From 65155379bb2e4171abc2181ce042d6024674bbaf Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Sat, 20 Jun 2026 05:19:18 -0700
Subject: [PATCH] fix(webview): unsafe html string construction in getdashboardhtm

The getDashboardHtml function in panel-html.ts constructs HTML by string concatenation including external style and script URIs. While a nonce is used for script-src, the style-src directive allows 'unsafe-inline' which bypasses CSP protection for styles. Additionally, the function uses String(styleUri) and String(scriptUri) which could potentially be exploited if the webview.asWebviewUri returns unexpected values. The 'unsafe-inline' in style-src allows attackers to inject styles if they can control any part of the HTML generation.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 src/webview/panel-html.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/webview/panel-html.ts b/src/webview/panel-html.ts
index 800255a..5369155 100644
--- a/src/webview/panel-html.ts
+++ b/src/webview/panel-html.ts
@@ -11,14 +11,15 @@ export function getDashboardHtml(webview: vscode.Webview, extensionUri: vscode.U
 const scriptUri = webview.asWebviewUri(vscode.Uri.joinPath(extensionUri, 'dist', 'webview', 'app.js'));
 const styleUri = webview.asWebviewUri(vscode.Uri.joinPath(extensionUri, 'dist', 'webview', 'styles.css'));
 const nonce = getNonce();
+ const styleNonce = getNonce();
 return ` - - + + AI Engineer Coach