From cdaaffb043375fe668ae0aa92ecae59f0b3dc5d6 Mon Sep 17 00:00:00 2001
From: Sameer <142401625+sameer6pre@users.noreply.github.com>
Date: Tue, 2 Sep 2025 10:05:18 +0530
Subject: [PATCH] Update orbit-app/src/components/CommentsSection.jsx in branch Precogs-fix-zc9esz8h
---
 orbit-app/src/components/CommentsSection.jsx | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/orbit-app/src/components/CommentsSection.jsx b/orbit-app/src/components/CommentsSection.jsx
index 6fe0c21..f38546c 100644
--- a/orbit-app/src/components/CommentsSection.jsx
+++ b/orbit-app/src/components/CommentsSection.jsx
@@ -30,6 +30,16 @@ function CommentsSection() { }); }; + // FIX: Helper function to escape HTML special characters + function escapeHtml(unsafe) { + return unsafe .replace(/&/g, "&") .replace(//g, ">") .replace(/\"/g, """) .replace(/'/g, "'"); + } + return (

Comments

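Review bot: The escapeHtml helper added in this hunk double-encodes once it is used as a JSX child in the second hunk (`{escapeHtml(cmt.comment)}`): React already HTML-escapes text children, so a comment containing `&` or `<b>` will be shown to the user as literal entity text rather than the characters themselves. Removing `dangerouslySetInnerHTML` is the actual fix; rendering `{cmt.comment}` directly gives the same protection without the helper, so the function can be dropped, or, if it is kept for another sink, hoisted to module scope instead of being redefined on every render of CommentsSection. As the patch reads on this page the replacement strings appear as bare `&`, `>`, `"`, `'` and one call is `.replace(//g, ">")`, which looks like entity text lost in rendering; if that is what was committed the helper is a no-op and the `//` literal does not parse, so the committed text is worth verifying. If the helper stays, `String(unsafe ?? '')` would keep a null or non-string comment from throwing in `.replace`.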
@@ -44,11 +54,13 @@ function CommentsSection() {
{commentsList.map((cmt, index) => ( -
+ // FIX: Render comment as plain text, escaping HTML +
{escapeHtml(cmt.comment)}
))}
); } +// FIX EXPLANATION: This fix removes the use of 'dangerouslySetInnerHTML' and instead escapes HTML special characters in user comments before rendering. This prevents any injected HTML or JavaScript from being interpreted by the browser, fully mitigating XSS. For production, consider using a robust library like 'dompurify' for sanitization if HTML formatting is required. export default CommentsSection;
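Review bot: The `// FIX EXPLANATION:` comment added above `export default` is change history rather than documentation of the code, and its statement that the change is "fully mitigating XSS" is broader than this diff supports: the patch closes the innerHTML sink at this one render site and says nothing about any other output context the component may have. I would move that text into the commit message and keep at most a one-line why-comment at the render site, e.g. `// Rendered as a JSX text child so React escapes it; do not reintroduce dangerouslySetInnerHTML`. The `// FIX: Render comment as plain text` comment sits inside the map callback's parenthesised body, which is JS expression context where a line comment is valid, but the surrounding JSX is only partly visible here so its placement relative to the element could not be checked.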