From de23f8cc1e0b56b289b81d99a3e98a9d68d5e2a5 Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Wed, 22 Apr 2026 14:33:01 -0700
Subject: [PATCH 01/12] fix(deps): add stevebauman/purify for HTML sanitization

Adds HTMLPurifier via the stevebauman/purify Laravel wrapper to
sanitize user-supplied HTML content before storage, preventing
stored XSS attacks through rich-text fields.
---
 composer.json |   3 +-
 composer.lock | 131 +++++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 131 insertions(+), 3 deletions(-)

diff --git a/composer.json b/composer.json
index 88c2ac6508..164523713f 100644
--- a/composer.json
+++ b/composer.json
@@ -44,9 +44,10 @@
         "sentry/sentry-laravel": "^4.13",
         "soundasleep/html2text": "^1.1",
         "spatie/calendar-links": "^1.6",
-        "spatie/laravel-validation-rules": "^3.4",
         "spatie/laravel-html": "^3.12.0",
+        "spatie/laravel-validation-rules": "^3.4",
         "spinen/laravel-discourse-sso": "dev-l12-compatibility",
+        "stevebauman/purify": "^6.3",
         "symfony/http-client": "^7.2",
         "symfony/http-foundation": "^7.2",
         "symfony/mailgun-mailer": "^7.2",
diff --git a/composer.lock b/composer.lock
index 0be2dcd596..dffeae7e4c 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "a79d8dc54c6b1514c5b254e265806d8f",
+    "content-hash": "3c3716ad51a3bef71683f8aa7d634fe5",
     "packages": [
         {
             "name": "addwiki/mediawiki-api",
@@ -1706,6 +1706,67 @@
             ],
             "time": "2023-06-01T07:04:22+00:00"
         },
+        {
+            "name": "ezyang/htmlpurifier",
+            "version": "v4.19.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/ezyang/htmlpurifier.git",
+                "reference": "b287d2a16aceffbf6e0295559b39662612b77fcf"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/ezyang/htmlpurifier/zipball/b287d2a16aceffbf6e0295559b39662612b77fcf",
+                "reference": "b287d2a16aceffbf6e0295559b39662612b77fcf",
+                "shasum": ""
+            },
+            "require": {
+                "php": "~5.6.0 || ~7.0.0 || ~7.1.0 || ~7.2.0 || ~7.3.0 || ~7.4.0 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0 || ~8.4.0 || ~8.5.0"
+            },
+            "require-dev": {
+                "cerdic/css-tidy": "^1.7 || ^2.0",
+                "simpletest/simpletest": "dev-master"
+            },
+            "suggest": {
+                "cerdic/css-tidy": "If you want to use the filter 'Filter.ExtractStyleBlocks'.",
+                "ext-bcmath": "Used for unit conversion and imagecrash protection",
+                "ext-iconv": "Converts text to and from non-UTF-8 encodings",
+                "ext-tidy": "Used for pretty-printing HTML"
+            },
+            "type": "library",
+            "autoload": {
+                "files": [
+                    "library/HTMLPurifier.composer.php"
+                ],
+                "psr-0": {
+                    "HTMLPurifier": "library/"
+                },
+                "exclude-from-classmap": [
+                    "/library/HTMLPurifier/Language/"
+                ]
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "LGPL-2.1-or-later"
+            ],
+            "authors": [
+                {
+                    "name": "Edward Z. Yang",
+                    "email": "admin@htmlpurifier.org",
+                    "homepage": "http://ezyang.com"
+                }
+            ],
+            "description": "Standards compliant HTML filter written in PHP",
+            "homepage": "http://htmlpurifier.org/",
+            "keywords": [
+                "html"
+            ],
+            "support": {
+                "issues": "https://github.com/ezyang/htmlpurifier/issues",
+                "source": "https://github.com/ezyang/htmlpurifier/tree/v4.19.0"
+            },
+            "time": "2025-10-17T16:34:55+00:00"
+        },
         {
             "name": "filp/whoops",
             "version": "2.18.0",
@@ -7177,6 +7238,72 @@
             },
             "time": "2025-02-17T00:51:48+00:00"
         },
+        {
+            "name": "stevebauman/purify",
+            "version": "v6.3.2",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/stevebauman/purify.git",
+                "reference": "deba4aa55a45a7593c369b52d481c87b545a5bf8"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/stevebauman/purify/zipball/deba4aa55a45a7593c369b52d481c87b545a5bf8",
+                "reference": "deba4aa55a45a7593c369b52d481c87b545a5bf8",
+                "shasum": ""
+            },
+            "require": {
+                "ezyang/htmlpurifier": "^4.17",
+                "illuminate/contracts": "^7.0|^8.0|^9.0|^10.0|^11.0|^12.0|^13.0",
+                "illuminate/support": "^7.0|^8.0|^9.0|^10.0|^11.0|^12.0|^13.0",
+                "php": ">=7.4"
+            },
+            "require-dev": {
+                "orchestra/testbench": "^5.0|^6.0|^7.0|^8.0|^9.0|^10.0|^11.0",
+                "phpunit/phpunit": "^8.0|^9.0|^10.0|^11.5.3|^12.5.12"
+            },
+            "type": "library",
+            "extra": {
+                "laravel": {
+                    "aliases": {
+                        "Purify": "Stevebauman\\Purify\\Facades\\Purify"
+                    },
+                    "providers": [
+                        "Stevebauman\\Purify\\PurifyServiceProvider"
+                    ]
+                }
+            },
+            "autoload": {
+                "psr-4": {
+                    "Stevebauman\\Purify\\": "src/"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Steve Bauman",
+                    "email": "steven_bauman@outlook.com"
+                }
+            ],
+            "description": "An HTML Purifier / Sanitizer for Laravel",
+            "keywords": [
+                "Purifier",
+                "clean",
+                "cleaner",
+                "html",
+                "laravel",
+                "purification",
+                "purify"
+            ],
+            "support": {
+                "issues": "https://github.com/stevebauman/purify/issues",
+                "source": "https://github.com/stevebauman/purify/tree/v6.3.2"
+            },
+            "time": "2026-03-18T16:42:42+00:00"
+        },
         {
             "name": "swagger-api/swagger-ui",
             "version": "v5.21.0",
@@ -13980,5 +14107,5 @@
         "php": "^8.2"
     },
     "platform-dev": {},
-    "plugin-api-version": "2.6.0"
+    "plugin-api-version": "2.9.0"
 }

