From 1fd8b054814053692b99562e153a14e9706565b8 Mon Sep 17 00:00:00 2001 From: tomaioo Date: Sat, 16 May 2026 17:10:48 -0700 Subject: [PATCH 1/2] fix(components): xss via dangerouslysetinnerhtml in embed-modal The EmbedModal component uses dangerouslySetInnerHTML with the html prop without sanitization. If an attacker can control the html content, they can inject malicious scripts. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- src/components/embed-modal.jsx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/components/embed-modal.jsx b/src/components/embed-modal.jsx index fdd9c3ed7e..a5b1e80771 100644 --- a/src/components/embed-modal.jsx +++ b/src/components/embed-modal.jsx @@ -1,5 +1,7 @@ import './embed-modal.css'; +import DOMPurify from 'dompurify'; + import { Trans, useLingui } from '@lingui/react/macro'; import Icon from './icon'; @@ -23,7 +25,7 @@ function EmbedModal({ html, url, width, height, onClose = () => {} }) {
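Review bot: The `+import DOMPurify from 'dompurify';` line in the `@@ -1,5 +1,7 @@` hunk is the only visible change and the diffstat says one file changed, so nothing in this patch declares the new dependency; unless `dompurify` is already in package.json and the lockfile, the build breaks and the lockfile update should travel with the fix. The `@@ -23,7 +25,7 @@` hunk inside EmbedModal, where the sanitize call presumably lands, is outside this excerpt, so the configuration cannot be confirmed here; DOMPurify's default profile drops `<iframe>`, `<script>` and `on*` handler attributes, and since embed markup is commonly an iframe, a default-config `DOMPurify.sanitize(html)` would likely leave the modal empty and invite someone to loosen it later ad hoc. Prefer an explicit allow-list at the call site (for example `ADD_TAGS: ['iframe']` together with a restricted `ALLOWED_ATTR` set) so the accepted shape of the embed is reviewable, and add a regression check that a payload carrying an inline script or `onload` attribute renders without it. A short comment on the prop recording the trust boundary would also help, e.g. `// html is remote-supplied embed markup; always sanitize before dangerouslySetInnerHTML`, placed next to the `dangerouslySetInnerHTML` use.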
Date: Sun, 17 May 2026 00:11:35 +0000 Subject: [PATCH 2/2] [autofix.ci] apply automated fixes --- src/components/embed-modal.jsx | 3 +-- src/locales/en.po | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/src/components/embed-modal.jsx b/src/components/embed-modal.jsx index a5b1e80771..f8a9cbdf27 100644 --- a/src/components/embed-modal.jsx +++ b/src/components/embed-modal.jsx @@ -1,8 +1,7 @@ import './embed-modal.css'; -import DOMPurify from 'dompurify'; - import { Trans, useLingui } from '@lingui/react/macro'; +import DOMPurify from 'dompurify'; import Icon from './icon'; diff --git a/src/locales/en.po b/src/locales/en.po index 402c2eae81..6d11f9fcd2 100644 --- a/src/locales/en.po +++ b/src/locales/en.po @@ -275,7 +275,7 @@ msgstr "View post stats" #: src/components/custom-emojis-modal.jsx:282 #: src/components/drafts.jsx:57 #: src/components/edit-profile-sheet.jsx:262 -#: src/components/embed-modal.jsx:13 +#: src/components/embed-modal.jsx:14 #: src/components/generic-accounts.jsx:151 #: src/components/gif-picker-modal.jsx:71 #: src/components/import-accounts-selection.jsx:81 @@ -894,7 +894,7 @@ msgstr "Add field" msgid "Save" msgstr "" -#: src/components/embed-modal.jsx:18 +#: src/components/embed-modal.jsx:19 msgid "Open in new window" msgstr ""