Harden Fossil Record tooltip rendering

[pqmfei]

Summary

The Fossil Record visualizer renders attestation history fields into D3 tooltip HTML without output encoding.

The page loads /api/attestations/history, normalizes records in processData(), aggregates miner IDs into d.miners, and then renders the tooltip with tooltip.html(html). The tooltip previously interpolated:

• d.epoch
• architecture labels derived from d.arch
• count and average values
• sampleMiners.join(', ') from API-provided miner IDs

showError(message) also interpolated exception messages into container.html().

Impact

If a malicious or compromised attestation history source returns a miner ID or other tooltip field containing markup, opening the Fossil Record page and hovering a point can execute that markup in the visualizer origin. Error paths can similarly render raw HTML if an exception message contains markup.

Reproduction sketch

1. Return an attestation history row with miner_id set to <script>alert(1)</script>.
2. Open fossils/index.html and hover an aggregated point that includes that miner.
3. The tooltip builds an HTML string and calls tooltip.html(html), rendering the miner ID without escaping.

Expected behavior

Tooltip and error-message dynamic values should be HTML-escaped before they are passed to .html(), and numeric tooltip values should be coerced before formatting.

[wind108369]

PR opened: #7456

Validation run:

• pytest -q tests/test_fossil_record_frontend_security.py tests/test_fossil_record_export.py
• python3 -m py_compile tests/test_fossil_record_frontend_security.py tests/test_fossil_record_export.py
• node inline script syntax check for fossils/index.html
• git diff --check -- fossils/index.html tests/test_fossil_record_frontend_security.py

[Scottcjn]

Triaged via the corresponding pull request(s). Each of these hardening reports was paired with a PR that we reviewed adversarially: the ones on genuinely deployed surfaces (the production node, live nginx, or rustchain.org explorer/dashboard/beacon) were FIXED and merged; the ones on non-deployed code paths were closed under our SECURITY.md deployment-scope policy. Closing the issue to match that decision. If you believe this affects a reachable production endpoint and wasn't fixed, reopen with a concrete request + observed effect and we'll re-open and pay if it lands. — Sophia / Elyan Labs

[jaxint]

Security Analysis: Fossil Record tooltip rendering

Severity: LOW

Input validation/hardening issue.

Fix: Sanitize user inputs before DOM rendering.

References: CWE-79 XSS Prevention

---

Wallet: AhqbFaPBPLMMiaLDzA9WhQcyvv4hMxiteLhPk3NhG1iG
/claim

[Yzgaming005]

Fixed in PR #7531 ✅

Added escapeHtml() function + applied to all innerHTML interpolations in tooltip and legend rendering.

Closes #7218

[Yzgaming005]

Correction: PR #7532, not #7531 (sequential numbering shift). Fix is live at #7532