From 36f165807ad6e0f5937a1e5f5e59099ded8a2762 Mon Sep 17 00:00:00 2001
From: ZGaetano <zgaetano@wilddragon.net>
Date: Tue, 19 May 2026 00:46:48 -0400
Subject: [PATCH] fix(topbar-strip): escape pageName() output before innerHTML
 insertion

---
 services/web-ui/public/js/topbar-strip.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/services/web-ui/public/js/topbar-strip.js b/services/web-ui/public/js/topbar-strip.js
index 50dc9cf..d79f58e 100644
--- a/services/web-ui/public/js/topbar-strip.js
+++ b/services/web-ui/public/js/topbar-strip.js
@@ -1,5 +1,9 @@
 // Operator status strip mounted at the top of every .main pane.
 (function () {
+  function esc(s) {
+    if (!s) return '';
+    return String(s).replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;');
+  }
   function mount() {
     const main = document.querySelector('.main');
     if (!main || main.querySelector('.topbar-strip')) return;
@@ -11,7 +15,7 @@
       '<span class="ts-now" id="tsNow">00:00:00</span>' +
       '<span class="ts-sep"></span>' +
       '<span class="ts-label">Page</span>' +
-      '<span class="ts-value" id="tsPage">' + pageName() + '</span>' +
+      '<span class="ts-value" id="tsPage">' + esc(pageName()) + '</span>' +
       '<span class="ts-sep"></span>' +
       '<span class="ts-label">API</span>' +
       '<span class="ts-value" id="tsApi">--</span>';