From e9181e7561ca48979707d80de1b78e25a113416e Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Wed, 22 Apr 2026 14:33:18 -0700
Subject: [PATCH 02/12] fix(xss): sanitize rich-text descriptions on storage

Group and event descriptions (free_text) were stored as raw user
HTML and rendered unescaped, allowing stored XSS. Now sanitized
with HTMLPurifier before storage, stripping dangerous tags like
script and event handlers while preserving safe HTML.
---
 app/Http/Controllers/API/EventController.php | 5 +++--
 app/Http/Controllers/API/GroupController.php | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/app/Http/Controllers/API/EventController.php b/app/Http/Controllers/API/EventController.php
index e3eae326b2..44abede45b 100644
--- a/app/Http/Controllers/API/EventController.php
+++ b/app/Http/Controllers/API/EventController.php
@@ -9,6 +9,7 @@
 use App\Helpers\Fixometer;
 use App\Helpers\FixometerFile;
 use App\Http\Controllers\Controller;
+use Stevebauman\Purify\Facades\Purify;
 use App\Models\Invite;
 use App\Models\Network;
 use App\Notifications\AdminModerationEvent;
@@ -489,7 +490,7 @@ public function createEventv2(Request $request): JsonResponse
             'timezone' => $timezone,
             'event_start_utc' => $event_start_utc,
             'event_end_utc' => $event_end_utc,
-            'free_text' => $description,
+            'free_text' => Purify::clean($description),
             'link' => $link,
             'venue' => $title,
             'location' => $location,
@@ -654,7 +655,7 @@ public function updateEventv2(Request $request, $idEvents): JsonResponse
             'event_start_utc' => $event_start_utc,
             'event_end_utc' => $event_end_utc,
             'hours' => $hours,
-            'free_text' => $description,
+            'free_text' => Purify::clean($description),
             'online' => $online,
             'venue' => $title,
             'link' => $link,
diff --git a/app/Http/Controllers/API/GroupController.php b/app/Http/Controllers/API/GroupController.php
index f42d94ba4b..de30935b2b 100644
--- a/app/Http/Controllers/API/GroupController.php
+++ b/app/Http/Controllers/API/GroupController.php
@@ -10,6 +10,7 @@
 use App\Helpers\Fixometer;
 use App\Helpers\FixometerFile;
 use App\Http\Controllers\Controller;
+use Stevebauman\Purify\Facades\Purify;
 use App\Http\Resources\PartySummaryCollection;
 use App\Http\Resources\TagCollection;
 use App\Http\Resources\VolunteerCollection;
@@ -830,7 +831,7 @@ public function createGroupv2(Request $request): JsonResponse {
             'latitude' => $latitude,
             'longitude' => $longitude,
             'country_code' => $country,
-            'free_text' => $description,
+            'free_text' => Purify::clean($description),
             'shareable_code' => Fixometer::generateUniqueShareableCode(\App\Models\Group::class, 'shareable_code'),
             'timezone' => $timezone,
             'phone' => $phone,
@@ -1005,7 +1006,7 @@ public function updateGroupv2(Request $request, $idGroup): JsonResponse {
             'latitude' => $latitude,
             'longitude' => $longitude,
             'country_code' => $country,
-            'free_text' => $description,
+            'free_text' => Purify::clean($description),
             'timezone' => $timezone,
             'phone' => $phone,
             'network_data' => $network_data,

