
🔒 Fix DOM-based XSS in Settings Panel Webview#70

Merged
iotserver24 merged 1 commit into main from security-fix-xss-settings-panel-1556068275947901371
May 4, 2026

Conversation

@iotserver24 iotserver24 (Owner) commented May 4, 2026

🎯 What: Fixed a DOM-based Cross-Site Scripting (XSS) vulnerability in the Settings Panel webview where user-controlled strings (profiles and model names) were injected into the DOM via innerHTML.
⚠️ Risk: An attacker could potentially execute malicious scripts within the webview context if they can influence the configuration data (e.g., by providing a malicious profile name), potentially leading to unauthorized actions or data theft within the extension.
🛡️ Solution: Replaced innerHTML string concatenation with secure DOM manipulation using document.createElement and textContent. Functional property assignments were used for event handlers (onclick) instead of string-based HTML attributes.


PR created automatically by Jules for task 1556068275947901371 started by @iotserver24

Summary by CodeRabbit

  • Refactor
    • Improved the internal rendering logic of the settings panel UI for better code maintainability. No user-facing functionality changes.

@google-labs-jules

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@coderabbitai

coderabbitai Bot commented May 4, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 2208a6b and 4d75599.

📒 Files selected for processing (1)
  • packages/ext/src/providers/settings-panel-provider.ts

📝 Walkthrough

The settings panel provider refactors webview UI rendering in two locations: the active-profile dropdown and models list now use DOM element construction (createElement, appendChild) instead of HTML string concatenation and innerHTML assignment.

Changes

Settings Panel UI Rendering

Layer: DOM Construction
File(s): packages/ext/src/providers/settings-panel-provider.ts
Summary: Profile dropdown and models list are now populated by creating and appending DOM elements rather than building and assigning concatenated HTML strings. Profile selection marking and model click handlers are attached via properties instead of inline attributes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A rabbit hops through the DOM,
No more strings that cause alarm,
Elements spring forth with grace,
As the settings find their place.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name: Description check
Status: ⚠️ Warning
Explanation: The description provides a clear explanation of what was fixed, the security risk, and the solution implemented. However, it lacks required sections from the template such as Type of Change, Testing checklist, and other standard sections.
Resolution: Complete the description template by adding: Type of Change (bug fix), Related Issues, Testing section with checkboxes for tests run, and Checklist items confirming code review and testing performed.
✅ Passed checks (4 passed)
Title check (✅ Passed): The title clearly and specifically identifies the main change: fixing a DOM-based XSS vulnerability in the Settings Panel Webview, which directly aligns with the changeset modifications.
Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.


@iotserver24 iotserver24 marked this pull request as ready for review May 4, 2026 04:21
Copilot AI review requested due to automatic review settings May 4, 2026 04:21

Copilot AI left a comment


Pull request overview

This PR hardens the VS Code extension’s Settings Panel webview against DOM-based XSS by removing user-controlled string interpolation into innerHTML and replacing it with safe DOM node construction.

Changes:

  • Replaced innerHTML string concatenation for profile <select> option rendering with document.createElement('option') + textContent.
  • Replaced innerHTML + inline onclick HTML attributes for model list rendering with DOM elements that use textContent and function-based click handlers.

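The before/after pattern this PR describes, as an added example that is not the extension's own code. Function and element names are assumptions, and makeDoc is a constructed stand-in for the webview's `document` so the example runs under Node; in the real webview the global `document` is passed instead.

```javascript
// Added example (not the extension's own code). `doc` stands in for the webview's
// `document`; in the real webview the global `document` is passed instead.
const esc = s => String(s).replace(/[&<>]/g, c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' })[c]);
// Minimal constructed DOM stand-in: innerHTML stores raw markup (a real DOM would parse
// and execute it); textContent is serialized escaped, exactly as a browser would render it.
function makeDoc() {
  return {
    createElement(tag) {
      const el = { tag, children: [], textContent: '', raw: '', onclick: null };
      el.appendChild = c => { el.children.push(c); return c; };
      Object.defineProperties(el, {
        innerHTML: { set(h) { el.raw = h; el.children = []; },
                     get() { return el.raw + el.children.map(c => c.outerHTML).join(''); } },
        outerHTML: { get() { return `<${tag}>${esc(el.textContent)}${el.innerHTML}</${tag}>`; } },
      });
      return el;
    },
  };
}
// Before: profile names interpolated into markup, so a name containing tags becomes HTML.
function renderProfilesUnsafe(select, profiles, active) {
  select.innerHTML = profiles.map(p =>
    `<option value="${p}"${p === active ? ' selected' : ''}>${p}</option>`).join('');
  return select;
}
// After: nodes built with createElement; names only ever land in value/textContent.
function renderProfilesSafe(doc, select, profiles, active) {
  select.innerHTML = '';
  for (const p of profiles) {
    const opt = doc.createElement('option');
    opt.value = opt.textContent = p;
    opt.selected = p === active;
    select.appendChild(opt);
  }
  return select;
}
// After, for the models list: the click handler is a function property, not an onclick attribute string.
function renderModelsSafe(doc, list, models, onPick) {
  list.innerHTML = '';
  for (const m of models) {
    const li = doc.createElement('li');
    li.textContent = m;
    li.onclick = () => onPick(m);
    list.appendChild(li);
  }
}
// Constructed hostile profile/model name used to compare the two render paths.
const HOSTILE = '<img src=x onerror="alert(1)">';
```

Rendering `['default', HOSTILE]` through renderProfilesUnsafe yields raw `<img ...>` markup inside the select, while renderProfilesSafe yields `&lt;img ...&gt;` as inert option text.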

@iotserver24 iotserver24 merged commit 132ef15 into main May 4, 2026
9 checks passed
@iotserver24 iotserver24 deleted the security-fix-xss-settings-panel-1556068275947901371 branch May 4, 2026 04:24