fix(web): prevent XSS in OAuth consent screen toast message

msukkari · claude · msukkari · commit 6cfe552a27bf · 2026-04-17T19:40:21.000-07:00
Replace dynamic `result.message` interpolation with a static string to fix CodeQL alert #33 (js/xss-through-exception, CWE-79/CWE-116). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/packages/web/src/app/oauth/authorize/components/consentScreen.tsx b/packages/web/src/app/oauth/authorize/components/consentScreen.tsx
@@ -50,7 +50,7 @@ export function ConsentScreen({
             window.location.href = result;
         } else {
             toast({
-                description: `❌ Failed to approve authorization. ${result.message}`,
+                description: '❌ Failed to approve authorization. Please try again.',
             });
         }
         setPending(null);

Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,7 @@ export function ConsentScreen({`
`50`	`50`	`window.location.href = result;`
`51`	`51`	`} else {`
`52`	`52`	`toast({`
`53`		- description: `❌ Failed to approve authorization. ${result.message}`,
	`53`	`+ description: '❌ Failed to approve authorization. Please try again.',`
`54`	`54`	`});`
`55`	`55`	`}`
`56`	`56`	`setPending(null);`