From 9f7cb91cc25dd4ef31377aff14ea2aaa0fa5c9f0 Mon Sep 17 00:00:00 2001 From: ZGaetano Date: Tue, 19 May 2026 00:27:31 -0400 Subject: [PATCH] fix: prevent JS injection via token name in confirmRevoke onclick Token names containing single quotes (e.g. "O'Brien's key") broke the onclick attribute string by closing the JS string literal early. Apply JSON.stringify+esc pattern so name is safely embedded as a JSON string literal instead of a raw single-quoted string. --- services/web-ui/public/api-tokens.html | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/services/web-ui/public/api-tokens.html b/services/web-ui/public/api-tokens.html index 5c2e6dc..a2db18c 100644 --- a/services/web-ui/public/api-tokens.html +++ b/services/web-ui/public/api-tokens.html @@ -226,7 +226,7 @@
- + - \ No newline at end of file +
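Review bot: In the confirmRevoke onclick attribute changed near line 226 of api-tokens.html, the token name is still embedded in an inline event handler, so the fix holds only if both encodings are applied in the right order: JSON.stringify for the JavaScript string context first, then esc for the HTML attribute context. JSON.stringify emits a double-quoted literal, so if the onclick attribute is itself double-quoted, esc has to encode both " and &, or the attribute will break on the new quote character the same way it broke on the single quote. Please confirm what esc encodes and add a regression case with a name containing both quote types plus < and &. A sturdier change is to put the name in a data- attribute and bind the click handler with addEventListener, reading the value from dataset, so the name is never parsed as code. Separately, the diffstat counts three replaced lines, including the last line of the file (the old one had no trailing newline), while the commit message describes only the confirmRevoke change; a sentence covering the other lines would make the patch easier to audit.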