fix(security): replace innerHTML with DOM APIs for file upload preview

Yuriy Bezsonov · Yuriy Bezsonov · commit f5c2a0f80c23 · 2026-05-01T11:44:13.000+02:00
Use createElement/textContent instead of innerHTML with user input (file.name) to eliminate XSS through DOM vulnerability. Resolves code scanning alerts #41-46.
diff --git a/samples/quality-assurance/ai-agent/src/main/resources/templates/chat-working.html b/samples/quality-assurance/ai-agent/src/main/resources/templates/chat-working.html
@@ -341,15 +341,28 @@ <h1 class="text-3xl font-bold text-dev-accent">🤖 AI Agent</h1>
                 messageDiv.innerHTML = `
                     <div class="ml-auto flex">
                         <div class="message-bubble-user rounded-lg p-3 max-w-3xl">
-                            <button class="copy-button" data-copy-text="File attached: ${escapeHtml(file.name)}">📋</button>
-                            <p class="text-light-text dark:text-dev-text mb-2">📎 File attached: ${escapeHtml(file.name)}</p>
-                            <img src="${imageUrl}" alt="${escapeHtml(file.name)}" class="max-w-full max-h-64 rounded border border-light-border dark:border-dev-border cursor-pointer hover:opacity-80 transition" onclick="openImageModal('${imageUrl}')" />
                         </div>
                         <div class="w-10 h-10 rounded-full bg-dev-secondary bg-opacity-20 flex items-center justify-center ml-3">
                             <span class="text-lg">👤</span>
                         </div>
                     </div>
                 `;
+                const bubble = messageDiv.querySelector('.message-bubble-user');
+                const copyBtn = document.createElement('button');
+                copyBtn.className = 'copy-button';
+                copyBtn.dataset.copyText = 'File attached: ' + file.name;
+                copyBtn.textContent = '📋';
+                bubble.appendChild(copyBtn);
+                const p = document.createElement('p');
+                p.className = 'text-light-text dark:text-dev-text mb-2';
+                p.textContent = '📎 File attached: ' + file.name;
+                bubble.appendChild(p);
+                const img = document.createElement('img');
+                img.src = imageUrl;
+                img.alt = file.name;
+                img.className = 'max-w-full max-h-64 rounded border border-light-border dark:border-dev-border cursor-pointer hover:opacity-80 transition';
+                img.addEventListener('click', function() { openImageModal(imageUrl); });
+                bubble.appendChild(img);
                 messageContainer.appendChild(messageDiv);
                 messageContainer.scrollTop = messageContainer.scrollHeight;
             }
diff --git a/samples/quality-assurance/ai-agent/src/main/resources/templates/chat.html b/samples/quality-assurance/ai-agent/src/main/resources/templates/chat.html
@@ -341,15 +341,28 @@ <h1 class="text-3xl font-bold text-dev-accent">🤖 AI Agent</h1>
                 messageDiv.innerHTML = `
                     <div class="ml-auto flex">
                         <div class="message-bubble-user rounded-lg p-3 max-w-3xl">
-                            <button class="copy-button" data-copy-text="File attached: ${escapeHtml(file.name)}">📋</button>
-                            <p class="text-light-text dark:text-dev-text mb-2">📎 File attached: ${escapeHtml(file.name)}</p>
-                            <img src="${imageUrl}" alt="${escapeHtml(file.name)}" class="max-w-full max-h-64 rounded border border-light-border dark:border-dev-border cursor-pointer hover:opacity-80 transition" onclick="openImageModal('${imageUrl}')" />
                         </div>
                         <div class="w-10 h-10 rounded-full bg-dev-secondary bg-opacity-20 flex items-center justify-center ml-3">
                             <span class="text-lg">👤</span>
                         </div>
                     </div>
                 `;
+                const bubble = messageDiv.querySelector('.message-bubble-user');
+                const copyBtn = document.createElement('button');
+                copyBtn.className = 'copy-button';
+                copyBtn.dataset.copyText = 'File attached: ' + file.name;
+                copyBtn.textContent = '📋';
+                bubble.appendChild(copyBtn);
+                const p = document.createElement('p');
+                p.className = 'text-light-text dark:text-dev-text mb-2';
+                p.textContent = '📎 File attached: ' + file.name;
+                bubble.appendChild(p);
+                const img = document.createElement('img');
+                img.src = imageUrl;
+                img.alt = file.name;
+                img.className = 'max-w-full max-h-64 rounded border border-light-border dark:border-dev-border cursor-pointer hover:opacity-80 transition';
+                img.addEventListener('click', function() { openImageModal(imageUrl); });