From c6d0a439b82123f3ab7e6c69493f9df8fc36cd6a Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Wed, 22 Apr 2026 14:33:50 -0700
Subject: [PATCH 03/12] fix(xss): escape user data in flash messages and v-html

User-controlled values (group names, event venues, user names,
network names) were interpolated into HTML translation strings
and rendered unescaped via {!! !!} or v-html. Now all user data
is escaped with e() (PHP) or DOM textContent (JS) before
interpolation into HTML contexts.
---
 app/Http/Controllers/GroupController.php  | 6 +++---
 app/Http/Middleware/AcceptUserInvites.php | 8 ++++----
 resources/js/components/GroupPage.vue     | 5 ++++-
 resources/views/networks/show.blade.php   | 2 +-
 4 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/app/Http/Controllers/GroupController.php b/app/Http/Controllers/GroupController.php
index fe69022718..ca28014d04 100644
--- a/app/Http/Controllers/GroupController.php
+++ b/app/Http/Controllers/GroupController.php
@@ -455,7 +455,7 @@ public function delete($id): RedirectResponse
             $group->delete();
 
             return redirect('/group')->with('success', __('groups.delete_succeeded', [
-                'name' => $name,
+                'name' => e($name),
             ]));
         } else {
             return redirect('/user/forbidden');
@@ -576,7 +576,7 @@ public function getJoinGroup($group_id): RedirectResponse
             return redirect()
                 ->back()
                 ->with('success', __('groups.now_following', [
-                    'name' => $group->name,
+                    'name' => e($group->name),
                     'link' => url('/group/view/'.$group->idgroups),
                 ]));
         } catch (\Exception $e) {
@@ -661,7 +661,7 @@ public function inviteNearbyRestarter($groupId, $userId): RedirectResponse
             }
         }
 
-        return redirect('/group/nearby/'.intval($groupId))->with('success', $user->name.' has been invited');
+        return redirect('/group/nearby/'.intval($groupId))->with('success', e($user->name).' has been invited');
     }
 
     /**
diff --git a/app/Http/Middleware/AcceptUserInvites.php b/app/Http/Middleware/AcceptUserInvites.php
index 465d1c2af1..3631e4d762 100644
--- a/app/Http/Middleware/AcceptUserInvites.php
+++ b/app/Http/Middleware/AcceptUserInvites.php
@@ -45,13 +45,13 @@ public function handle(Request $request, Closure $next): Response
                         $acceptance->delete();
                         $request->session()->push('invites-feedback', __('groups.you_have_joined', [
                             'url' => url("/group/view/{$group->idgroups}"),
-                            'name' => $group->name
+                            'name' => e($group->name)
                         ]));
 
                     // Else that must mean the User is already part of the Group.
                         // We can then delete the Invite and create a new session
                     } else {
-                        $request->session()->push('invites-feedback', 'You are already a member of <a class="plain-link" href='.url("/group/view/{$group->idgroups}").">{$group->name}</a>");
+                        $request->session()->push('invites-feedback', 'You are already a member of <a class="plain-link" href="'.url("/group/view/{$group->idgroups}").'">'.e($group->name).'</a>');
                     }
                 }
                 $request->session()->forget('groups');
@@ -78,13 +78,13 @@ public function handle(Request $request, Closure $next): Response
                         $acceptance->delete();
                         $request->session()->push('invites-feedback', __('events.you_have_joined', [
                             'url' => url("/party/view/{$event->idevents}"),
-                            'name' => $event->venue
+                            'name' => e($event->venue)
                         ]));
 
