From 2f3d5d37833bf737ea46934db213e41514ed0f31 Mon Sep 17 00:00:00 2001
From: agent_coder
Date: Thu, 2 Jul 2026 06:19:26 +0300
Subject: [PATCH] docs: fix escapeAttr comment count (three, not four) (#274 review)

The regex strips three attribute-breaking chars (" < >); the JSDoc said four.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 apps/server/src/core/ai-chat/ai-chat.prompt.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/server/src/core/ai-chat/ai-chat.prompt.ts b/apps/server/src/core/ai-chat/ai-chat.prompt.ts
index 52fbee3b..d2b44e15 100644
--- a/apps/server/src/core/ai-chat/ai-chat.prompt.ts
+++ b/apps/server/src/core/ai-chat/ai-chat.prompt.ts
@@ -97,7 +97,7 @@ const PAGE_CHANGED_NOTE =
  * can steer the title of the page user A has open — an unescaped `"`/`<`/`>` or a
  * newline in the title would let them break out of the attribute and inject
  * pseudo-tags (`x">…`) or extra lines into user A's system prompt. We
- * strip the four attribute-breaking characters (double quote, angle brackets) and
+ * strip the three attribute-breaking characters (double quote, angle brackets) and
  * collapse any newline/CR/tab to a single space so the value stays a single inert
  * attribute token. Cross-user prompt-injection defense (#274 review F1).
  */
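Review bot: The JSDoc sentence corrected here still presents the sanitizer as the cross-user prompt-injection defense, but stripping `"`, `<`, `>` and collapsing newline/CR/tab only prevents structural break-out of the attribute; whatever title text remains is still content another user controls, placed inside the system prompt. I would add a closing line to the comment such as `Structural defense only: the remaining title text is still untrusted and must be treated as data, not instructions.` It may also be worth recording that the count of three assumes the template always emits the value in a double-quoted attribute, since a single-quoted attribute would make `'` a further breaking character. The comment begins above the hunk and the function it documents lies below it, so the regex itself cannot be checked against the new count from here.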