From 857576dbe4e7e1536b594cc64331161618d99dfc Mon Sep 17 00:00:00 2001
From: heaprc <9023404+0xh3xa@users.noreply.github.com>
Date: Sat, 5 Apr 2025 00:18:54 +0200
Subject: [PATCH 1/2] fix(RecipeWaiter): sanitize user input in addOperation to
 prevent XSS

---
 package-lock.json                | 24 +++++++++++++++++-------
 package.json                     |  1 +
 src/web/waiters/RecipeWaiter.mjs |  5 ++++-
 3 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index e731efff..ef2da3f0 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -37,6 +37,7 @@
         "d3": "7.9.0",
         "d3-hexbin": "^0.2.2",
         "diff": "^5.2.0",
+        "dompurify": "^3.2.5",
         "es6-promisify": "^7.0.0",
         "escodegen": "^2.1.0",
         "esprima": "^4.0.1",
@@ -50,7 +51,6 @@
         "jimp": "^0.22.12",
         "jq-web": "^0.5.1",
         "jquery": "3.7.1",
-        "js-crc": "^0.2.0",
         "js-sha3": "^0.9.3",
         "jsesc": "^3.0.2",
         "json5": "^2.2.3",
@@ -4365,6 +4365,13 @@
         "@types/node": "*"
       }
     },
+    "node_modules/@types/trusted-types": {
+      "version": "2.0.7",
+      "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
+      "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
+      "license": "MIT",
+      "optional": true
+    },
     "node_modules/@types/ws": {
       "version": "8.5.13",
       "resolved": "https://registry.npmjs.org/@types/ws/-/ws-8.5.13.tgz",
@@ -8411,6 +8418,15 @@
         "url": "https://github.com/fb55/domhandler?sponsor=1"
       }
     },
+    "node_modules/dompurify": {
+      "version": "3.2.5",
+      "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.2.5.tgz",
+      "integrity": "sha512-mLPd29uoRe9HpvwP2TxClGQBzGXeEC/we/q+bFlmPPmj2p2Ugl3r6ATu/UU1v77DXNcehiBg9zsr1dREyA/dJQ==",
+      "license": "(MPL-2.0 OR Apache-2.0)",
+      "optionalDependencies": {
+        "@types/trusted-types": "^2.0.7"
+      }
+    },
     "node_modules/domutils": {
       "version": "2.8.0",
       "resolved": "https://registry.npmjs.org/domutils/-/domutils-2.8.0.tgz",
@@ -12303,12 +12319,6 @@
       "integrity": "sha512-m4avr8yL8kmFN8psrbFFFmB/If14iN5o9nw/NgnnM+kybDJpRsAynV2BsfpTYrTRysYUdADVD7CkUUizgkpLfg==",
       "license": "MIT"
     },
-    "node_modules/js-crc": {
-      "version": "0.2.0",
-      "resolved": "https://registry.npmjs.org/js-crc/-/js-crc-0.2.0.tgz",
-      "integrity": "sha512-8DdCSAOACpF8WDAjyDFBC2rj8OS4HUP9mNZBDfl8jCiPCnJG+2bkuycalxwZh6heFy6PrMvoWTp47lp6gzT65A==",
-      "license": "MIT"
-    },
     "node_modules/js-sha3": {
       "version": "0.9.3",
       "resolved": "https://registry.npmjs.org/js-sha3/-/js-sha3-0.9.3.tgz",
diff --git a/package.json b/package.json
index 337e8679..b3492a8e 100644
--- a/package.json
+++ b/package.json
@@ -123,6 +123,7 @@
     "d3": "7.9.0",
     "d3-hexbin": "^0.2.2",
     "diff": "^5.2.0",
+    "dompurify": "^3.2.5",
     "es6-promisify": "^7.0.0",
     "escodegen": "^2.1.0",
     "esprima": "^4.0.1",
diff --git a/src/web/waiters/RecipeWaiter.mjs b/src/web/waiters/RecipeWaiter.mjs
index 3f5aa302..35389184 100755
--- a/src/web/waiters/RecipeWaiter.mjs
+++ b/src/web/waiters/RecipeWaiter.mjs
@@ -8,6 +8,7 @@ import HTMLOperation from "../HTMLOperation.mjs";
 import Sortable from "sortablejs";
 import Utils from "../../core/Utils.mjs";
 import {escapeControlChars} from "../utils/editorUtils.mjs";
+import DOMPurify from 'dompurify';
 
 
 /**
@@ -435,7 +436,9 @@ class RecipeWaiter {
         const item = document.createElement("li");
 
         item.classList.add("operation");
-        item.innerHTML = name;
+        const clean = DOMPurify.sanitize(name);
+        item.innerHTML = clean;
+
         this.buildRecipeOperation(item);
         document.getElementById("rec-list").appendChild(item);
 

From c83e1ac4fb7fe2d68bbf892c08c0790de8685d1f Mon Sep 17 00:00:00 2001
From: heaprc <9023404+0xh3xa@users.noreply.github.com>
Date: Sat, 5 Apr 2025 00:42:37 +0200
Subject: [PATCH 2/2] Fix(RecipeWaiter): eslint format error

---
 src/web/waiters/RecipeWaiter.mjs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/web/waiters/RecipeWaiter.mjs b/src/web/waiters/RecipeWaiter.mjs
index 35389184..93ca1182 100755
--- a/src/web/waiters/RecipeWaiter.mjs
+++ b/src/web/waiters/RecipeWaiter.mjs
@@ -8,7 +8,7 @@ import HTMLOperation from "../HTMLOperation.mjs";
 import Sortable from "sortablejs";
 import Utils from "../../core/Utils.mjs";
 import {escapeControlChars} from "../utils/editorUtils.mjs";
-import DOMPurify from 'dompurify';
+import DOMPurify from "dompurify";
 
 
 /**