diff --git a/plans/002-stop-marking-json-attributes-trusted-html.md b/plans/002-stop-marking-json-attributes-trusted-html.md new file mode 100644 index 00000000..d8ec8673 --- /dev/null +++ b/plans/002-stop-marking-json-attributes-trusted-html.md @@ -0,0 +1,35 @@ +--- +finding: "Stop marking JSON attributes as trusted HTML" +catalog: "Security" +impact: "Provider-controlled strings can break quoted data attributes on the watch page, creating an HTML injection risk." +base_commit: "0d31d46" +--- + +## Effort + +S - localized template helper and tests. + +## Risk + +LOW - the intended behavior is still to serialize data for client-side parsing, but escaping must be handled by `html/template`. + +## Confidence + +HIGH - the current helper explicitly bypasses contextual escaping. + +## Evidence + +- `templates/funcs.go:37-42` marshals JSON and returns `template.HTMLAttr`. +- `templates/renderer.go:46-50` registers the helper as `json`. +- `templates/components/video_player.gohtml:10-12` embeds JSON inside single-quoted `data-*` attributes. +- `internal/playback/watch_data.go:181-188` copies provider subtitle labels into that serialized payload. + +## Resolution Approach + +Change the JSON serialization path so marshaled JSON is not marked as trusted `template.HTMLAttr`. Let `html/template` perform contextual escaping, or move larger JSON payloads into `