From 280fc9dff27b1b60ba2aff63929fee8c5a019d09 Mon Sep 17 00:00:00 2001
From: ZGaetano <zgaetano@wilddragon.net>
Date: Tue, 19 May 2026 00:30:54 -0400
Subject: [PATCH] fix: XSS in renderTags and stale api.js version in
 player.html
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Tag values were inserted into innerHTML unsanitized — a tag containing
HTML would execute as markup. Switch to DOM-only construction for the
tag badges. Also bump api.js cache-buster to v=6.
---
 services/web-ui/public/player.html | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/services/web-ui/public/player.html b/services/web-ui/public/player.html
index 6cba698..31f1eed 100644
--- a/services/web-ui/public/player.html
+++ b/services/web-ui/public/player.html
@@ -304,7 +304,7 @@
         </footer>
     </div>
 
-    <script src="/js/api.js?v=5"></script>
+    <script src="/js/api.js?v=6"></script>
 <script src="/js/topbar-strip.js?v=1"></script>
     <script>
         // ============================================================
@@ -407,10 +407,17 @@
             playerState.tags.forEach((tag, index) => {
                 const badge = document.createElement('div');
                 badge.className = 'tag-badge';
-                badge.innerHTML = `
-                    <span>${tag}</span>
-                    <span class="tag-remove" onclick="removeTag(${index})">×</span>
-                `;
+
+                const tagSpan = document.createElement('span');
+                tagSpan.textContent = tag;
+
+                const removeSpan = document.createElement('span');
+                removeSpan.className = 'tag-remove';
+                removeSpan.textContent = '×';
+                removeSpan.onclick = () => removeTag(index);
+
+                badge.appendChild(tagSpan);
+                badge.appendChild(removeSpan);
                 container.appendChild(badge);
             });
         }