From 6043814b9ca84ba7beafe48d011e5d7b875556a4 Mon Sep 17 00:00:00 2001
From: Rob Bos
Date: Mon, 2 Feb 2026 21:18:01 +0100
Subject: [PATCH] Potential fix for code scanning alert no. 22: Client-side cross-site scripting
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/webview/diagnostics/main.ts | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/webview/diagnostics/main.ts b/src/webview/diagnostics/main.ts
index 97e9a06..27b02f1 100644
--- a/src/webview/diagnostics/main.ts
+++ b/src/webview/diagnostics/main.ts
@@ -209,6 +209,17 @@ function getEditorStats(files: SessionFileDetails[]): { [key: string]: { count:
 return stats;
 }
 
+function safeText(value: unknown): string {
+ if (value === null || value === undefined) {
+ return '';
+ }
+ if (typeof value === 'string') {
+ // Use existing HTML escaping to avoid XSS when inserting into innerHTML.
+ return escapeHtml(value);
+ }
+ return String(value);
+}
+
 function renderSessionTable(detailedFiles: SessionFileDetails[], isLoading: boolean = false): string {
 if (isLoading) {
 return `
@@ -234,7 +245,7 @@ function renderSessionTable(detailedFiles: SessionFileDetails[], isLoading: bool
 : detailedFiles;
 
 // Summary stats for filtered files
- const totalInteractions = filteredFiles.reduce((sum, sf) => sum + sf.interactions, 0);
+ const totalInteractions = filteredFiles.reduce((sum, sf) => sum + Number(sf.interactions || 0), 0);
 const totalContextRefs = filteredFiles.reduce((sum, sf) => sum + getTotalContextRefs(sf.contextReferences), 0);
 
 // Sort filtered files
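Review bot: The last branch of safeText returns `String(value)` without escaping, so only numbers and booleans are actually safe there — an array of strings stringifies to its joined elements, and any object with its own `toString` contributes whatever it returns, both of which would reach innerHTML unescaped. Since escapeHtml is the guard, apply it after stringification regardless of type and drop the typeof branch: `return escapeHtml(String(value));`; the null check can also be written `if (value == null)`. This hunk adds the helper but shows no call site adopting it, so presumably the template literals in renderSessionTable still need to be switched to `safeText(...)` for the alert to be closed — worth confirming, as renderSessionTable's body continues outside the hunk and escapeHtml is defined elsewhere in the file.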
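Review bot: `Number(sf.interactions || 0)` produces NaN for a non-numeric string, and one NaN poisons the whole reduce so totalInteractions renders as "NaN"; if the coercion's intent is that a numeric-only value is safe to interpolate into markup, the guard should also reject NaN, e.g. `const n = Number(sf.interactions); return sum + (Number.isFinite(n) ? n : 0);` inside the reducer. `?? 0` would state the intent more clearly than `|| 0` here, though the two are equivalent for this input. The unchanged totalContextRefs line on the next row relies on getTotalContextRefs, which is outside the hunk, so whether it needs the same treatment cannot be told from here; renderSessionTable itself starts and ends outside this hunk.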