+                bubble.appendChild(img);
                 messageContainer.appendChild(messageDiv);
                 messageContainer.scrollTop = messageContainer.scrollHeight;
             }
diff --git a/samples/security/apikey/ai-agent/src/main/resources/templates/chat-working.html b/samples/security/apikey/ai-agent/src/main/resources/templates/chat-working.html
@@ -341,15 +341,28 @@ <h1 class="text-3xl font-bold text-dev-accent">🤖 AI Agent</h1>
                 messageDiv.innerHTML = `
                     <div class="ml-auto flex">
                         <div class="message-bubble-user rounded-lg p-3 max-w-3xl">
-                            <button class="copy-button" data-copy-text="File attached: ${escapeHtml(file.name)}">📋</button>
-                            <p class="text-light-text dark:text-dev-text mb-2">📎 File attached: ${escapeHtml(file.name)}</p>
-                            <img src="${imageUrl}" alt="${escapeHtml(file.name)}" class="max-w-full max-h-64 rounded border border-light-border dark:border-dev-border cursor-pointer hover:opacity-80 transition" onclick="openImageModal('${imageUrl}')" />
                         </div>
                         <div class="w-10 h-10 rounded-full bg-dev-secondary bg-opacity-20 flex items-center justify-center ml-3">
                             <span class="text-lg">👤</span>
                         </div>
                     </div>
                 `;
+                const bubble = messageDiv.querySelector('.message-bubble-user');
+                const copyBtn = document.createElement('button');
+                copyBtn.className = 'copy-button';
+                copyBtn.dataset.copyText = 'File attached: ' + file.name;
+                copyBtn.textContent = '📋';
+                bubble.appendChild(copyBtn);
+                const p = document.createElement('p');
+                p.className = 'text-light-text dark:text-dev-text mb-2';
+                p.textContent = '📎 File attached: ' + file.name;
+                bubble.appendChild(p);
+                const img = document.createElement('img');
+                img.src = imageUrl;
+                img.alt = file.name;
+                img.className = 'max-w-full max-h-64 rounded border border-light-border dark:border-dev-border cursor-pointer hover:opacity-80 transition';
+                img.addEventListener('click', function() { openImageModal(imageUrl); });
+                bubble.appendChild(img);
                 messageContainer.appendChild(messageDiv);
                 messageContainer.scrollTop = messageContainer.scrollHeight;
             }
diff --git a/samples/security/apikey/ai-agent/src/main/resources/templates/chat.html b/samples/security/apikey/ai-agent/src/main/resources/templates/chat.html
@@ -341,15 +341,28 @@ <h1 class="text-3xl font-bold text-dev-accent">🤖 AI Agent</h1>
                 messageDiv.innerHTML = `
                     <div class="ml-auto flex">
                         <div class="message-bubble-user rounded-lg p-3 max-w-3xl">
-                            <button class="copy-button" data-copy-text="File attached: ${escapeHtml(file.name)}">📋</button>
-                            <p class="text-light-text dark:text-dev-text mb-2">📎 File attached: ${escapeHtml(file.name)}</p>
-                            <img src="${imageUrl}" alt="${escapeHtml(file.name)}" class="max-w-full max-h-64 rounded border border-light-border dark:border-dev-border cursor-pointer hover:opacity-80 transition" onclick="openImageModal('${imageUrl}')" />
                         </div>
                         <div class="w-10 h-10 rounded-full bg-dev-secondary bg-opacity-20 flex items-center justify-center ml-3">
                             <span class="text-lg">👤</span>
                         </div>
                     </div>
                 `;
+                const bubble = messageDiv.querySelector('.message-bubble-user');
+                const copyBtn = document.createElement('button');
+                copyBtn.className = 'copy-button';
+                copyBtn.dataset.copyText = 'File attached: ' + file.name;
+                copyBtn.textContent = '📋';
+                bubble.appendChild(copyBtn);
+                const p = document.createElement('p');
+                p.className = 'text-light-text dark:text-dev-text mb-2';
+                p.textContent = '📎 File attached: ' + file.name;
+                bubble.appendChild(p);
+                const img = document.createElement('img');
+                img.src = imageUrl;
+                img.alt = file.name;
+                img.className = 'max-w-full max-h-64 rounded border border-light-border dark:border-dev-border cursor-pointer hover:opacity-80 transition';
+                img.addEventListener('click', function() { openImageModal(imageUrl); });
+                bubble.appendChild(img);
                 messageContainer.appendChild(messageDiv);
