From 2bb731c7fc80860ead1efe48dc83f0c7e952c872 Mon Sep 17 00:00:00 2001
From: ZGaetano
Date: Tue, 19 May 2026 00:11:06 -0400
Subject: [PATCH] fix(users): prevent JS injection in delete onclick handlers for users/groups

confirmDeleteUser and confirmDeleteGroup were building onclick handlers like onclick="confirmDeleteUser('id','NAME')" using esc(), which doesn't escape single quotes. Usernames or group names containing ' would break the JS string; a crafted value like `'; alert(1)//` is stored XSS.

Fix: use JSON.stringify(value) to produce a properly-escaped double-quoted JS string literal, then esc() to HTML-encode the surrounding quotes for safe embedding in the HTML attribute. Same technique now used in both renderUsers() and renderGroups().
---
 services/web-ui/public/users.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/services/web-ui/public/users.html b/services/web-ui/public/users.html
index 000d0ab..aad53c9 100644
--- a/services/web-ui/public/users.html
+++ b/services/web-ui/public/users.html
@@ -320,7 +320,7 @@
- +
`).join(''); @@ -427,7 +427,7 @@
- +
`).join(''); @@ -572,4 +572,4 @@ - \ No newline at end of file +
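Review bot: for the renderUsers() hunk (@@ -320), the whole fix rests on esc() encoding the double quote that JSON.stringify wraps around the value; the diff does not show esc(), so confirm it maps `"` to `&quot;` (and not only `&`, `<`, `>`), otherwise the new double-quoted JS literal terminates the onclick attribute at the first `"` in the name and the attribute-breakout is as bad as the old `'` one. A regression test that renders a user named with `'`, `"`, `\` and `</` and asserts the handler receives the name unchanged would pin this down.

Review bot: the renderGroups() hunk (@@ -427) repeats the same `esc(JSON.stringify(...))` expression verbatim; suggest a small helper (e.g. a jsArg(value) that returns esc(JSON.stringify(value))) so the two call sites cannot drift apart the way they did before. Longer term, emitting `data-id`/`data-name` attributes and attaching one delegated click listener from script removes the need to encode a JS string inside an HTML attribute at all, and also keeps the page working under a CSP that disallows inline event handlers.

Review bot: the @@ -572 hunk only adds the missing newline at end of file (`\ No newline at end of file` / `+`); harmless, but it is unrelated to the injection fix and is not mentioned in the commit message, so either note it there or drop it from this commit to keep the change minimal.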