Critical XSS Vulnerability in LLM Output Rendering: Unfiltered innerHTML Exposes User Sessions
A critical security flaw in a codebase's AI summary feature allows malicious Large Language Model (LLM) output to execute arbitrary JavaScript in users' browsers. The vulnerability stems from inserting the streaming LLM response directly into the Document Object Model (DOM) via `innerHTML` in `ai_summary.js`. A `linkify()` function applies some basic escaping, but it does not neutralize HTML or JavaScript payloads in general. If an adversarial or compromised LLM endpoint returns a malicious response, the browser renders it as markup, enabling client-side attacks.
The core of the vulnerability is the line `contentEl.innerHTML = linkify(displayed);` inside the streaming rendering loop, which treats the LLM's output as trusted HTML and bypasses the usual separation between data and markup. The impact is severe: a successful attack could steal session cookies, redirect the user, or perform arbitrary actions on the victim's behalf without their consent. The risk is directly tied to how far the connected LLM endpoint can be trusted.
To mitigate this high-severity vulnerability, developers must sanitize the output before rendering it. The proposed fix is either to pass the string through a robust HTML sanitizer such as DOMPurify before the `innerHTML` assignment, or to restructure the rendering logic to use `textContent` and build any required formatting (such as links) programmatically with DOM APIs. This case underscores the heightened security risk of integrating generative AI into web applications: the model itself becomes a potential attack vector that traditional input validation does not cover.