From f0cba6ecd4d176d8dffaf34e3db779d27251dea9 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Sat, 13 Jun 2026 05:36:07 +0000 Subject: [PATCH] Fix DOM-based XSS in showToast functions Co-authored-by: arumes31 <114224498+arumes31@users.noreply.github.com> --- .jules/sentinel.md | 5 +++++ cmd/server/templates/admin_management.html | 2 +- cmd/server/templates/excluded.html | 2 +- cmd/server/templates/settings.html | 2 +- cmd/server/templates/whitelist.html | 2 +- 5 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.jules/sentinel.md b/.jules/sentinel.md index 0bc6dbd..1b6ff7e 100644 --- a/.jules/sentinel.md +++ b/.jules/sentinel.md @@ -31,3 +31,8 @@ **Vulnerability:** CRLF Injection (CWE-93) / Email Content Injection **Learning:** Interpolating untrusted data (like IP addresses, block reasons, or actor names) directly into email headers or the `Subject` line without sanitization allows an attacker to inject CR/LF characters. This can be used to terminate headers prematurely and inject additional headers (e.g., `Bcc`, `Reply-To`) or even replace the entire email body. **Prevention:** Always sanitize any input destined for a network header or a delimited protocol. Using a `strings.NewReplacer("\r", "", "\n", "")` to strip line-break characters ensures that untrusted content remains confined to its intended field and cannot "break out" to inject new headers. + +## 2026-06-13 - [DOM-based XSS in Toast Notifications] +**Vulnerability:** DOM-based Cross-Site Scripting (XSS) (CWE-79) +**Learning:** Using `innerHTML` with string interpolation to dynamically construct HTML elements using untrusted data allows the browser to execute embedded `
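Review bot: in the new `.jules/sentinel.md` entry, the Learning line should be precise about what `innerHTML` actually executes: browsers do not run `<script>` elements inserted through `innerHTML`, so the payload that fires in a toast built by string interpolation is markup carrying an inline event handler (e.g. `<img src=x onerror=alert(1)>`) or a `javascript:` URL in an `href`. Worth stating that, and make sure the entry closes with a `**Prevention:**` line in the same shape as the CRLF entry above it, naming the concrete fix applied to `showToast` (build the toast with `document.createElement` and assign the untrusted message via `textContent`, or escape it before interpolating), so the note is actionable rather than descriptive. Separately, the diffstat shows a one-line change in each of `admin_management.html`, `excluded.html`, `settings.html` and `whitelist.html`; since the same `showToast` is duplicated across four templates, consider factoring it into one shared script so the next fix lands in a single place.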