Merge pull request #175 from rajbos/alert-autofix-22

Potential fix for code scanning alert no. 22: Client-side cross-site scripting

Author: rajbos

src/webview/diagnostics/main.ts

@@ -209,6 +209,17 @@ function getEditorStats(files: SessionFileDetails[]): { [key: string]: { count:
 	return stats;
 }
 
+function safeText(value: unknown): string {
+	if (value === null || value === undefined) {
+		return '';
+	}
+	if (typeof value === 'string') {
+		// Use existing HTML escaping to avoid XSS when inserting into innerHTML.
+		return escapeHtml(value);
+	}
+	return String(value);
+}
+
 function renderSessionTable(detailedFiles: SessionFileDetails[], isLoading: boolean = false): string {
 	if (isLoading) {
 		return `
@@ -234,7 +245,7 @@ function renderSessionTable(detailedFiles: SessionFileDetails[], isLoading: bool
 		: detailedFiles;
 
 	// Summary stats for filtered files
-	const totalInteractions = filteredFiles.reduce((sum, sf) => sum + sf.interactions, 0);
+	const totalInteractions = filteredFiles.reduce((sum, sf) => sum + Number(sf.interactions || 0), 0);
 	const totalContextRefs = filteredFiles.reduce((sum, sf) => sum + getTotalContextRefs(sf.contextReferences), 0);
 
 	// Sort filtered files