From ed3251f2cb2b2f6af25ccfd030eadbbeecf25da4 Mon Sep 17 00:00:00 2001
From: SoClose <33631880+SoClosee@users.noreply.github.com>
Date: Wed, 4 Mar 2026 02:12:50 +0100
Subject: [PATCH] fix: sanitize log messages to prevent XSS vulnerabilities
---
 app.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/app.py b/app.py
index f5a4b9a..fc3ea11 100644
--- a/app.py
+++ b/app.py
@@ -115,8 +115,10 @@ def _log(msg: str) -> None:
+ import html
+ sanitized_msg = html.escape(msg)
 ts = datetime.now().strftime("%H:%M:%S")
- st.session_state["logs"].append(f"[{ts}] {msg}")
+ st.session_state["logs"].append(f"[{ts}] {sanitized_msg}")
 # ---------------------------------------------------------------------------
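Review bot: Escaping at write time (`sanitized_msg = html.escape(msg)`) bakes HTML entities into the stored log line, so any consumer that renders the logs as plain text (`st.text`, `st.code`, a file or console sink, where Streamlit or the terminal already treats the string literally) will display `&lt;`, `&gt;` and `&amp;` verbatim, and the entry is no longer usable as a raw record. Output encoding belongs at the render site, where the context is known: keep `msg` unescaped in `st.session_state["logs"]` and apply `html.escape` only in the one renderer that passes the lines to markdown with `unsafe_allow_html=True`, if such a renderer exists; whether it does cannot be seen from this hunk, so the double-encoding risk is inferred rather than confirmed. The function-scope `import html` is a style point as well — `html` is stdlib and should join the module-level imports rather than be re-imported on every `_log` call. The body of `_log` begins outside the hunk (its signature appears only in the hunk header), and the code that reads the logs back is not part of this patch.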