From d4f159ee7c8b4ab24cce3a91becdcec4627abfee Mon Sep 17 00:00:00 2001
From: Jared Vititoe
Date: Mon, 11 May 2026 23:02:09 -0400
Subject: [PATCH] fix: escape ticket_id text content in dynamic events table

ticket_id was already escaped in the href attribute but the visible text (#) used the raw value in an innerHTML template literal. Apply lt.escHtml() for defense-in-depth against a compromised ticket API.

Co-Authored-By: Claude Sonnet 4.6
---
 static/app.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/static/app.js b/static/app.js
index 2697fbf..998db04 100644
--- a/static/app.js
+++ b/static/app.js
@@ -220,7 +220,7 @@ function updateEventsTable(events, totalActive) {
 ? GANDALF_CONFIG.ticket_web_url
 : 'http://t.lotusguild.org/ticket/';
 const ticket = e.ticket_id ? `#${e.ticket_id}`
+ class="ticket-link">#${lt.escHtml(String(e.ticket_id))}`
 : '–';
 const supBadge = e.is_suppressed ? `🔕 sup`
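Review bot: The href half of the same template literal still needs attention: the commit message says ticket_id goes through lt.escHtml() there, but HTML-escaping an attribute value does not neutralise URL-significant characters (`/`, `?`, `#`, `..`) in a path segment, so an unexpected id from the ticket API could still point the link somewhere else on the ticket host; the href line is not visible in this hunk (the markup was stripped in this rendering), so this is inferred from the description. For a path component the right treatment is `encodeURIComponent(String(e.ticket_id))`, with escHtml kept for the attribute context. Because the whole row is assembled for innerHTML, building the anchor with `document.createElement('a')` and setting `a.textContent` and `a.href` would remove the need for per-field escaping altogether. updateEventsTable begins outside the hunk.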