From 0ea491c1aa9f2d9389e8ae358dc5df785975a8b2 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
<161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 20 May 2026 04:48:56 +0000
Subject: [PATCH] Fix XSS vulnerability in VerificationRequest events
Co-authored-by: kevinaboos <1139460+kevinaboos@users.noreply.github.com>
---
.jules/sentinel.md | 4 ++++
src/event_preview.rs | 2 +-
src/home/room_screen.rs | 2 +-
3 files changed, 6 insertions(+), 2 deletions(-)
create mode 100644 .jules/sentinel.md
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 000000000..fb55411af
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2026-05-20 - [XSS vulnerability in VerificationRequest events]
+ **Vulnerability:** Unescaped HTML injection in VerificationRequest message preview and display.
+ **Learning:** User-controlled input in matrix events was directly interpolated into HTML strings via format!.
+ **Prevention:** Ensure all user input is sanitized using htmlize::escape_text before being used in format strings passed to show_html.
diff --git a/src/event_preview.rs b/src/event_preview.rs
index be1581e6b..e2f499e51 100644
--- a/src/event_preview.rs
+++ b/src/event_preview.rs
@@ -285,7 +285,7 @@ fn text_preview_of_message(
}
MessageType::VerificationRequest(verification) => format!(
"[Verification Request] to user {}",
- verification.to,
+ htmlize::escape_text(verification.to.as_str()),
),
MessageType::Video(video) => format!(
"[Video]: {}",
diff --git a/src/home/room_screen.rs b/src/home/room_screen.rs
index 852f4c0fa..e7e48a82d 100644
--- a/src/home/room_screen.rs
+++ b/src/home/room_screen.rs
@@ -3377,7 +3377,7 @@ fn populate_message_view(
format: MessageFormat::Html,
body: format!(
"Sent a verification request to {}.
(Supported methods: {})",
- verification.to,
+ htmlize::escape_text(verification.to.as_str()),
verification.methods
.iter()
.map(|m| m.as_str())
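Review bot: The `verification.methods` list interpolated into the same `MessageFormat::Html` body is left unescaped, even though it comes from the same untrusted event content as `verification.to`; if the SDK's verification-method type preserves unrecognized methods as raw strings (ruma's `VerificationMethod` does, through its custom variant), an attacker controls that text too. The fix should apply the same escaping to each method before it is joined, e.g. `.map(|m| htmlize::escape_text(m.as_str()))`, or escape the joined string once before it reaches `format!`. Note that `htmlize::escape_text` returns a `Cow<str>`, so the `collect`/`join` that follows this closure may need an `.into_owned()` to keep compiling. The `format!` call and the iterator chain continue outside the hunk, so the exact shape of that change depends on lines not shown here.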