fix(cep): sanitize imported panel preferences

Validate imported local panel settings before writing localStorage, preserve the shipped-locale i18n baseline, and surface storage failures with a warning toast.

Author: SysAdminDoc

CHANGELOG.md

@@ -10,6 +10,9 @@ record also lives in the git commit messages.
 - Settings no longer exposes non-English UI language choices before matching
   locale files ship, preventing a selection that cannot persistently localize
   the panel.
+- Settings import now sanitizes local panel preferences before writing
+  `localStorage`, ignoring unknown keys and unsupported preference values while
+  surfacing storage failures as a warning toast.
 
 ### Changed — audio privacy
 

extension/com.opencut.panel/client/locales/en.json

@@ -836,16 +836,7 @@
   "language.swedish": "Swedish",
   "language.thai": "Thai",
   "language.turkish": "Turkish",
-  "language.ui_chinese": "中文",
   "language.ui_english": "English",
-  "language.ui_french": "Français",
-  "language.ui_german": "Deutsch",
-  "language.ui_italian": "Italiano",
-  "language.ui_japanese": "日本語",
-  "language.ui_korean": "한국어",
-  "language.ui_portuguese": "Português",
-  "language.ui_russian": "Русский",
-  "language.ui_spanish": "Español",
   "language.vietnamese": "Vietnamese",
   "issue.report_title": "OpenCut issue report from panel",
   "interview.batch_button": "Batch {current}/{total}…",
@@ -1311,6 +1302,7 @@
   "settings.import_preset_file": "Import Preset",
   "settings.import_failed": "Couldn't import settings",
   "settings.import_invalid_file": "This file doesn't contain valid OpenCut settings",
+  "settings.import_local_failed": "Settings imported, but local panel preferences could not be saved.",
   "settings.import_settings": "Import Settings",
   "settings.import_settings_file_aria": "Import settings file",
   "settings.imported": "Settings imported: {items}",

extension/com.opencut.panel/client/main.js

@@ -8073,14 +8073,16 @@
         try { _recomputeEffectiveOutputDir(); } catch (e) {}
     }
 
-    function loadLocalSettings() {
-        try {
-            var saved = localStorage.getItem(LOCAL_SETTINGS_KEY);
-            if (saved) {
-                var settings = JSON.parse(saved);
-                if (settings.autoImport !== undefined && el.settingsAutoImport) el.settingsAutoImport.checked = settings.autoImport;
-                if (settings.autoOpen !== undefined && el.settingsAutoOpen) el.settingsAutoOpen.checked = settings.autoOpen;
-                if (settings.showNotifications !== undefined && el.settingsShowNotifications) el.settingsShowNotifications.checked = settings.showNotifications;
+    function loadLocalSettings() {
+        try {
+            var saved = localStorage.getItem(LOCAL_SETTINGS_KEY);
+            if (saved) {
+                var settings = PanelUtils.normalizeLocalSettings
+                    ? PanelUtils.normalizeLocalSettings(JSON.parse(saved))
+                    : JSON.parse(saved);
+                if (settings.autoImport !== undefined && el.settingsAutoImport) el.settingsAutoImport.checked = settings.autoImport;
+                if (settings.autoOpen !== undefined && el.settingsAutoOpen) el.settingsAutoOpen.checked = settings.autoOpen;
+                if (settings.showNotifications !== undefined && el.settingsShowNotifications) el.settingsShowNotifications.checked = settings.showNotifications;
                 if (settings.outputDir && el.settingsOutputDir) el.settingsOutputDir.value = settings.outputDir;
                 if (settings.defaultModel && el.settingsDefaultModel) el.settingsDefaultModel.value = settings.defaultModel;
                 if (settings.theme && el.settingsTheme) {
@@ -11959,16 +11961,23 @@
                 if (!file) return;
                 var reader = new FileReader();
                 reader.onload = function (e) {
-                    try {
-                        var data = JSON.parse(e.target.result);
-                        api("POST", "/settings/import", data, function (err, result) {
-                            if (err) { showToast(t("settings.import_failed", "Couldn't import settings"), "error"); return; }
-                            if (data.localStorage) {
-                                localStorage.setItem("opencut_settings", JSON.stringify(data.localStorage));
-                                loadLocalSettings();
-                            }
-                            showToast(t("settings.imported", "Settings imported: {items}").replace("{items}", (result.imported || []).join(", ")), "success");
-                            if (typeof initPresets === "function") initPresets();
+                    try {
+                        var data = JSON.parse(e.target.result);
+                        api("POST", "/settings/import", data, function (err, result) {
+                            if (err) { showToast(t("settings.import_failed", "Couldn't import settings"), "error"); return; }
+                            if (data.localStorage) {
+                                try {
+                                    var localSettings = PanelUtils.normalizeLocalSettings
+                                        ? PanelUtils.normalizeLocalSettings(data.localStorage)
+                                        : data.localStorage;
+                                    localStorage.setItem(LOCAL_SETTINGS_KEY, JSON.stringify(localSettings));
+                                    loadLocalSettings();
+                                } catch (storageError) {
+                                    showToast(t("settings.import_local_failed", "Settings imported, but local panel preferences could not be saved."), "warning");
+                                }
+                            }
+                            showToast(t("settings.imported", "Settings imported: {items}").replace("{items}", (result.imported || []).join(", ")), "success");
+                            if (typeof initPresets === "function") initPresets();
                         });
                     } catch (ex) {
                         showToast(t("settings.import_invalid_file", "This file doesn't contain valid OpenCut settings"), "error");

