From 87f878ee6b2567725bb3014a39c5d5e9a4be7379 Mon Sep 17 00:00:00 2001
From: Jared Vititoe
Date: Sat, 28 Mar 2026 13:42:27 -0400
Subject: [PATCH] Fix XSS: escape user_name and created_at in reply DOM injection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

submitReply() built a replyDiv.innerHTML template literal using data.user_name (API response) without escaping — an attacker-controlled display name could inject arbitrary HTML. Fix: wrap all API-sourced string values in lt.escHtml() within the template.

Co-Authored-By: Claude Sonnet 4.6
---
 assets/js/ticket.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/assets/js/ticket.js b/assets/js/ticket.js
index 4a05c51..6ac03bd 100644
--- a/assets/js/ticket.js
+++ b/assets/js/ticket.js
@@ -1374,10 +1374,10 @@ function submitReply(parentCommentId) {
- ${data.user_name}
- ${data.created_at}
+ ${lt.escHtml(data.user_name)}
+ ${lt.escHtml(data.created_at)}
- ${newDepth < 3 ? `` : ''}
+ ${newDepth < 3 ? `` : ''}
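Review bot: The fix still depends on remembering to wrap each interpolation inside an `innerHTML` template, so any API field that is added to this template later — or one in the hunk's unchanged context lines, which this view does not show — is unescaped by default; building the reply node with `document.createElement` and assigning `data.user_name` and `data.created_at` via `textContent` would make the safe path the default rather than the exception. The second changed pair (the `newDepth < 3 ? `` : ''` line) reads as identical on both sides here, so I cannot tell whether the nested template interpolates a value into an attribute or event handler; if it does, confirm that `lt.escHtml` also escapes `"` and `'`, since body-context escaping alone is not sufficient in attribute context. A regression test that submits a reply whose display name contains literal `<b>` markup and asserts `replyDiv.querySelector('b') === null` would pin the intended behavior. submitReply() starts and ends outside the hunk.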