fix(eventViewer): remove double HTML encoding of ampersands #29
Open
mecham-lynn wants to merge 8 commits into master from
…ped ampersands
The event viewer was using jQuery's $('<div/>').text(...).html() to
HTML-encode the JSON payload before rendering it in JSX. Since React
already escapes text content when rendering with {detailString}, this
caused double-encoding — ampersands appeared as &amp; instead of &.
Removed the jQuery encoding step so JSON.stringify output is passed
directly to React, which handles escaping correctly.
Task: ES-2911
The event viewer was HTML-encoding JSON payloads via jQuery and then
rendering them with React's {text} interpolation, which escapes HTML
entities a second time. This caused ampersands to display as &amp;
and also prevented S3 links from rendering as clickable <a> tags.
Switch to dangerouslySetInnerHTML so the pre-encoded HTML (with
jQuery's XSS-safe entity encoding) is rendered directly by the
browser. This fixes both the double-encoded ampersands and the
broken S3 link rendering.
Task: ES-2911
Cursor Bugbot has reviewed your changes and found 1 potential issue.
✅ Snyk checks have passed. No issues have been found so far.
…mpersands
Revert dangerouslySetInnerHTML approach in favor of a simpler fix:
just remove the jQuery .text().html() encoding and let React's
built-in JSX escaping handle XSS protection. This avoids the
fragility of dangerouslySetInnerHTML with external event data.
S3 link rendering (already broken before this change) is left as-is
since React escapes the <a> tags injected by the regex replacement.
This can be addressed separately if needed.
Task: ES-2911
Covers local dev setup, architecture, coding conventions, build/deploy, domain context, and known gotchas for the bus-ui (Leo Botmon) project.
Task: ES-2911
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Task: ES-2911
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The view template now falls back to leo.cognito.id when CognitoId is not injected via CloudFormation, enabling local development.
Task: ES-2911
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…lity
Bundling aws-sdk into Lambda zips (required for Node 20 runtime) increases cold start memory usage. 256MB is no longer sufficient.
Task: ES-2911
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
$('<div/>').text(...).html()) that caused ampersand characters to display as &amp; on the event view page
Task Reference
Changes Made
ui/js/components/tabs/eventViewer.jsx (line 424): Replaced $('<div/>').text(JSON.stringify(detail, null, 4)).html() with JSON.stringify(detail, null, 4)
Root Cause
The event viewer was HTML-encoding JSON payload text via jQuery before passing it to a React <pre> element. Since React auto-escapes text content in JSX expressions ({detailString}), the & characters were being escaped twice: first by jQuery (& → &amp;) and then displayed literally by React.
Testing
& characters
& (not &amp;)
<, >, ") still display correctly in event payloads
Checklist
Note
Medium Risk
Moderate risk because it changes runtime bootstrap config for Cognito/region selection and increases Lambda memory allocations, which can affect authentication behavior and cost/performance characteristics.
Overview
Fixes event payload rendering in eventViewer.jsx by removing the jQuery HTML-encoding step and rendering the raw JSON.stringify output so characters like & no longer display as &amp;.
Updates the HTML bootstrap in views/index to accept additional sources for Cognito ID and region (fallback to leo.cognito.id and leo.region). Separately bumps configured Lambda memory from 256MB to 512MB across multiple API handlers (cron/bot CRUD, event settings, logs, settings, SNS, and system endpoints), and adds new agent documentation via AGENTS.md (referenced by CLAUDE.md).
Written by Cursor Bugbot for commit 5b26c64. This will update automatically on new commits.
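The double encoding described under Root Cause, as an added JavaScript sketch that is not part of the pull request or the bus-ui code. The helper names, the string-level model of jQuery's and React's escaping, and the sample event are assumptions made for illustration.

```javascript
// Added illustration: helper names and the sample event are constructed,
// not taken from bus-ui.

// Approximates $('<div/>').text(s).html(): serializing a text node
// escapes &, < and > (quotes are left alone).
function jqueryTextHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Markup equivalent of a React text child such as <pre>{s}</pre>.
const REACT_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function reactTextMarkup(s) {
  return s.replace(/[&<>"']/g, (c) => REACT_ESCAPES[c]);
}

// What a browser shows for that markup: each entity is decoded exactly once.
const ENTITIES = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#x27;': "'" };
function displayedText(markup) {
  return markup.replace(/&(?:amp|lt|gt|quot|#x27);/g, (e) => ENTITIES[e]);
}

// preEncode=true models the old code path, false models the fix.
function render(detail, preEncode) {
  const json = JSON.stringify(detail, null, 4);
  const markup = reactTextMarkup(preEncode ? jqueryTextHtml(json) : json);
  return { json, markup, shown: displayedText(markup) };
}

const detail = { vendor: 'Tools & Parts', note: '<b>not markup</b>' }; // constructed event
const before = render(detail, true);  // jQuery encoding, then React escaping
const after = render(detail, false);  // React escaping only

console.log(before.shown);               // entities are visible to the user
console.log(after.shown === after.json); // payload is shown exactly as stored
console.log(after.markup.includes('<')); // no tag from the payload reaches the DOM
```

With a single escaping layer the payload is displayed verbatim and any markup inside event data stays inert text, which is the XSS property the revert commit relies on.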