                     // Else that must mean the User is already part of the Event.
                         // We can then delete the Invite and create a new session
                     } else {
-                        $request->session()->push('invites-feedback', 'You are already a member of <a class="plain-link" href='.url("/party/view/{$event->idevents}").">{$event->venue}</a>");
+                        $request->session()->push('invites-feedback', 'You are already a member of <a class="plain-link" href="'.url("/party/view/{$event->idevents}").'">'.e($event->venue).'</a>');
                     }
                 }
                 $request->session()->forget('events');
diff --git a/resources/js/components/GroupPage.vue b/resources/js/components/GroupPage.vue
index 1fcc137cf3..8827fc2740 100644
--- a/resources/js/components/GroupPage.vue
+++ b/resources/js/components/GroupPage.vue
@@ -164,8 +164,11 @@ export default {
       return this.$store.getters['groups/get'](this.idgroups)
     },
     translatedHaveLeft() {
+      const el = document.createElement('span')
+      el.textContent = this.group.name
+      const escapedName = el.innerHTML
       return this.$lang.get('groups.now_unfollowed', {
-        name: this.group.name,
+        name: escapedName,
         link: '/group/view/' + this.group.id
       })
     }
diff --git a/resources/views/networks/show.blade.php b/resources/views/networks/show.blade.php
index 68a4c551dc..9a19b3f56d 100644
--- a/resources/views/networks/show.blade.php
+++ b/resources/views/networks/show.blade.php
@@ -110,7 +110,7 @@
                     <p>
                         {!! __('networks.general.count', [
                             'count' => $network->groups->count(),
-                            'name' => $network->name,
+                            'name' => e($network->name),
                             'id' => $network->id
                         ]) !!}
                     </p>

From 6c3b521daf9793af29a211f04ffa9b16f3db6826 Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Wed, 22 Apr 2026 14:46:33 -0700
Subject: [PATCH 04/12] chore(config): publish purify configuration

Publishes the default HTMLPurifier config from stevebauman/purify,
which controls which HTML tags and attributes are allowed through
sanitization.
---
 config/purify.php | 115 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 115 insertions(+)
 create mode 100644 config/purify.php

