Fix 7 frontend security vulnerabilities (4 critical, 3 high)

- Escape all innerHTML assignments with user/external data across 12 JS files - Upgrade credential encryption: per-value IV, key moved to sessionStorage - Fix open redirect in TOTP auth via proper URL hostname validation - Remove sensitive DNS topology data from localStorage cache - Add security regression test suite (51 tests) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 01:29:04 -08:00
parent 59b6d7d360
commit 52577b11ed
13 changed files with 874 additions and 96 deletions
--- a/status/js/core/logs.js
+++ b/status/js/core/logs.js
@@ -138,7 +138,7 @@
        logsContent.innerHTML = `
          <div style="padding: 20px; text-align: center; color: var(--bad-fg);">
            <div style="font-size: 1.2rem; margin-bottom: 8px;">⚠️ Error</div>
-            <div>${result.error}</div>
+            <div>${escapeHtml(result.error)}</div>
          </div>`;
        return;
      }
@@ -167,7 +167,7 @@
    } catch (error) {
      logsContent.innerHTML = `
        <div style="padding: 20px; text-align: center; color: var(--bad-fg);">
-          Failed to fetch logs: ${error.message}
+          Failed to fetch logs: ${escapeHtml(error.message)}
        </div>`;
    }
  }
@@ -400,7 +400,7 @@
        logsContent.innerHTML = `
          <div style="padding: 20px; text-align: center; color: var(--bad-fg);">
            <div style="font-size: 1.2rem; margin-bottom: 8px;">⚠️ Error</div>
-            <div>${result.error}</div>
+            <div>${escapeHtml(result.error)}</div>
          </div>`;
        return;
      }
@@ -429,7 +429,7 @@
    } catch (error) {
      logsContent.innerHTML = `
        <div style="padding: 20px; text-align: center; color: var(--bad-fg);">
-          Failed to fetch logs: ${error.message}
+          Failed to fetch logs: ${escapeHtml(error.message)}
        </div>`;
    }
  }
@@ -544,7 +544,7 @@
        logsContent.innerHTML = `
          <div style="padding: 20px; text-align: center; color: var(--bad-fg);">
            <div style="font-size: 1.2rem; margin-bottom: 8px;">⚠️ Error</div>
-            <div>${result.error}</div>
+            <div>${escapeHtml(result.error)}</div>
          </div>`;
        return;
      }
@@ -569,7 +569,7 @@
    } catch (error) {
      logsContent.innerHTML = `
        <div style="padding: 20px; text-align: center; color: var(--bad-fg);">
-          Failed to fetch logs: ${error.message}
+          Failed to fetch logs: ${escapeHtml(error.message)}
        </div>`;
    }
  }