                 messageContainer.scrollTop = messageContainer.scrollHeight;
             }
diff --git a/samples/security/oauth/ai-agent/src/main/resources/templates/chat-working.html b/samples/security/oauth/ai-agent/src/main/resources/templates/chat-working.html
@@ -341,15 +341,28 @@ <h1 class="text-3xl font-bold text-dev-accent">🤖 AI Agent</h1>
                 messageDiv.innerHTML = `
                     <div class="ml-auto flex">
                         <div class="message-bubble-user rounded-lg p-3 max-w-3xl">
-                            <button class="copy-button" data-copy-text="File attached: ${escapeHtml(file.name)}">📋</button>
-                            <p class="text-light-text dark:text-dev-text mb-2">📎 File attached: ${escapeHtml(file.name)}</p>
-                            <img src="${imageUrl}" alt="${escapeHtml(file.name)}" class="max-w-full max-h-64 rounded border border-light-border dark:border-dev-border cursor-pointer hover:opacity-80 transition" onclick="openImageModal('${imageUrl}')" />
                         </div>
                         <div class="w-10 h-10 rounded-full bg-dev-secondary bg-opacity-20 flex items-center justify-center ml-3">
                             <span class="text-lg">👤</span>
                         </div>
                     </div>
                 `;
+                const bubble = messageDiv.querySelector('.message-bubble-user');
+                const copyBtn = document.createElement('button');
+                copyBtn.className = 'copy-button';
+                copyBtn.dataset.copyText = 'File attached: ' + file.name;
+                copyBtn.textContent = '📋';
+                bubble.appendChild(copyBtn);
+                const p = document.createElement('p');
+                p.className = 'text-light-text dark:text-dev-text mb-2';
+                p.textContent = '📎 File attached: ' + file.name;
+                bubble.appendChild(p);
+                const img = document.createElement('img');
+                img.src = imageUrl;
+                img.alt = file.name;
+                img.className = 'max-w-full max-h-64 rounded border border-light-border dark:border-dev-border cursor-pointer hover:opacity-80 transition';
+                img.addEventListener('click', function() { openImageModal(imageUrl); });
+                bubble.appendChild(img);
                 messageContainer.appendChild(messageDiv);
                 messageContainer.scrollTop = messageContainer.scrollHeight;
             }
diff --git a/samples/security/oauth/ai-agent/src/main/resources/templates/chat.html b/samples/security/oauth/ai-agent/src/main/resources/templates/chat.html
@@ -341,15 +341,28 @@ <h1 class="text-3xl font-bold text-dev-accent">🤖 AI Agent</h1>
                 messageDiv.innerHTML = `
                     <div class="ml-auto flex">
                         <div class="message-bubble-user rounded-lg p-3 max-w-3xl">
-                            <button class="copy-button" data-copy-text="File attached: ${escapeHtml(file.name)}">📋</button>
-                            <p class="text-light-text dark:text-dev-text mb-2">📎 File attached: ${escapeHtml(file.name)}</p>
-                            <img src="${imageUrl}" alt="${escapeHtml(file.name)}" class="max-w-full max-h-64 rounded border border-light-border dark:border-dev-border cursor-pointer hover:opacity-80 transition" onclick="openImageModal('${imageUrl}')" />
                         </div>
                         <div class="w-10 h-10 rounded-full bg-dev-secondary bg-opacity-20 flex items-center justify-center ml-3">
                             <span class="text-lg">👤</span>
                         </div>
                     </div>
                 `;
+                const bubble = messageDiv.querySelector('.message-bubble-user');
+                const copyBtn = document.createElement('button');
+                copyBtn.className = 'copy-button';
+                copyBtn.dataset.copyText = 'File attached: ' + file.name;
+                copyBtn.textContent = '📋';
+                bubble.appendChild(copyBtn);
+                const p = document.createElement('p');
+                p.className = 'text-light-text dark:text-dev-text mb-2';
+                p.textContent = '📎 File attached: ' + file.name;
+                bubble.appendChild(p);
+                const img = document.createElement('img');
+                img.src = imageUrl;
+                img.alt = file.name;
+                img.className = 'max-w-full max-h-64 rounded border border-light-border dark:border-dev-border cursor-pointer hover:opacity-80 transition';
+                img.addEventListener('click', function() { openImageModal(imageUrl); });
+                bubble.appendChild(img);
                 messageContainer.appendChild(messageDiv);
                 messageContainer.scrollTop = messageContainer.scrollHeight;
             }
