From 76b0a5e05e81fdad37a1e294653aba24bbf35a00 Mon Sep 17 00:00:00 2001
From: ZGaetano
Date: Tue, 19 May 2026 00:46:12 -0400
Subject: [PATCH] fix(recorders): escape d.error in renderProbeResult to prevent XSS
---
 services/web-ui/public/recorders.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/services/web-ui/public/recorders.html b/services/web-ui/public/recorders.html
index 70322da..92d3d57 100644
--- a/services/web-ui/public/recorders.html
+++ b/services/web-ui/public/recorders.html
@@ -823,7 +823,7 @@
 if (!d.ok) {
 host.style.borderColor = 'oklch(62% 0.22 25 / 0.5)';
 host.style.background = 'oklch(62% 0.22 25 / 0.08)';
- host.innerHTML = '
No signal detected
' + (d.error || 'Unknown error') + '
';
+ host.innerHTML = '
No signal detected
' + esc(d.error || 'Unknown error') + '
';
 return;
 }
 host.style.borderColor = 'oklch(68% 0.18 148 / 0.5)';
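Review bot: The added `host.innerHTML = … + esc(d.error || 'Unknown error') + …` line is only as safe as `esc`, which is defined outside this hunk, so it is worth confirming that it entity-encodes at least `&`, `<` and `>` and does not throw when `d.error` is not a string (coercing with `esc(String(d.error || 'Unknown error'))` would cover the latter). A sturdier form keeps only the static markup in `innerHTML` and assigns the message with `errEl.textContent = d.error || 'Unknown error';`, which removes the dependency on an escaping helper in this branch. The function continues past the last line of the hunk, and the success branch that begins at `host.style.borderColor = 'oklch(68% 0.18 148 / 0.5)'` presumably also writes fields of `d` into the DOM, so it should be checked for the same unescaped concatenation. A short comment above the assignment, such as `// d.error is not trusted markup: escape it or assign via textContent`, would keep the reason visible to the next editor.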