project-robius · kevinaboos · May 20, 2026
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2026-05-20 - [XSS vulnerability in VerificationRequest events]
+ **Vulnerability:** Unescaped HTML injection in VerificationRequest message preview and display.
+ **Learning:** User-controlled input in matrix events was directly interpolated into HTML strings via format!.
+ **Prevention:** Ensure all user input is sanitized using htmlize::escape_text before being used in format strings passed to show_html.
diff --git a/src/event_preview.rs b/src/event_preview.rs
@@ -285,7 +285,7 @@ fn text_preview_of_message(
         }
         MessageType::VerificationRequest(verification) => format!(
             "[Verification Request] <i>to user {}</i>",
-            verification.to,
+            htmlize::escape_text(verification.to.as_str()),
         ),
         MessageType::Video(video) => format!(
             "[Video]: <i>{}</i>",

diff --git a/src/home/room_screen.rs b/src/home/room_screen.rs
@@ -3377,7 +3377,7 @@ fn populate_message_view(
                             format: MessageFormat::Html,
                             body: format!(
                                 "<i>Sent a <b>verification request</b> to {}.<br>(Supported methods: {})</i>",
-                                verification.to,
+                                htmlize::escape_text(verification.to.as_str()),
                                 verification.methods
                                     .iter()
                                     .map(|m| m.as_str())