🛡️ Sentinel: [HIGH] Fix Stored XSS in HTML Output

[lucasew]

🚨 Severity: HIGH
💡 Vulnerability: Stored Cross-Site Scripting (XSS) in HTML output. The application was rendering HTML content from go-readability without adequate sanitization, allowing malicious tags (like <img onerror>) to execute scripts.
🎯 Impact: Attackers could inject arbitrary scripts into the readability view, potentially stealing cookies, redirecting users, or performing actions on their behalf.
🔧 Fix: Integrated github.com/microcosm-cc/bluemonday with UGCPolicy to sanitize the HTML content before rendering it in formatHTML and formatJSON.
✅ Verification: Added api/xss_test.go which reproduces the vulnerability and verifies that the fix strips malicious tags while preserving safe content. Verified via go test ./api.

---

PR created automatically by Jules for task 10982974786704419970 started by @lucasew

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
articleparser	Ready	Preview, Comment	Jan 27, 2026 7:29am

[gemini-code-assist]

Summary of Changes

Hello @lucasew, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a high-severity Stored Cross-Site Scripting (XSS) vulnerability by implementing robust HTML sanitization. It integrates the bluemonday library to clean potentially malicious HTML content before it is displayed to users or serialized into JSON responses. This significantly enhances the application's security posture by preventing the injection and execution of arbitrary scripts, ensuring that all user-controlled HTML output is safe.

Highlights

• Stored XSS Vulnerability Fix: The application was vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient sanitization of HTML content originating from the go-readability library. This allowed malicious tags (e.g., <img onerror>) to execute scripts. The fix integrates github.com/microcosm-cc/bluemonday with its UGCPolicy to explicitly sanitize HTML content before it is rendered in formatHTML and formatJSON.
• New XSS Test Case: A new test file, api/xss_test.go, has been added. This test reproduces the identified XSS vulnerability and verifies that the bluemonday sanitizer effectively strips malicious tags and attributes (like <script>, onerror, and javascript: URIs) while preserving safe HTML content, ensuring the fix is robust.
• Documentation Update: The .jules/sentinel.md file has been updated with a new entry detailing the Stored XSS vulnerability, the lessons learned about relying solely on parsing libraries for security, and the prevention strategy implemented using bluemonday.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request correctly addresses a stored XSS vulnerability by introducing HTML sanitization using bluemonday. The implementation is sound, applying sanitization to both HTML and JSON outputs. The addition of a new test file to verify the fix is a great step. I've suggested an improvement to the test to also cover the JSON output format, ensuring the fix is fully validated.

[gemini-code-assist]

The security fix for XSS was applied to both formatHTML and formatJSON. This test currently only validates the formatHTML output. To ensure complete test coverage for the fix, you should also verify the output of formatJSON.

A good way to achieve this is by refactoring the test to be table-driven, which would allow you to easily test multiple formatters with the same setup logic. This also makes it easier to add tests for other formatters in the future.

import (
	"bytes"
	"context"
	"encoding/json"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"testing"
)

func TestXSSVulnerability(t *testing.T) {
	// Malicious HTML payload
	htmlBody := `
<!DOCTYPE html>
<html>
<head><title>XSS Test</title></head>
<body>
	<h1>XSS Test</h1>
	<p>Safe content</p>
	<script>alert('XSS')</script>
	<img src="x" onerror="alert('img XSS')">
	<a href="javascript:alert('link XSS')">Click me</a>
</body>
</html>`

	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := w.Write([]byte(htmlBody)); err != nil {
			t.Errorf("failed to write response: %v", err)
		}
	}))
	defer srv.Close()

	// Override httpClient
	oldClient := httpClient
	httpClient = srv.Client()
	defer func() { httpClient = oldClient }()

	u, err := url.Parse(srv.URL)
	if err != nil {
		t.Fatalf("failed to parse server URL: %v", err)
	}

	ctx := context.Background()
	req := httptest.NewRequest("GET", "/", nil)

	// Fetch and parse
	art, err := fetchAndParse(ctx, u, req)
	if err != nil {
		t.Fatalf("fetchAndParse failed: %v", err)
	}

	contentBuf := &bytes.Buffer{}
	if err := art.RenderHTML(contentBuf); err != nil {
		t.Fatalf("failed to render HTML: %v", err)
	}

	testCases := []struct {
		name       string
		formatFunc formatHandler
		getContent func(t *testing.T, resp *http.Response) string
	}{
		{
			name:       "HTML format",
			formatFunc: formatHTML,
			getContent: func(t *testing.T, resp *http.Response) string {
				body, err := io.ReadAll(resp.Body)
				if err != nil {
					t.Fatalf("failed to read response body: %v", err)
				}
				return string(body)
			},
		},
		{
			name:       "JSON format",
			formatFunc: formatJSON,
			getContent: func(t *testing.T, resp *http.Response) string {
				var data map[string]string
				if err := json.NewDecoder(resp.Body).Decode(&data); err != nil {
					t.Fatalf("failed to decode json response: %v", err)
				}
				return data["content"]
			},
		},
	}

	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			rec := httptest.NewRecorder()
			tc.formatFunc(rec, art, contentBuf)
			content := tc.getContent(t, rec.Result())

			// Check for XSS vectors
			t.Logf("Rendered content in %s: %s", tc.name, content)

			if strings.Contains(content, "<script>") {
				t.Error("VULNERABILITY: <script> tag not stripped")
			}
			if strings.Contains(content, "onerror") {
				t.Error("VULNERABILITY: onerror handler not stripped")
			}
			if strings.Contains(content, "javascript:") {
				t.Error("VULNERABILITY: javascript: URI not stripped")
			}
		})
	}
}