[BUG] security vulnerability

Problem Description

Remote HTML injection into extension UI (potential RCE in extension context)

  • The extension fetches an update “notice” from https://ext.scriptcat.org/ and renders it as raw HTML via React dangerouslySetInnerHTML.
  • Evidence:
    • Fetch: src/pages/popup/App.tsx:369
    • Render: src/pages/popup/App.tsx:485
    • Same update-check fetch in SW: src/app/service/service_worker/index.ts:113
  • Impact: if ext.scriptcat.org is compromised, misconfigured, or a malicious insider controls responses, they can
    inject scriptable HTML into the extension UI. In an extension with broad permissions (tabs/cookies/<all_urls>),
    that’s effectively a “developer-controlled remote code execution / data exfil” channel.
  • Recommended mitigation: do not render server-provided HTML. Render as plain text, or sanitize with a strict
    allowlist (no script, no event handlers, no javascript: URLs, no inline styles) before display.
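
As an added illustration (not code from the ScriptCat project), here is the reported pattern next to a hardened alternative: a small allowlist sanitizer in TypeScript that rebuilds its output from parsed tokens instead of passing the server's markup through, keeping only a few formatting elements and an https-only `href` on links. The element list and the `sanitizeNotice` name are my own choices; the App.tsx fetch and render locations are only referenced in comments.

```typescript
// Reported pattern (src/pages/popup/App.tsx): the notice body fetched from
// ext.scriptcat.org is handed straight to React:
//   <div dangerouslySetInnerHTML={{ __html: notice }} />
// Safest fix: render it as text, <div>{notice}</div>, and React escapes it.
// If some formatting is needed, run it through a strict allowlist first:
//   <div dangerouslySetInnerHTML={{ __html: sanitizeNotice(notice) }} />

// Elements that may survive; everything else (script, img, iframe, style,
// svg, ...) is dropped, and all attributes except a validated href on <a>.
const ALLOWED_TAGS: ReadonlySet<string> = new Set([
  "p", "br", "b", "strong", "i", "em", "ul", "ol", "li", "a",
]);
const VOID_TAGS: ReadonlySet<string> = new Set(["br"]);

function escapeHtml(s: string): string {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only absolute https URLs are accepted; javascript:, data:, entity-encoded
// schemes and anything with quotes or whitespace fail the check.
function safeHref(raw: string): string | null {
  const v = raw.trim();
  return /^https:\/\/[^\s"'<>]+$/i.test(v) ? v : null;
}

function sanitizeNotice(html: string): string {
  // Tokens: HTML comment | start/end tag | run of text | a lone "<".
  const token = /<!--[\s\S]*?-->|<\/?([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>|[^<]+|</g;
  const attrRe = /([a-zA-Z][\w-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = "";
  let m: RegExpExecArray | null;
  while ((m = token.exec(html)) !== null) {
    const [whole, tagName, rawAttrs] = m;
    if (tagName === undefined) {
      if (whole.startsWith("<!--")) continue; // comments are dropped
      out += escapeHtml(whole); // text, or a "<" that did not start a tag
      continue;
    }
    const name = tagName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue; // unknown element: drop the tag
    if (whole.startsWith("</")) {
      if (!VOID_TAGS.has(name)) out += `</${name}>`;
      continue;
    }
    // Attributes are never copied; the only one re-emitted is a clean href.
    let attrs = "";
    if (name === "a") {
      let am: RegExpExecArray | null;
      while ((am = attrRe.exec(rawAttrs)) !== null) {
        if (am[1].toLowerCase() !== "href") continue;
        const href = safeHref(am[2] ?? am[3] ?? am[4] ?? "");
        if (href !== null) {
          attrs = ` href="${escapeHtml(href)}" rel="noopener noreferrer"`;
        }
      }
      attrRe.lastIndex = 0;
    }
    out += `<${name}${attrs}>`;
  }
  return out;
}
```

Because the output is reassembled from the parsed tag name plus a validated attribute, event handlers, `style`, unknown elements and non-https links cannot reach the extension page even if the notice endpoint is hostile; text between dropped tags is emitted escaped, so a `<script>` body becomes inert text.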

This potential RCE vulnerability is so severe that I will not use Scriptcat because of it.

Reproduction Steps

n/a

ScriptCat Version

0

Operating System and Browser Information

n/a

Additional Information (Optional)

No response