daub-ui

Warn

Audited by Socket on Apr 1, 2026

3 alerts found:

Security (3)

Security: MEDIUM
docs.html

Significant client-side security risk: this module injects untrusted HTML from a fetched JSON file directly into the DOM via preview.innerHTML, enabling DOM-based XSS if components.json can be influenced. Clipboard copying of c.html increases user-impact and social-engineering potential. No direct indicators of stealthy malware behavior (exfiltration/crypto/backdoor logic) are present in this snippet beyond the XSS-capable injection and reliance on a global initializer.

Confidence: 76% | Severity: 86%

Security: MEDIUM
daub-render.js

No clear indicators of classic supply-chain malware (no network exfiltration, credential access, or obfuscated backdoor logic) were observed in this module. However, the CustomHTML renderer accepts raw HTML and removes only script tags via regex before inserting the remainder into the DOM with createContextualFragment, which is a strong DOM XSS risk whenever p.html is not fully trusted/sanitized by a robust sanitizer. CSS injection via p.css and direct href assignment also add security risk. This code should be treated as security-sensitive, and any use with untrusted content requires strict sanitization/allowlisting and safe URL handling.

Confidence: 72% | Severity: 79%

Security: MEDIUM
playground.html

No clear evidence of stealth malware/backdoor networking is present in this fragment, but there is a high-risk execution pathway: model-generated CustomHTML/JS and DOM/CSS injection into a preview, plus window-global state assignment (parseStateDefs) and broad postMessage targetOrigin ('*'). This is likely intentional functionality, yet it substantially increases the impact of any malicious or compromised model output (or malicious user-provided content flowing into the pipeline). Recommend strict sandboxing for the preview iframe (unique origin, no same-origin access), strong sanitization/allowlisting for CustomHTML html/css, and eliminating/locking down execution of any model-provided JS.

Confidence: 61% | Severity: 78%

Audit Metadata

Analyzed At: Apr 1, 2026, 06:34 AM

Package URL: pkg:socket/skills-sh/sliday%2Fdaub%2Fdaub-ui%2F@89730052d12d19431835915447c1d30401489caf
Security Audit — socket — daub-ui