[Security] XSS vulnerability in scrumHelper.js: escapeHtml() exists but is never applied to API-sourced data in report rendering #546

@PhilixTheExplorer

Bug Description

Multiple XSS (Cross-Site Scripting) vulnerabilities exist in scrumHelper.js where user-controlled data from GitHub/GitLab API responses (PR titles, issue titles, commit messages, project/repo names) is injected directly into HTML via template literals without sanitization.

An escapeHtml() function already exists at line 1119 but is never called anywhere in the report rendering logic.

Note: Issue #524 covers XSS in popup.js. This issue is specifically about scrumHelper.js, which renders the actual scrum report content, a separate and equally critical attack surface.

Root Cause

All report HTML is built using unescaped template literal interpolation:

```js
// PR/MR titles (lines 1783, 1794, 1807, 1817, 1820)
li = `<li><i>(${project})</i> - ${prAction} ... ${title}</a>...`;

// Commit messages (lines 1788, 1800-1801)
li += `<span>${commit.messageHeadline}</span>`;

// Issue titles (lines 1829-1838, 1851-1863)
li = `... <a href='${html_url}'>${title}</a>...`;

// Reviewed PR titles (lines 1464-1470, 1481-1488)
prText += "..." + pr_arr.title + "...";
```

The values title, project, commit.messageHeadline, and html_url all come directly from the GitHub/GitLab API and can contain attacker-controlled content.

Expected Behavior

All API-sourced strings should be escaped before HTML insertion using the existing escapeHtml() function (line 1119), preventing script execution.
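The fix described above, shown as an added example rather than the project's own code: a conventional five-character `escapeHtml()` (the real one at line 1119 in scrumHelper.js may differ) applied to every API-sourced value before interpolation, plus a `safeUrl()` helper (an assumption, not in the project) for the `href` attribute context. The hostile PR fields are constructed sample values.

```javascript
// Added example, not code from scrumHelper.js. escapeHtml() here is the usual
// five-character escaper; the project's own implementation may differ.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Assumed helper: an href built from API data should only ever be http(s).
// Anything else (e.g. a javascript: scheme or an unparseable string) becomes '#'.
function safeUrl(url) {
  try {
    const u = new URL(String(url));
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch (e) {
    return '#';
  }
}

// The vulnerable pattern from the report: raw interpolation of API fields.
function renderPrUnsafe(project, prAction, html_url, title) {
  return `<li><i>(${project})</i> - ${prAction} <a href='${html_url}'>${title}</a></li>`;
}

// Hardened rendering: each API-sourced value is escaped for the context it
// lands in. prAction is an app-internal constant, so it is not escaped.
function renderPrSafe(project, prAction, html_url, title) {
  return `<li><i>(${escapeHtml(project)})</i> - ${prAction} ` +
    `<a href='${escapeHtml(safeUrl(html_url))}'>${escapeHtml(title)}</a></li>`;
}

// Constructed sample: repo name, link and title as an attacker could set them.
const SAMPLE_PR = {
  project: 'repo<script>alert(1)</script>',
  prAction: 'opened PR',
  html_url: 'javascript:alert(document.cookie)',
  title: "x' onmouseover='alert(1)",
};

function demo() {
  const p = SAMPLE_PR;
  return {
    unsafe: renderPrUnsafe(p.project, p.prAction, p.html_url, p.title),
    safe: renderPrSafe(p.project, p.prAction, p.html_url, p.title),
  };
}
```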

Actual Behavior

Malicious HTML in PR titles, issue titles, commit messages, or repository names executes as JavaScript within the extension context or the email client compose window (when using "Insert to Email").

Affected Locations

| Line(s) | Content | Variable(s) |
|---|---|---|
| 1783 | Draft PR rendering | project, title |
| 1788 | Draft PR commit messages | commit.messageHeadline |
| 1794 | Open PR rendering | project, title |
| 1800-1801 | Open PR commit messages | commit.messageHeadline |
| 1807 | GitLab closed MR rendering | project, title |
| 1817 | Merged PR rendering | project, title |
| 1820 | Closed PR rendering | project, title |
| 1829-1838 | Next week issue rendering | project, title |
| 1851-1863 | Issue rendering (all states) | project, title |
| 1464-1470 | Reviewed PR (single) | pr_arr.title |
| 1481-1488 | Reviewed PR (multiple) | pr_arr1.title |

Contribution Checklist

  • I have searched existing issues to ensure this bug hasn't been reported
  • I have provided clear reproduction steps
  • I have included relevant environment details
  • I have described both expected and actual behavior
