mirror of
https://github.com/ChuckBuilds/LEDMatrix.git
synced 2026-05-06 23:03:31 +00:00
* style: trim trailing whitespace and fix EOF in plugins_manager.js

Autofix from pre-commit hooks (trailing-whitespace, end-of-file-fixer). No code logic changes — purely whitespace.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix(security): escape user-controlled output in plugin action UI

The plugin action result handlers in executePluginAction() injected data.message, data.output, and data.auth_url directly into innerHTML template literals without escaping. A plugin's action handler returning malicious content (e.g., from a third-party plugin or compromised upstream) could execute arbitrary JavaScript in the web UI context.

Wrap user-controlled strings in escapeHtml() at all four sites:
- Step-2 (continuation) error path (message + output)
- OAuth flow auth_url (link href + display text, with http:// guard)
- Step-1 simple-success output
- Step-1 failure path (message + output)

The escapeHtml() helper is already defined in this file and used elsewhere (validation errors, plugin store cards).

Co-Authored-By: 5ymb01 <5ymb01@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: 5ymb01 <5ymb01@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
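The pattern the commit describes, as an added example that is not LEDMatrix's own code: a plugin-controlled result rendered into an innerHTML template literal before and after wrapping it in escapeHtml(), plus the OAuth link with a scheme check. The escapeHtml() body, the render function names and the exact form of the "http:// guard" are assumptions; the project's helper and guard may differ.

```javascript
// Added example (not the LEDMatrix project's code). Runs under Node without a
// DOM: the functions return the HTML string that would be assigned to innerHTML.

// Assumed escapeHtml(): map the five HTML-significant characters to entities
// so a plugin string is rendered as text, even inside an attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Before: plugin-controlled fields dropped straight into the template literal.
// Whatever data.message / data.output contain is parsed as markup by innerHTML.
function renderFailureUnsafe(data) {
  return `<div class="error"><p>${data.message}</p><pre>${data.output}</pre></div>`;
}

// After: every plugin-controlled string passes through escapeHtml() first.
function renderFailureEscaped(data) {
  return `<div class="error"><p>${escapeHtml(data.message)}</p>` +
         `<pre>${escapeHtml(data.output)}</pre></div>`;
}

// OAuth link: escape both the href and the visible text, and only accept an
// absolute http(s) URL so a non-http scheme never becomes a clickable link.
// (Assumed reading of the commit's "http:// guard"; the real check may differ.)
function renderAuthLink(authUrl) {
  const url = String(authUrl);
  if (!/^https?:\/\//i.test(url)) {
    return '<p>Invalid authorization URL returned by plugin.</p>';
  }
  const safe = escapeHtml(url);
  return `<a href="${safe}" target="_blank" rel="noopener">${safe}</a>`;
}

// Constructed sample: a plugin action response whose output carries markup.
const sampleResponse = {
  message: 'Action failed: <b>see output</b>',
  output: '<script>/* injected by a misbehaving plugin */</script>',
};
```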