From e2c23d0405c0bce486d48fadb89f871091de6cf0 Mon Sep 17 00:00:00 2001
From: Jared Vititoe <jjvititoe1@gmail.com>
Date: Sat, 28 Mar 2026 13:38:30 -0400
Subject: [PATCH] Fix XSS: escape userName in reply form insertAdjacentHTML
 template
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

showReplyForm() read userName from data-user attribute (decoded by
the browser from HTML entities) and injected it unsanitized into
insertAdjacentHTML() — any HTML special chars would be parsed as markup.
Fix: wrap with lt.escHtml() before interpolation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 assets/js/ticket.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/assets/js/ticket.js b/assets/js/ticket.js
index 41f61ec..4a05c51 100644
--- a/assets/js/ticket.js
+++ b/assets/js/ticket.js
@@ -1269,7 +1269,7 @@ function showReplyForm(commentId, userName) {
     const replyFormHtml = `
         <div class="reply-form-container" data-parent-id="${commentId}">
             <div class="reply-header">
-                <span>Replying to <span class="replying-to">@${userName}</span></span>
+                <span>Replying to <span class="replying-to">@${lt.escHtml(userName)}</span></span>
                 <button type="button" class="close-reply-btn" data-action="close-reply">CANCEL</button>
             </div>
             <textarea id="replyText" placeholder="Write your reply..."></textarea>