
[backport core/1.38] fix: prevent XSS vulnerability in context menu labels #8922

Merged
pythongosssss merged 1 commit into core/1.38 from backport-8887-to-core-1.38
Feb 17, 2026

Conversation


@comfy-pr-bot comfy-pr-bot commented Feb 16, 2026

Backport of #8887 to core/1.38

Automatically created by backport workflow.


Replace innerHTML with textContent when setting context menu item labels
to prevent XSS attacks via malicious filenames. This fixes a security
vulnerability where filenames like "<img src=x onerror=alert()>" could
execute arbitrary JavaScript when displayed in dropdowns.

https://claude.ai/code/session_01LALt1HEgGvpWD7hhqcp2Gu

## Summary

<!-- One sentence describing what changed and why. -->

## Changes

- **What**: <!-- Core functionality added/modified -->
- **Breaking**: <!-- Any breaking changes (if none, remove this line)
-->
- **Dependencies**: <!-- New dependencies (if none, remove this line)
-->

## Review Focus

<!-- Critical design decisions or edge cases that need attention -->

<!-- If this PR fixes an issue, uncomment and update the line below -->
<!-- Fixes #ISSUE_NUMBER -->

## Screenshots (if applicable)

<!-- Add screenshots or video recording to help explain your changes -->

┆Issue is synchronized with this [Notion
page](https://www.notion.so/PR-8887-fix-prevent-XSS-vulnerability-in-context-menu-labels-3086d73d365081ccbe3cdb35cd7e5cb1)
by [Unito](https://www.unito.io)

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: github-actions <github-actions@github.com>
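Worked example, added by the editor and not code from this repository or PR, of the sink the commit message describes: a filename assigned to `innerHTML` is parsed as markup, so the `onerror=` attribute in `<img src=x onerror=alert()>` becomes a live handler, while the same string assigned to `textContent` is a text node whose angle brackets are literal characters. `FakeElement`, `renderLabels`, `labelRendersAsText`, and the sample filenames are all constructed for this illustration so it runs under Node; in a browser, pass `() => document.createElement('div')` as the element factory instead.

```javascript
// Added example (editor's illustration, not code from this repository or PR):
// contrasts the innerHTML sink the commit message describes with the
// textContent fix. FakeElement stands in for a DOM element so the file runs
// under Node; in a browser, pass () => document.createElement('div') to
// renderLabels instead.

// How a browser serialises a text node back to HTML: & < > are escaped.
function escapeText(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function unescapeText(s) {
  // &amp; last, so "&amp;lt;" decodes to "&lt;" and not to "<".
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Minimal DOM element stand-in. Setting innerHTML hands the string to the
// HTML parser (tags become child elements); setting textContent stores it
// as a single text node. Only what the comparison needs is modelled.
class FakeElement {
  constructor() { this._html = ''; }
  set innerHTML(markup) { this._html = String(markup); }
  get innerHTML() { return this._html; }
  set textContent(s) { this._html = escapeText(s); }
  get textContent() { return unescapeText(this._html.replace(/<[^>]*>/g, '')); }
  // Child elements the parser would create from the stored markup.
  get children() {
    return [...this._html.matchAll(/<([a-z][a-z0-9]*)\b([^>]*)>/gi)]
      .map(m => ({ tagName: m[1].toUpperCase(), attrs: m[2] }));
  }
  get childElementCount() { return this.children.length; }
}

// Inline handler attributes (onerror=, onload=, ...) on parsed children.
// Each one is script the browser runs with no user interaction.
function inlineHandlers(el) {
  return el.children.flatMap(c =>
    [...c.attrs.matchAll(/\b(on[a-z]+)\s*=/gi)].map(m => m[1].toLowerCase()));
}

// The pattern the fix removes: the filename is interpreted as markup.
function setLabelUnsafe(el, label) { el.innerHTML = label; }

// The fix: the filename becomes a text node, so '<' and '>' stay literal.
function setLabelSafe(el, label) { el.textContent = label; }

// Regression check that also works against a real element: a label rendered
// safely creates no child elements and reads back exactly as the filename.
function labelRendersAsText(el, name) {
  return el.childElementCount === 0 && el.textContent === name;
}

// Render each filename as a menu label with the given setter and report what
// the resulting element holds.
function renderLabels(filenames, setLabel, createElement = () => new FakeElement()) {
  return filenames.map(name => {
    const el = createElement();
    setLabel(el, name);
    return {
      name,
      html: el.innerHTML,
      text: el.textContent,
      childElementCount: el.childElementCount,
      handlers: inlineHandlers(el),
      safe: labelRendersAsText(el, name),
    };
  });
}

// Constructed sample filenames: a benign one, the payload quoted in the
// commit message, and a name with characters that need escaping either way.
const SAMPLE_FILENAMES = [
  'workflow_v2.json',
  '<img src=x onerror=alert()>',
  'Tom & Jerry <final>.png',
];

for (const [mode, setter] of [['innerHTML  ', setLabelUnsafe], ['textContent', setLabelSafe]]) {
  for (const r of renderLabels(SAMPLE_FILENAMES, setter)) {
    console.log(`${mode} ${JSON.stringify(r.name)} -> children=${r.childElementCount}` +
      ` handlers=[${r.handlers}] safe=${r.safe}`);
  }
}
```

Note that the benign filename passes `labelRendersAsText` under both setters, which is why an `innerHTML` sink survives ordinary testing: only a filename carrying markup reveals it. The same check can be run against real elements in a browser test by supplying `document.createElement` as the factory, and the pattern to look for in review is any other assignment of a user-influenced string (filenames, titles) to `innerHTML`.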
@comfy-pr-bot comfy-pr-bot added the backport Backporting a PR onto a release candidate label Feb 16, 2026
@comfy-pr-bot comfy-pr-bot requested a review from a team as a code owner February 16, 2026 23:31
@dosubot dosubot bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Feb 16, 2026

github-actions bot commented Feb 16, 2026

🎨 Storybook Build Status

Build completed successfully!

⏰ Completed at: 02/16/2026, 11:32:56 PM UTC

🎉 Your Storybook is ready for review!


github-actions bot commented Feb 16, 2026

🎭 Playwright Tests: ✅ Passed

Results: 507 passed, 0 failed, 0 flaky, 8 skipped (Total: 515)

📊 Browser Reports
  • chromium: View Report (✅ 495 / ❌ 0 / ⚠️ 0 / ⏭️ 8)
  • chromium-2x: View Report (✅ 2 / ❌ 0 / ⚠️ 0 / ⏭️ 0)
  • chromium-0.5x: View Report (✅ 1 / ❌ 0 / ⚠️ 0 / ⏭️ 0)
  • mobile-chrome: View Report (✅ 9 / ❌ 0 / ⚠️ 0 / ⏭️ 0)

@pythongosssss pythongosssss merged commit 841cf55 into core/1.38 Feb 17, 2026
36 of 37 checks passed
@pythongosssss pythongosssss deleted the backport-8887-to-core-1.38 branch February 17, 2026 10:24