diff --git a/config/purify.php b/config/purify.php
new file mode 100644
index 0000000000..66dbbb5683
--- /dev/null
+++ b/config/purify.php
@@ -0,0 +1,115 @@
+<?php
+
+use Stevebauman\Purify\Definitions\Html5Definition;
+
+return [
+
+    /*
+    |--------------------------------------------------------------------------
+    | Default Config
+    |--------------------------------------------------------------------------
+    |
+    | This option defines the default config that is provided to HTMLPurifier.
+    |
+    */
+
+    'default' => 'default',
+
+    /*
+    |--------------------------------------------------------------------------
+    | Config sets
+    |--------------------------------------------------------------------------
+    |
+    | Here you may configure various sets of configuration for differentiated use of HTMLPurifier.
+    | A specific set of configuration can be applied by calling the "config($name)" method on
+    | a Purify instance. Feel free to add/remove/customize these attributes as you wish.
+    |
+    | Documentation: http://htmlpurifier.org/live/configdoc/plain.html
+    |
+    |   Core.Encoding               The encoding to convert input to.
+    |   HTML.Doctype                Doctype to use during filtering.
+    |   HTML.Allowed                The allowed HTML Elements with their allowed attributes.
+    |   HTML.ForbiddenElements      The forbidden HTML elements. Elements that are listed in this
+    |                               string will be removed, however their content will remain.
+    |   CSS.AllowedProperties       The Allowed CSS properties.
+    |   AutoFormat.AutoParagraph    Newlines are converted in to paragraphs whenever possible.
+    |   AutoFormat.RemoveEmpty      Remove empty elements that contribute no semantic information to the document.
+    |
+    */
+
+    'configs' => [
+
+        'default' => [
+            'Core.Encoding' => 'utf-8',
+            'HTML.Doctype' => 'HTML 4.01 Transitional',
+            'HTML.Allowed' => 'h1,h2,h3,h4,h5,h6,b,u,strong,i,em,s,del,a[href|title],ul,ol,li,p[style],br,span,img[width|height|alt|src],blockquote',
+            'HTML.ForbiddenElements' => '',
+            'CSS.AllowedProperties' => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
+            'AutoFormat.AutoParagraph' => false,
+            'AutoFormat.RemoveEmpty' => false,
+        ],
+
+    ],
+
+    /*
+    |--------------------------------------------------------------------------
+    | HTMLPurifier definitions
+    |--------------------------------------------------------------------------
+    |
+    | Here you may specify a class that augments the HTML definitions used by
+    | HTMLPurifier. Additional HTML5 definitions are provided out of the box.
+    | When specifying a custom class, make sure it implements the interface:
+    |
+    |   \Stevebauman\Purify\Definitions\Definition
+    |
+    | Note that these definitions are applied to every Purifier instance.
+    |
+    | Documentation: http://htmlpurifier.org/docs/enduser-customize.html
+    |
+    */
+
+    'definitions' => Html5Definition::class,
+
+    /*
+    |--------------------------------------------------------------------------
+    | HTMLPurifier CSS definitions
+    |--------------------------------------------------------------------------
+    |
+    | Here you may specify a class that augments the CSS definitions used by
+    | HTMLPurifier. When specifying a custom class, make sure it implements
+    | the interface:
+    |
+    |   \Stevebauman\Purify\Definitions\CssDefinition
+    |
+    | Note that these definitions are applied to every Purifier instance.
+    |
+    | CSS should be extending $definition->info['css-attribute'] = values
+    | See HTMLPurifier_CSSDefinition for further explanation
+    |
+    */
+
+    'css-definitions' => null,
+
+    /*
+    |--------------------------------------------------------------------------
+    | Serializer
+    |--------------------------------------------------------------------------
+    |
+    | The storage implementation where HTMLPurifier can store its serializer files.
+    | If the filesystem cache is in use, the path must be writable through the
+    | storage disk by the web server, otherwise an exception will be thrown.
+    |
+    */
+
+    'serializer' => [
+        'driver' => env('CACHE_STORE', env('CACHE_DRIVER', 'file')),
+        'cache' => \Stevebauman\Purify\Cache\CacheDefinitionCache::class,
+    ],
+
+    // 'serializer' => [
+    //    'disk' => env('FILESYSTEM_DISK', 'local'),
+    //    'path' => 'purify',
+    //    'cache' => \Stevebauman\Purify\Cache\FilesystemDefinitionCache::class,
+    // ],
+
+];

From d71c26243b76ac403f94836dbafe67986b8bacae Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Thu, 23 Apr 2026 09:06:22 -0700
Subject: [PATCH 05/12] fix(xss): add model mutators for input sanitization

Adds sanitization mutators at the model layer so all write paths
(controllers, CSV imports, tinker, seeders) are covered. Plain-text
fields like names and venues use strip_tags() to remove HTML entirely.
Rich-text fields like descriptions and biographies use Purify::clean()
to strip dangerous tags while preserving safe formatting HTML.
---
 app/Models/Brands.php    |  5 +++++
 app/Models/Category.php  |  5 +++++
 app/Models/Group.php     | 11 +++++++++++
 app/Models/GroupTags.php |  5 +++++
 app/Models/Network.php   | 11 +++++++++++
 app/Models/Party.php     | 11 +++++++++++
 app/Models/Skills.php    |  5 +++++
 app/Models/User.php      | 11 +++++++++++
 8 files changed, 64 insertions(+)

diff --git a/app/Models/Brands.php b/app/Models/Brands.php
index bb0dad6dd1..1535a94715 100644
--- a/app/Models/Brands.php
+++ b/app/Models/Brands.php
@@ -21,4 +21,9 @@ class Brands extends Model
      * @var array
      */
     protected $hidden = [];
+
+    public function setBrandNameAttribute($value)
+    {
+        $this->attributes['brand_name'] = $value === null ? null : strip_tags((string) $value);
+    }
 }
diff --git a/app/Models/Category.php b/app/Models/Category.php
index 0b8f0ddf20..e678160513 100644
--- a/app/Models/Category.php
+++ b/app/Models/Category.php
@@ -33,6 +33,11 @@ class Category extends Model
 
     // Setters
 
+    public function setNameAttribute($value)
+    {
+        $this->attributes['name'] = $value === null ? null : strip_tags((string) $value);
+    }
+
     //Getters
     public function findAll()
     {
diff --git a/app/Models/Group.php b/app/Models/Group.php
index b949d3d555..a49a083c1a 100644
--- a/app/Models/Group.php
+++ b/app/Models/Group.php
@@ -12,6 +12,7 @@
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\Facades\Lang;
 use Illuminate\Support\Facades\Log;
+use Stevebauman\Purify\Facades\Purify;
 use OwenIt\Auditing\Contracts\Auditable;
 use Illuminate\Database\Eloquent\SoftDeletes;
 
