From fa3cc49b2752d1da2987993ed7056424989c4d6b Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 25 Jun 2026 12:34:36 +0000 Subject: [PATCH 1/2] Fix DOM-based XSS on home page pool table Channel/zone/valve names are copied verbatim from bus payloads and were injected into the home page via innerHTML, allowing script execution in the viewer's browser if a name contained HTML. Build the table cells with textContent instead so bus-derived strings are never parsed as markup. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01AkBZ1XBd8VUSDgN7JYAzhq --- main/web_handlers.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/main/web_handlers.c b/main/web_handlers.c index ed387d6..9ad3af9 100644 --- a/main/web_handlers.c +++ b/main/web_handlers.c @@ -287,7 +287,9 @@ static esp_err_t home_get_handler(httpd_req_t *req) "const tb=document.getElementById('pool-body');" "rows.forEach(([k,v])=>{" "const tr=document.createElement('tr');" - "tr.innerHTML=''+k+''+v+'';" + "const th=document.createElement('th');th.textContent=k;" + "const td=document.createElement('td');td.textContent=v;" + "tr.appendChild(th);tr.appendChild(td);" "tb.appendChild(tr);});" "document.getElementById('pool-loading').hidden=true;" "document.getElementById('pool-table').removeAttribute('hidden');" From b3b0a6fda0c220f3b39b15be76602a98bc91bd5b Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 25 Jun 2026 12:36:53 +0000 Subject: [PATCH 2/2] Add changelog entry for home page XSS fix Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01AkBZ1XBd8VUSDgN7JYAzhq --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 974f3f3..91cf6eb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -33,6 +33,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Fixed ### Deprecated ### Security +- Fixed a DOM-based XSS on the home page: channel/zone/valve names read from the bus were injected into the pool status table via `innerHTML`. They are now set with `textContent` so bus-derived strings can never be parsed as HTML/script. ## [1.6.0] - 2026-06-16 ### Changed
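Review bot: on the `main/web_handlers.c` hunk, replacing `tr.innerHTML=''+k+''+v+'';` with `th.textContent=k` / `td.textContent=v` correctly removes this markup sink, but the hunk only covers the `rows.forEach` loop in `home_get_handler`; before merging, check the rest of `main/web_handlers.c` (and any other handler that renders channel/zone/valve names) for remaining `innerHTML`, `outerHTML`, `insertAdjacentHTML` or `document.write` uses so the same bus-derived strings cannot reach the DOM as markup elsewhere. Note also that `textContent` only protects element text: it coerces a numeric `v` to a string harmlessly, but if `k` or `v` are later placed into an attribute or a URL, a separate encoder is needed. A `Content-Security-Policy` header on the home page response would be worthwhile defence in depth against any sink this patch does not cover.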