You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
While reviewing #4464, the code-reviewer flagged a second, pre-existing code path in `server/public/adagents-builder.html` around lines 5402-5413 (the legacy "quick-add" form, separate from the main builder state):
It interpolates `agent.url`, `agent.authorized_for`, and property IDs straight into `innerHTML` with no `escapeHtml()`. The path consumes an `adagents.json` fetched by domain — a malicious file can XSS the admin user.
Work
Decide whether the quick-add form is still needed (the main builder flow has eclipsed it).
If kept: rewrite to use the v3 shape and route the output through `escapeHtml()` consistently.
If retired: delete the legacy form.
Why
Pre-existing risk; pulled into focus by the v3 migration. Worth a dedicated PR rather than bundling into the v3-validity fix.
Follow-up from PR #4464.
While reviewing #4464, the code-reviewer flagged a second, pre-existing code path in `server/public/adagents-builder.html` around lines 5402-5413 (the legacy "quick-add" form, separate from the main builder state):
Work
Why
Pre-existing risk; pulled into focus by the v3 migration. Worth a dedicated PR rather than bundling into the v3-validity fix.