@@ -446,6 +447,16 @@ public function setDistanceAttribute($val)
         $this->distance = $val;
     }
 
+    public function setNameAttribute($value)
+    {
+        $this->attributes['name'] = $value === null ? null : strip_tags((string) $value);
+    }
+
+    public function setFreeTextAttribute($value)
+    {
+        $this->attributes['free_text'] = $value === null ? null : Purify::clean((string) $value);
+    }
+
     public function createDiscourseGroup() {
         // Get the host who created the group.
         $success = false;
diff --git a/app/Models/GroupTags.php b/app/Models/GroupTags.php
index ae1ad1bffc..9ffbeba2a0 100644
--- a/app/Models/GroupTags.php
+++ b/app/Models/GroupTags.php
@@ -42,5 +42,10 @@ public function groupTagGroups(): HasMany
 
     // Setters
 
+    public function setTagNameAttribute($value)
+    {
+        $this->attributes['tag_name'] = $value === null ? null : strip_tags((string) $value);
+    }
+
     //Getters
 }
diff --git a/app/Models/Network.php b/app/Models/Network.php
index 2a0bda8ba6..fa18de9afb 100644
--- a/app/Models/Network.php
+++ b/app/Models/Network.php
@@ -6,11 +6,22 @@
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use App\Models\Group;
 use Illuminate\Database\Eloquent\Model;
+use Stevebauman\Purify\Facades\Purify;
 
 class Network extends Model
 {
     use HasFactory;
 
+    public function setNameAttribute($value)
+    {
+        $this->attributes['name'] = $value === null ? null : strip_tags((string) $value);
+    }
+
+    public function setDescriptionAttribute($value)
+    {
+        $this->attributes['description'] = $value === null ? null : Purify::clean((string) $value);
+    }
+
     public function groups(): BelongsToMany
     {
         return $this->belongsToMany(Group::class, 'group_network', 'network_id', 'group_id');
diff --git a/app/Models/Party.php b/app/Models/Party.php
index 25aadd1a2e..e72a36a3b4 100644
--- a/app/Models/Party.php
+++ b/app/Models/Party.php
@@ -13,6 +13,7 @@
 use DB;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\SoftDeletes;
+use Stevebauman\Purify\Facades\Purify;
 use Illuminate\Support\Str;
 use Notification;
 use OwenIt\Auditing\Contracts\Auditable;
@@ -767,6 +768,16 @@ public function getEventEndUtcAttribute() {
         return array_key_exists('event_end_utc', $this->attributes) ? Carbon::parse($this->attributes['event_end_utc'], 'UTC')->toIso8601String() : null;
     }
 
+    public function setVenueAttribute($value)
+    {
+        $this->attributes['venue'] = $value === null ? null : strip_tags((string) $value);
+    }
+
+    public function setFreeTextAttribute($value)
+    {
+        $this->attributes['free_text'] = $value === null ? null : Purify::clean((string) $value);
+    }
+
     // Mutators for previous event_date/start/end fields.  These are now superceded by the UTC fields and therefore
     // should never be set directly.  Throw exceptions to ensure that they are not.
     public function setEventDateAttribute($val) {
diff --git a/app/Models/Skills.php b/app/Models/Skills.php
index fb5a5a98b8..efa9d547a0 100644
--- a/app/Models/Skills.php
+++ b/app/Models/Skills.php
@@ -26,5 +26,10 @@ class Skills extends Model
 
     // Setters
 
+    public function setSkillNameAttribute($value)
+    {
+        $this->attributes['skill_name'] = $value === null ? null : strip_tags((string) $value);
+    }
+
     //Getters
 }
diff --git a/app/Models/User.php b/app/Models/User.php
index 9cd00516e5..af2afb1cd0 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -9,6 +9,7 @@
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use App\Events\UserDeleted;
 use App\Events\UserUpdated;
+use Stevebauman\Purify\Facades\Purify;
 use App\Helpers\Fixometer;
 use App\Models\Network;
 use App\Models\UserGroups;
@@ -64,6 +65,16 @@ class User extends Authenticatable implements Auditable, HasLocalePreference
         'remember_token',
     ];
 