extension/com.opencut.panel/client/panel-utils.js

@@ -52,6 +52,35 @@
         });
     }
 
+    function _copyBooleanSetting(source, target, key) {
+        if (typeof source[key] === "boolean") target[key] = source[key];
+    }
+
+    function _copyEnumSetting(source, target, key, allowed) {
+        if (typeof source[key] !== "string") return;
+        if (allowed.indexOf(source[key]) === -1) return;
+        target[key] = source[key];
+    }
+
+    function normalizeLocalSettings(value) {
+        var source = value && typeof value === "object" && !Array.isArray(value) ? value : {};
+        var settings = {};
+        _copyBooleanSetting(source, settings, "autoImport");
+        _copyBooleanSetting(source, settings, "autoOpen");
+        _copyBooleanSetting(source, settings, "showNotifications");
+        _copyEnumSetting(source, settings, "outputDir", ["source", "project", "custom"]);
+        _copyEnumSetting(source, settings, "theme", ["auto", "dark", "light"]);
+        _copyEnumSetting(source, settings, "lang", ["en"]);
+        _copyEnumSetting(source, settings, "defaultModel", [
+            "tiny", "tiny.en", "base", "base.en", "small", "small.en",
+            "medium", "medium.en", "large", "large-v1", "large-v2",
+            "large-v3", "turbo", "large-v3-turbo", "distil-large-v2",
+            "distil-large-v3", "distil-large-v3.5", "distil-medium.en",
+            "distil-small.en",
+        ]);
+        return settings;
+    }
+
     function getCommandPaletteItemKey(item) {
         if (!item) return "";
         return [item.name || "", item.tab || "", item.sub || ""].join("::");
@@ -279,6 +308,7 @@
         escapeJsxDoubleQuotedString: escapeJsxDoubleQuotedString,
         createLazyDomProxy: createLazyDomProxy,
         normalizePaletteText: normalizePaletteText,
+        normalizeLocalSettings: normalizeLocalSettings,
         formatPaletteLabel: formatPaletteLabel,
         getCommandPaletteItemKey: getCommandPaletteItemKey,
         scoreCommandPaletteItem: function (item, options) {

extension/com.opencut.panel/tests/panel-utils.test.mjs

@@ -72,6 +72,44 @@ describe("CEP lazy DOM proxy", () => {
   });
 });
 
+describe("CEP local settings normalization", () => {
+  it("keeps only supported local panel preference keys and values", () => {
+    expect(utils.normalizeLocalSettings({
+      autoImport: true,
+      autoOpen: false,
+      showNotifications: true,
+      outputDir: "project",
+      defaultModel: "large-v3",
+      lang: "en",
+      theme: "light",
+      unexpected: "<script>",
+      nested: { value: "custom" },
+    })).toEqual({
+      autoImport: true,
+      autoOpen: false,
+      showNotifications: true,
+      outputDir: "project",
+      defaultModel: "large-v3",
+      lang: "en",
+      theme: "light",
+    });
+  });
+
+  it("drops malformed or unsupported imported panel preference values", () => {
+    expect(utils.normalizeLocalSettings({
+      autoImport: "yes",
+      autoOpen: 1,
+      showNotifications: null,
+      outputDir: "C:/Users/me",
+      defaultModel: "malicious",
+      lang: "es",
+      theme: "solarized",
+    })).toEqual({});
+    expect(utils.normalizeLocalSettings(null)).toEqual({});
+    expect(utils.normalizeLocalSettings([])).toEqual({});
+  });
+});
+
 describe("CEP command palette indexer", () => {
   it("builds deduplicated browse sections from recent, favorite, and current commands", () => {
     const sections = utils.buildCommandPaletteSections(paletteOptions({