chore(ui): prevent script execution in Toolbox UI rendering

[threatpointer]

Defensive Security Hardening: Prevent Script Execution in Toolbox UI Rendering

Note: This issue was identified during security research and reviewed previously.
While typical deployments operate within a trusted configuration model, addressing this behavior was recommended as a defense-in-depth improvement. This PR describes the implemented fix.

Overview

This change improves the safety of the GenAI Toolbox UI by preventing unintended JavaScript execution when rendering values derived from tool configuration files.

Previously, certain fields from tool definitions were rendered directly into HTML contexts without escaping. As a result, tool definitions containing embedded HTML or script payloads could trigger JavaScript execution when viewed in the dashboard. While this occurs within the same trust boundary as the configuration owner, escaping these values by default avoids unexpected execution and improves robustness.

Changes Implemented

1. New Utility

• Added sanitize.js which exports a strict escapeHtml() function.
• Escapes dangerous characters: &, <, >, ", ', /, `.
• Performs strict type checking, rendering null and undefined values as empty strings.

2. Input Handling

• Updated internal/server/static/js/toolDisplay.js to wrap tool.name and tool.description with escapeHtml() prior to rendering them into the DOM.

3. Error Handling

• Updated internal/server/static/js/loadTools.js to sanitize error messages that may reflect user-controlled or derived input before rendering.

Validation

• Verified behavior using tool definition files containing common script execution vectors.
• Confirmed that embedded HTML and script payloads are rendered as literal text.
• Verified that standard and existing tool definitions continue to render correctly without functional regression.

Notes

This change is a defense-in-depth hardening measure.
It does not modify the existing trust model or intended usage patterns, but ensures safer default rendering behavior and avoids unintended script execution in the UI.

Attribution

Contributor: Mohammed Tanveer (threatpointer)

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[gemini-code-assist]

Summary of Changes

Hello @threatpointer, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security posture of the GenAI Toolbox UI by implementing defensive measures against unintended JavaScript execution. It addresses a potential cross-site scripting (XSS) vulnerability by ensuring that user-controlled data, such as tool names, descriptions, and error messages, are properly HTML-escaped before being rendered in the browser. This change improves the robustness and safety of the UI, aligning with defense-in-depth security principles without altering the existing trust model.

Highlights

• Introduced HTML Escaping Utility: A new sanitize.js file has been added, providing a strict escapeHtml() function to prevent script execution by encoding dangerous HTML characters such as &, <, >, ", ', and `.
• Sanitized Tool Display: The toolDisplay.js file now uses escapeHtml() to safely render tool.name and tool.description, ensuring that any embedded HTML or script payloads are displayed as literal text rather than being executed.
• Secured Error Message Rendering: Error messages in loadTools.js are now sanitized with escapeHtml() before being displayed in the UI, mitigating potential Cross-Site Scripting (XSS) vulnerabilities from user-controlled or derived input.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a security hardening measure by escaping potentially unsafe values before rendering them as HTML in the UI, which is a great improvement. The new sanitize.js utility is well-implemented, and its application in loadTools.js and toolDisplay.js correctly addresses the identified XSS vectors in error messages, tool names, and descriptions. I have one suggestion to improve the sanitize.js utility for better performance. Additionally, during the review, I identified a similar potential XSS vulnerability in a related part of the code that is not part of this PR's changes. The createGoogleAuthMethodItem function in internal/server/static/js/auth.js renders authProfileName directly into HTML without escaping. Since this PR's goal is to harden the UI, it would be beneficial to address this as well to ensure comprehensive protection.

[threatpointer]

Based on code review comments, updated the PR to also sanitize authProfileName in createGoogleAuthMethodItem() within auth.js.

The escapeHtml() utility is now applied consistently across all user-facing string interpolations.

[Yuan325]

@threatpointer Thank you for your contribution! :)

[Yuan325]

/gcbrun

[Yuan325]

/gcbrun

[Yuan325]

/gcbrun