From 2e14223dd4f2e4ab58baa10cfea27bed497a0afe Mon Sep 17 00:00:00 2001
From: Frederico Castro
Date: Sat, 28 Feb 2026 12:22:19 -0300
Subject: [PATCH] Corrigir 5 vulnerabilidades XSS no frontend
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Sanitizar valores dinâmicos com escapeHtml em pontos que estavam sem proteção: tags no modal de agente, campo model no card, mensagens de toast, prompt do modal e expressão cron nos agendamentos.
---
 public/js/components/agents.js | 4 ++--
 public/js/components/modal.js | 2 +-
 public/js/components/schedules.js | 2 +-
 public/js/components/toast.js | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/public/js/components/agents.js b/public/js/components/agents.js
index b2f75dc..f03b424 100644
--- a/public/js/components/agents.js
+++ b/public/js/components/agents.js
@@ -119,7 +119,7 @@ const AgentsUI = {
- ${model}
+ ${Utils.escapeHtml(model)}
@@ -241,7 +241,7 @@ const AgentsUI = {
 const tagsChips = document.getElementById('agent-tags-chips');
 if (tagsChips) {
 tagsChips.innerHTML = tags.map((t) =>
- `${t}`
+ `${Utils.escapeHtml(t)}`
 ).join('');
 }
diff --git a/public/js/components/modal.js b/public/js/components/modal.js
index 3200ccb..499cd50 100644
--- a/public/js/components/modal.js
+++ b/public/js/components/modal.js
@@ -69,7 +69,7 @@ const Modal = {
 const inputEl = document.getElementById('prompt-modal-input');
 if (titleEl) titleEl.textContent = title;
- if (messageEl) messageEl.innerHTML = message;
+ if (messageEl) messageEl.textContent = message;
 if (inputEl) inputEl.value = defaultValue;
 Modal.open('prompt-modal-overlay');
diff --git a/public/js/components/schedules.js b/public/js/components/schedules.js
index b3208df..ab96327 100644
--- a/public/js/components/schedules.js
+++ b/public/js/components/schedules.js
@@ -47,7 +47,7 @@ const SchedulesUI = {
 ${Utils.escapeHtml(schedule.agentName || '—')} ${Utils.escapeHtml(schedule.taskDescription || '—')}
- ${cronExpr}
+ ${Utils.escapeHtml(cronExpr)}
 ${nextRun} ${statusLabel}
diff --git a/public/js/components/toast.js b/public/js/components/toast.js
index d3b5b84..7e0129f 100644
--- a/public/js/components/toast.js
+++ b/public/js/components/toast.js
@@ -24,7 +24,7 @@ const Toast = {
 toast.innerHTML = `
- ${message}
+ ${Utils.escapeHtml(message)}
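Review bot: Every one of these fixes stands or falls on `Utils.escapeHtml`, whose implementation is not part of this patch, and the surrounding markup of each interpolation has been lost in this copy of the diff, so it is not visible whether `${model}` here lands in element text or inside a quoted attribute. For the same call to be safe in both positions the helper has to replace `&`, `<`, `>`, `"` and `'`; if it only handles the first three, any of these interpolations that sits in an attribute is still injectable. The same dependency applies to the tag chips in the next hunk, `cronExpr` in schedules.js and `message` in toast.js, so it is worth a unit test on the helper and a one-line doc comment such as `// escapes &, <, >, " and ' so the result is safe in text and attribute context` on its definition. The template containing this line, and the `AgentsUI` object, start and end outside the hunk.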
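Review bot: The tag chips are still assembled as an HTML string and assigned to `innerHTML`, so correctness depends on the escaping helper rather than on the DOM; building each chip as a node and setting `textContent` removes that dependency entirely, and `replaceChildren` keeps the one-shot replacement semantics of the current assignment. The chip element's markup was stripped from this copy of the diff, so the element name below is a placeholder to be replaced with whatever the removed template rendered. Where `tags` comes from is outside the hunk; `tags.map` is already relied on, so an array is assumed here too.
```javascript
const tagsChips = document.getElementById('agent-tags-chips');
if (tagsChips) {
  // Build chips as DOM nodes so tag text never passes through the HTML parser.
  tagsChips.replaceChildren(...tags.map((t) => {
    const chip = document.createElement('span'); // PLACEHOLDER: use the chip element the original template rendered
    chip.textContent = t;
    return chip;
  }));
}
```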
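Review bot: Switching `messageEl` from `innerHTML` to `textContent` is the right sink, but it also changes the contract for any caller that deliberately passed markup in `message` (line breaks, emphasis), which would now render literally; the call sites are not in this hunk, so that should be checked before merging. Since `title` already used `textContent`, the two are now consistent, and the new contract is worth recording on the function's JSDoc, e.g. `@param {string} message - shown as plain text; HTML is not interpreted`. The enclosing prompt function starts and ends outside the hunk.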
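Review bot: `${nextRun}` and `${statusLabel}` in the same template are left unescaped while only `cronExpr` is changed, so if either of them is derived from server-supplied strings (for example a status value echoed back from the schedule record) rather than from a fixed label map or a date formatter, they are the same class of sink as the line being fixed. Both variables are computed outside the hunk, so this cannot be confirmed from the diff; if they are not guaranteed to be constant, the consistent change is `${Utils.escapeHtml(nextRun)}` and `${Utils.escapeHtml(statusLabel)}`, matching the neighbouring `agentName` and `taskDescription` cells. The row template and the `SchedulesUI` object continue outside the hunk.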