+    public function setNameAttribute($value)
+    {
+        $this->attributes['name'] = $value === null ? null : strip_tags((string) $value);
+    }
+
+    public function setBiographyAttribute($value)
+    {
+        $this->attributes['biography'] = $value === null ? null : Purify::clean((string) $value);
+    }
+
     /**
      * The event map for the model.
      *

From 03d25839fb9090b1c60c70cad1bd821164f6231d Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Thu, 23 Apr 2026 09:06:39 -0700
Subject: [PATCH 06/12] refactor(xss): remove redundant controller-level Purify
 calls

Model mutators now handle sanitization of free_text fields, so the
explicit Purify::clean() calls in the API controllers are redundant
and can be removed.
---
 app/Http/Controllers/API/EventController.php | 5 ++---
 app/Http/Controllers/API/GroupController.php | 5 ++---
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/app/Http/Controllers/API/EventController.php b/app/Http/Controllers/API/EventController.php
index 44abede45b..e3eae326b2 100644
--- a/app/Http/Controllers/API/EventController.php
+++ b/app/Http/Controllers/API/EventController.php
@@ -9,7 +9,6 @@
 use App\Helpers\Fixometer;
 use App\Helpers\FixometerFile;
 use App\Http\Controllers\Controller;
-use Stevebauman\Purify\Facades\Purify;
 use App\Models\Invite;
 use App\Models\Network;
 use App\Notifications\AdminModerationEvent;
@@ -490,7 +489,7 @@ public function createEventv2(Request $request): JsonResponse
             'timezone' => $timezone,
             'event_start_utc' => $event_start_utc,
             'event_end_utc' => $event_end_utc,
-            'free_text' => Purify::clean($description),
+            'free_text' => $description,
             'link' => $link,
             'venue' => $title,
             'location' => $location,
@@ -655,7 +654,7 @@ public function updateEventv2(Request $request, $idEvents): JsonResponse
             'event_start_utc' => $event_start_utc,
             'event_end_utc' => $event_end_utc,
             'hours' => $hours,
-            'free_text' => Purify::clean($description),
+            'free_text' => $description,
             'online' => $online,
             'venue' => $title,
             'link' => $link,
diff --git a/app/Http/Controllers/API/GroupController.php b/app/Http/Controllers/API/GroupController.php
index de30935b2b..f42d94ba4b 100644
--- a/app/Http/Controllers/API/GroupController.php
+++ b/app/Http/Controllers/API/GroupController.php
@@ -10,7 +10,6 @@
 use App\Helpers\Fixometer;
 use App\Helpers\FixometerFile;
 use App\Http\Controllers\Controller;
-use Stevebauman\Purify\Facades\Purify;
 use App\Http\Resources\PartySummaryCollection;
 use App\Http\Resources\TagCollection;
 use App\Http\Resources\VolunteerCollection;
@@ -831,7 +830,7 @@ public function createGroupv2(Request $request): JsonResponse {
             'latitude' => $latitude,
             'longitude' => $longitude,
             'country_code' => $country,
-            'free_text' => Purify::clean($description),
+            'free_text' => $description,
             'shareable_code' => Fixometer::generateUniqueShareableCode(\App\Models\Group::class, 'shareable_code'),
             'timezone' => $timezone,
             'phone' => $phone,
@@ -1006,7 +1005,7 @@ public function updateGroupv2(Request $request, $idGroup): JsonResponse {
             'latitude' => $latitude,
             'longitude' => $longitude,
             'country_code' => $country,
-            'free_text' => Purify::clean($description),
+            'free_text' => $description,
             'timezone' => $timezone,
             'phone' => $phone,
             'network_data' => $network_data,

From ef9ae01343a9bac3317ab67d2057fb55fc7192e9 Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Thu, 23 Apr 2026 09:07:01 -0700
Subject: [PATCH 07/12] fix(xss): escape user data in ConfirmModal and
 soft-delete flash

