Problem
internal/web/static/index.html: Multiple `innerHTML` assignments use raw data. While `escapeHtml()` exists, it is not used consistently across all dynamic content insertion points, particularly in the agent chat message rendering and tooltip construction.
Impact
Potential DOM-based XSS: if the server or the local LLM returns content containing HTML or script tags, the unescaped `innerHTML` assignment parses it as markup and any resulting event handlers or scripts run in the page's origin.
Fix
Audit all `innerHTML` assignments and ensure `escapeHtml()` is applied consistently to every interpolated value (including values that land inside attributes, such as tooltip `title` text, where quotes must be escaped as well), or switch to `textContent` where HTML rendering isn't needed.