fix: sanitize event type text in Gmail dropdown (calcom#27533)

pedroccastro · web-flow · commit 5dfa1dfd74fa · 2026-02-04T02:10:04.000+05:30
- Add shared escapeHtml utility function
 - Apply text sanitization to title/description in content.ts
 - Refactor linkedin.ts to use shared utility
diff --git a/companion/extension/entrypoints/content.ts b/companion/extension/entrypoints/content.ts
@@ -1,6 +1,7 @@
 /// <reference types="chrome" />
 import { initGoogleCalendarIntegration } from "../lib/google-calendar";
 import { initLinkedInIntegration } from "../lib/linkedin";
+import { escapeHtml } from "../lib/utils";
 
 /**
  * Development-only logging utility for content scripts.
@@ -964,7 +965,7 @@ export default defineContentScript({
 
                   contentWrapper.innerHTML = `
                     <div style="display: flex; align-items: center; margin-bottom: 6px; overflow: hidden;">
-                      <span style="color: #3c4043; font-weight: 500; font-size: 14px; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; display: block;">${title}</span>
+                      <span style="color: #3c4043; font-weight: 500; font-size: 14px; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; display: block;">${escapeHtml(title)}</span>
                     </div>
                     <div style="display: flex; align-items: center; gap: 8px; overflow: hidden;">
                       <span style="
@@ -983,7 +984,7 @@ export default defineContentScript({
                       </span>
                       ${
                         description
-                          ? `<span style="color: #5f6368; font-size: 12px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; flex: 1; min-width: 0;">${description}</span>`
+                          ? `<span style="color: #5f6368; font-size: 12px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; flex: 1; min-width: 0;">${escapeHtml(description)}</span>`
                           : ""
                       }
                     </div>
@@ -1714,7 +1715,7 @@ export default defineContentScript({
 
               contentWrapper.innerHTML = `
                 <div style="display: flex; align-items: center; margin-bottom: 6px; overflow: hidden;">
-                  <span style="color: #3c4043; font-weight: 500; font-size: 14px; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; display: block;">${title}</span>
+                  <span style="color: #3c4043; font-weight: 500; font-size: 14px; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; display: block;">${escapeHtml(title)}</span>
                 </div>
                 <div style="display: flex; align-items: center; gap: 8px; overflow: hidden;">
                   <span style="
@@ -1733,7 +1734,7 @@ export default defineContentScript({
                   </span>
                   ${
                     description
-                      ? `<span style="color: #5f6368; font-size: 12px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; flex: 1; min-width: 0;">${description}</span>`
+                      ? `<span style="color: #5f6368; font-size: 12px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; flex: 1; min-width: 0;">${escapeHtml(description)}</span>`
                       : ""
                   }
                 </div>
diff --git a/companion/extension/lib/linkedin.ts b/companion/extension/lib/linkedin.ts
@@ -1,4 +1,5 @@
 /// <reference types="chrome" />
+import { escapeHtml } from "./utils";
 
 // LinkedIn integration: inject a Cal.com scheduling button in LinkedIn messaging
 
@@ -951,15 +952,6 @@ export function initLinkedInIntegration() {
   }
 
   // ============================================================================
-  // Utility Functions
-  // ============================================================================
-
-  function escapeHtml(text: string): string {
-    const div = document.createElement("div");
-    div.textContent = text;
-    return div.innerHTML;
-  }
-
   // ============================================================================
   // Initialization
   // ============================================================================
diff --git a/companion/extension/lib/utils.ts b/companion/extension/lib/utils.ts
@@ -0,0 +1,10 @@
+/**
+ * Escapes HTML special characters to prevent XSS attacks.
+ * Uses the browser's built-in text encoding via textContent.
+ */
+export function escapeHtml(text: string): string {
+  if (typeof text !== "string") return "";
+  const div = document.createElement("div");
+  div.textContent = text;
+  return div.innerHTML;
+}
