From 111ac9c7263294a9219cc7f991ae4a530982c2fc Mon Sep 17 00:00:00 2001
From: kolaente
Date: Wed, 25 Feb 2026 11:11:36 +0100
Subject: [PATCH] fix: prevent XSS via innerHTML injection in link edit prompt

Replace innerHTML with DOM API calls in inputPrompt.ts. The oldValue parameter (sourced from a link's href attribute in the TipTap editor) was interpolated directly into an HTML string, allowing stored XSS if an attacker crafted a malicious href. Using document.createElement and setting .value as a property ensures the value is never parsed as HTML.
---
 frontend/src/helpers/inputPrompt.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/frontend/src/helpers/inputPrompt.ts b/frontend/src/helpers/inputPrompt.ts
index b866aa783..1b5697f27 100644
--- a/frontend/src/helpers/inputPrompt.ts
+++ b/frontend/src/helpers/inputPrompt.ts
@@ -18,7 +18,14 @@ export default function inputPrompt(pos: ClientRect, oldValue: string = ''): Pro
 popupElement.style.borderRadius = '4px'
 popupElement.style.padding = '8px'
 popupElement.style.boxShadow = 'var(--shadow-md)'
- popupElement.innerHTML = `
`
+ const wrapperDiv = document.createElement('div')
+ const inputElement = document.createElement('input')
+ inputElement.className = 'input'
+ inputElement.placeholder = 'URL'
+ inputElement.id = id
+ inputElement.value = oldValue
+ wrapperDiv.appendChild(inputElement)
+ popupElement.appendChild(wrapperDiv)
 document.body.appendChild(popupElement)
 
 // Create a local mutable copy of the position for scroll tracking
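Review bot: The new element construction carries no comment saying why it deliberately avoids innerHTML, so a later edit could reintroduce a template string without noticing the security reason; add `// Build the input via DOM properties: oldValue comes from a link href and must never be parsed as HTML` above `const wrapperDiv`. Assigning `.value` as a property is the right fix here, because property assignment never goes through the HTML parser, and the explicit `.id`, `.className` and `.placeholder` assignments keep the previous markup shape. A regression test that calls inputPrompt with an oldValue containing markup and asserts the popup holds exactly one input whose `.value` is the verbatim string would guard this in CI. The resolved value is presumably still written back to an href by code outside this hunk, so validating the URL scheme there is a separate concern this commit does not cover. inputPrompt's enclosing function continues outside the hunk.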