Ticket is done; runtime is closed. · cwd /home/lucienne/workspace/state/control-room-worktrees/mc-4605-board-v2-pending-cta-url-injected-into-o-a9a788 · uptime 8d 23h · last activity 8d 23h ago
Description
MC-4605
Pre-existing (predates MC-4597), surfaced by MC-4597 council review. templates/partials/board_v2_card.html renders {{ _t.pending_cta_url }} directly inside onclick/onkeydown JS string literals. Jinja auto-escapes for HTML, not for JS-string context, so a comment-derived URL containing a single quote can break out of the string literal and execute as script. pending_cta_url derives from ticket comment bodies (agent/human authored). Fix: move the URL to a data-* attribute and read it via dataset in a script handler, or pass it through |tojson. Not folded into MC-4597 per surgical-change discipline.
Details
State: Done (Closed) · Priority: High · Assignee: Luci (luci) · Project: Mission Control · Timing: 11d ago / 9d ago
Runtime: direct_worker_done_recovered
Operator console: MC is visibility-only. Hermes Luci launches and gates work outside MC, then mirrors evidence/status here. Raw console: luci-controller · claude-code
Activity
[failed_to_inject] send_failed: pool claim timeout for MC-4605; refusing unsafe runtime cwd /home/lucienne/workspace/mission-control
Ticket picked up by Luci via MC dispatcher.
MC-4605: Board v2: pending_cta_url injected into onclick JS string (XSS)
Work this ticket in the live tmux runtime. Use DONE:, REVIEW:, or QUESTION: when you need MC to reflect the next state.
luci-controller · 9d ago
[control-room-recover] MC-4605: cleared false manual_safe_dispatch_required blocker caused by controller pool-claim / unsafe-main-checkout failure (reason: 'unsafe_main_checkout_runtime: pool claim timeout for MC-4605; refusing unsafe runtime cwd /home/lucienne/workspace/mission-control'). Requeued to todo; Control Room pickup now owns retry/dispatch. No human reply was pending.
luci-controller · 9d ago
[control-room-dispatch] Control Room dispatched MC-4605 to a Claude Code worker.
Worktree: /home/lucienne/workspace/state/control-room-worktrees/mc-4605-board-v2-pending-cta-url-injected-into-o-a9a788
Branch: cr/mc-4605-board-v2-pending-cta-url-injected-into-o-a9a788
tmux: cr-MC-4605
Expected check-in: 2026-06-04T07:50:17.715860+00:00
luci-controller · 9d ago
[control-room-recover] MC-4605: recovered DONE from a finished direct worker whose tmux was gone. Ticket → in_review. Summary: MC-4605 board-v2 XSS fixed — pending_cta_url moved from inline window.open() JS string to data-cta-url attribute + dataset read + scheme guard + noopener in templates/partials/board_v2_card.html. Repo: mission-control (NOT luci-workspace), branch cr/mc-4605-board-v2-pending-cta-url-injected-into-o-a9a788, SHA 9d4e707, pushed to origin. Tests: tests/test_mc4605_cta_xss.py, 41/41 pass; verified end-
[control-room-merged] Work branch `cr/mc-4605-board-v2-pending-cta-url-injected-into-o-a9a788` is already an ancestor of origin/master — the work is live.
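The escaping-context mismatch from the description and the data-cta-url fix plus scheme guard from the recovered DONE summary, as an added stdlib-only Python illustration that is not the repository's template or test code: html.escape stands in for Jinja autoescape, html.unescape for the browser's attribute-value decoding, BAD_URL is a constructed input, and running the scheme guard server-side is an assumption, since the ticket does not say where it was placed.

```python
import html
import json
from urllib.parse import urlsplit

# Constructed comment-derived URL (not from the ticket): the quote closes the
# JS string literal that the original template wrapped the URL in.
BAD_URL = "https://example.test/x');INJECTED();('"


def render_vulnerable(url: str) -> str:
    """Old pattern: URL inside a JS string literal in onclick. html.escape
    with quote=True behaves like Jinja autoescape here (' becomes &#x27;)."""
    return '<div onclick="window.open(\'%s\')">Open</div>' % html.escape(url)


def attribute_value(rendered: str, attr: str) -> str:
    """What the browser hands to the JS engine (onclick) or to dataset: the
    HTML parser decodes character references in the attribute value before
    it is evaluated, so &#x27; is a literal quote again."""
    start = rendered.index(attr + '="') + len(attr) + 2
    return html.unescape(rendered[start:rendered.index('"', start)])


def render_fixed(url: str) -> str:
    """Fix from the ticket: the URL lives in a data-* attribute, which is never
    evaluated as script, so HTML-attribute escaping is the right escaping.
    Client side (illustration only, assumed handler):
        el.addEventListener('click', () =>
            window.open(el.dataset.ctaUrl, '_blank', 'noopener'))"""
    return '<div class="cta" data-cta-url="%s">Open</div>' % html.escape(url)


def tojson_attr(url: str) -> str:
    """Emulates the ticket's other option, |tojson: json.dumps plus \\u escapes
    for < > & ' so the literal cannot end a script block or a quoted string.
    The result is double-quoted, so an attribute holding it must use
    onclick='...' delimiters; inside a <script> block no such care is needed."""
    out = json.dumps(url)
    for ch, rep in (("<", "\\u003c"), (">", "\\u003e"),
                    ("&", "\\u0026"), ("'", "\\u0027")):
        out = out.replace(ch, rep)
    return out


def is_safe_cta_url(url: str) -> bool:
    """Scheme guard: only http(s) may reach window.open, independent of the
    context fix above; a javascript: URL is rejected rather than opened."""
    return urlsplit(url.strip()).scheme in {"http", "https"}
```

Run attribute_value on both renderings with BAD_URL: the onclick value comes back as executable script with the injected call outside the string, while the data-cta-url value comes back as the unchanged URL string.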