclosehandler unconditionally callscreateWebSocket()whenautoReconnectis true. If the socket closes rapidly multiple times (e.g., network flapping), multiple concurrent reconnection attempts are spawned, potentially creating duplicate WebSocket connections. Added areconnectingflag to serialize reconnection attempts.Test plan
failure_reasonis undefined vs set🤖 Generated with Claude Code