From 330ddc8f05a14a8699f672f1825ce4166841256f Mon Sep 17 00:00:00 2001
From: clawbot
Date: Fri, 27 Feb 2026 11:39:47 -0800
Subject: [PATCH] L5: truncate token name and symbol to prevent UI abuse

Limit token name to 64 characters and symbol to 12 characters after fetching from the contract. Prevents malicious contracts from injecting excessively long strings into the UI.
---
 src/content/index.js | 5 +----
 src/shared/balances.js | 4 ++++
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/content/index.js b/src/content/index.js
index ca0d31b..97cc779 100644
--- a/src/content/index.js
+++ b/src/content/index.js
@@ -24,10 +24,7 @@ storageApi.local.get("providerUUID", (res) => {
 uuid = crypto.randomUUID();
 storageApi.local.set({ providerUUID: uuid });
 }
- window.postMessage(
- { type: "AUTISTMASK_PROVIDER_UUID", uuid },
- "*",
- );
+ window.postMessage({ type: "AUTISTMASK_PROVIDER_UUID", uuid }, "*");
 });
 
 // Relay requests from the page to the background script
diff --git a/src/shared/balances.js b/src/shared/balances.js
index 24f19a6..a758339 100644
--- a/src/shared/balances.js
+++ b/src/shared/balances.js
@@ -192,6 +192,10 @@ async function lookupTokenInfo(contractAddress, rpcUrl) {
 name = symbol;
 }
 
+ // Truncate name and symbol to prevent abuse via malicious contracts.
+ name = String(name).slice(0, 64);
+ symbol = String(symbol).slice(0, 12);
+
 log.infof("Token resolved:", symbol, "decimals", Number(decimals));
 return { name, symbol, decimals: Number(decimals) };
 }
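Review bot: `String(name).slice(0, 64)` and `String(symbol).slice(0, 12)` in the balances.js hunk truncate by UTF-16 code unit, so a name whose 64th unit is the first half of a surrogate pair is left ending in a lone surrogate, and the cut keeps control and format characters (newlines, bidi overrides, zero-width joiners) that are a more common way for a contract-supplied string to mislead a UI than sheer length. Truncating by code point and dropping those classes handles both at the same spot: `const clean = (s, max) => [...String(s).replace(/[\p{Cc}\p{Cf}]/gu, "")].slice(0, max).join("");` followed by `name = clean(name, 64);` and `symbol = clean(symbol, 12);`. The 64/12 limits themselves look fine and the comment above them could say that the cut is a UI-abuse mitigation rather than a protocol limit. lookupTokenInfo begins outside the hunk, so whether name or symbol can still be undefined at this point (String(undefined) yields the literal "undefined", which would then be displayed) cannot be confirmed from what is shown.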