🛡️ Sentinel: [HIGH] Fix XSS vulnerability in CitationAddModal

[aicoder2009]

🚨 Severity: HIGH
💡 Vulnerability: The CitationAddModal component was passing generatedCitation.html directly to dangerouslySetInnerHTML without prior sanitization, leading to a potential Cross-Site Scripting (XSS) vulnerability if the HTML was manipulated.
🎯 Impact: Attackers could execute arbitrary scripts in the user's session by crafting malicious citation payloads.
🔧 Fix: Integrated isomorphic-dompurify and used DOMPurify.sanitize() to filter the HTML before passing it to dangerouslySetInnerHTML, aligning with security practices used in the rest of the application.
✅ Verification: Ran pnpm test and ensured all tests passed successfully. A journal entry capturing this critical learning was added to .jules/sentinel.md.

---

PR created automatically by Jules for task 5313971321450276567 started by @aicoder2009

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
opencitation	Ready	Preview, Comment	May 1, 2026 6:09pm

[Copilot]

Pull request overview

Addresses a high-severity XSS risk in the wiki citation UI by sanitizing dynamically generated citation HTML before rendering it with React’s dangerouslySetInnerHTML.

Changes:

• Added isomorphic-dompurify usage to sanitize generatedCitation.html in CitationAddModal before rendering.
• Appended a new security learning entry to .jules/sentinel.md documenting the issue and prevention guidance.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
src/components/wiki/citation-add-modal.tsx	Sanitizes generated citation preview HTML via DOMPurify.sanitize() before rendering.
.jules/sentinel.md	Adds a dated journal entry describing the vulnerability and prevention guidance.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This prevention guidance is phrased too broadly: not every dangerouslySetInnerHTML usage should be wrapped with DOMPurify (e.g., src/app/layout.tsx uses it for a static inline script). Suggest rewording to clarify this applies to rendering dynamic/untrusted HTML (like formatted citations).

Suggested change

	**Prevention:** All instances of `dangerouslySetInnerHTML` in the application must be explicitly wrapped with `DOMPurify.sanitize()` (via `isomorphic-dompurify`), even for preview components. This ensures defense-in-depth against XSS.
	**Prevention:** Any dynamic or untrusted HTML rendered via `dangerouslySetInnerHTML` (including formatted citation HTML and preview content) must be sanitized with `DOMPurify.sanitize()` via `isomorphic-dompurify` before rendering. This guidance applies to data-driven HTML, not necessarily to static, developer-controlled inline content.