fix: escape ticket_id text content in dynamic events table

ticket_id was already escaped in the href attribute but the visible text (#<id>) used the raw value in an innerHTML template literal. Apply lt.escHtml() for defense-in-depth against a compromised ticket API. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix: add aria-required to s-reason field in suppressions form
2026-05-11 23:02:09 -04:00 · 2026-05-11 15:11:05 -04:00
2 changed files with 2 additions and 2 deletions
@@ -220,7 +220,7 @@ function updateEventsTable(events, totalActive) {
      ? GANDALF_CONFIG.ticket_web_url : 'http://t.lotusguild.org/ticket/';
    const ticket = e.ticket_id
      ? `<a href="${lt.escHtml(ticketBase)}${lt.escHtml(String(e.ticket_id))}" target="_blank"
-            class="ticket-link">#${e.ticket_id}</a>`
+            class="ticket-link">#${lt.escHtml(String(e.ticket_id))}</a>`
      : '–';
    const supBadge = e.is_suppressed
      ? `<span class="lt-badge badge-suppressed" title="Alert suppressed">🔕 sup</span>`
@@ -51,7 +51,7 @@
            <label class="lt-label" for="s-reason">Reason <span class="required">*</span></label>
            <input type="text" class="lt-input" id="s-reason" name="reason"
                   placeholder="e.g. Planned switch maintenance, replacing SFP on large1/enp43s0"
-                   required>
+                   required aria-required="true">
          </div>
        </div>
Author	SHA1	Message	Date
jared	d4f159ee7c	fix: escape ticket_id text content in dynamic events table Lint / Python (flake8) (push) Successful in 44s Details Lint / JS (eslint) (push) Successful in 8s Details Security / Python Security (bandit) (push) Successful in 42s Details Test / Python Tests (pytest) (push) Successful in 1m7s Details Lint / Notify on failure (push) Has been skipped Details Lint / Deploy (push) Successful in 3s Details ticket_id was already escaped in the href attribute but the visible text (#<id>) used the raw value in an innerHTML template literal. Apply lt.escHtml() for defense-in-depth against a compromised ticket API. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-11 23:02:09 -04:00
jared	61019418d3	fix: add aria-required to s-reason field in suppressions form Lint / Python (flake8) (push) Successful in 40s Details Lint / JS (eslint) (push) Successful in 7s Details Security / Python Security (bandit) (push) Successful in 57s Details Test / Python Tests (pytest) (push) Successful in 1m27s Details Lint / Notify on failure (push) Has been skipped Details Lint / Deploy (push) Successful in 6s Details The reason input had `required` for browser validation but was missing `aria-required="true"`, so screen readers did not announce it as required. Matches the fix already applied to the equivalent field in base.html. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-11 15:11:05 -04:00