Escapes group.name before passing to ConfirmModal's v-html rendered
delete/archive confirmation messages in GroupActions.vue. Also escapes
user name in the soft-delete flash message in UserController to prevent
stored XSS when an admin deletes a user with a malicious name.
---
 app/Http/Controllers/UserController.php  | 2 +-
 resources/js/components/GroupActions.vue | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
index fe174a0c8f..419ba1f523 100644
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
@@ -294,7 +294,7 @@ public function postSoftDeleteUser(Request $request): RedirectResponse
 
         if (Auth::id() !== $user_id) {
             return redirect('user/all')->with('danger', __('profile.soft_deleted', [
-                'name' => $old_user_name
+                'name' => e($old_user_name)
             ]));
         } else {
             return redirect('login');
diff --git a/resources/js/components/GroupActions.vue b/resources/js/components/GroupActions.vue
index eabb0bdc6d..73046e2656 100644
--- a/resources/js/components/GroupActions.vue
+++ b/resources/js/components/GroupActions.vue
@@ -56,10 +56,10 @@
     <ConfirmModal :key="'leavegroupmodal-' + idgroups" ref="confirmLeave" @confirm="leaveConfirmed"
       :message="__('groups.leave_group_confirm')" />
     <ConfirmModal :key="'deletegroupmodal-' + idgroups" ref="confirmDelete" @confirm="deleteConfirmed" :message="__('groups.delete_group_confirm', {
-      name: group.name
+      name: escapeHtml(group.name)
     })" />
     <ConfirmModal :key="'archivegroupmodal-' + idgroups" ref="confirmArchive" @confirm="archiveConfirmed" :message="__('groups.archive_group_confirm', {
-      name: group.name
+      name: escapeHtml(group.name)
     })" />
   </div>
 </template>
@@ -100,6 +100,11 @@ export default {
     }
   },
   methods: {
+    escapeHtml(str) {
+      const el = document.createElement('span')
+      el.textContent = str
+      return el.innerHTML
+    },
     leaveGroup() {
       this.$refs.confirmLeave.show()
     },

From bd93284c2f10ceed1edbf7f2cec4d9973e770b39 Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Thu, 23 Apr 2026 09:07:43 -0700
Subject: [PATCH 08/12] fix(xss): add DOMPurify to ReadMore.vue as
 defense-in-depth

Adds client-side HTML sanitization via DOMPurify to the ReadMore
component, which renders group and event descriptions via v-html.
Server-side Purify::clean() model mutators are the primary defense,
but this provides a second layer in case any write path bypasses
the model (raw DB queries, migrations, imports).
---
 package.json                         |  1 +
 resources/js/components/ReadMore.vue | 13 ++++++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/package.json b/package.json
index ecb0d41f12..54643f4b06 100644
--- a/package.json
+++ b/package.json
@@ -59,6 +59,7 @@
         "bootstrap4-datetimepicker": "^5.2.3",
         "chart.js": "^2.7.2",
         "codemirror": "^5.39.2",
+        "dompurify": "^3.4.0",
         "dropzone": "^5.7.2",
         "ekko-lightbox": "^5.3.0",
         "floatthead": "^2.1.2",
diff --git a/resources/js/components/ReadMore.vue b/resources/js/components/ReadMore.vue
index a0111f3dff..61115143b8 100644
--- a/resources/js/components/ReadMore.vue
+++ b/resources/js/components/ReadMore.vue
@@ -4,10 +4,10 @@
       <p v-html="formattedString"></p>
     </span>
     <span v-else-if="html">
-      <span v-if="!needsTruncating" v-html="html" class="w-100" />
+      <span v-if="!needsTruncating" v-html="sanitizedHtml" class="w-100" />
       <span v-else>
-        <span v-if="!isReadMore" v-html="truncatedHTML" class="w-100" />
-        <span v-else v-html="html" class="w-100" />
+        <span v-if="!isReadMore" v-html="sanitizedTruncatedHtml" class="w-100" />
+        <span v-else v-html="sanitizedHtml" class="w-100" />
       </span>
     </span>
     <span v-if="needsTruncating">
@@ -20,6 +20,7 @@
 <script>
 const htmlToText = require('html-to-text');
 import clip from "text-clipper"
+import DOMPurify from "dompurify"
 // Originally based on https://github.com/orlyyani/read-more, with thanks.
 
 export default {
@@ -70,12 +71,18 @@ export default {
 
       return val_container;
     },
+    sanitizedHtml() {
+      return this.html ? DOMPurify.sanitize(this.html) : null
+    },
     truncatedHTML() {
       // We need to truncate HTML with care to ensure that the result is tag safe; string truncation isn't good
       // enough.
       const ret = this.html ? clip(this.html, this.maxChars, { html: true, maxLines: this.maxLines }) : null
       return ret
     },
+    sanitizedTruncatedHtml() {
+      return this.truncatedHTML ? DOMPurify.sanitize(this.truncatedHTML) : null
+    },
     needsTruncating() {
       if (this.text && (text.length > maxChars)) {
         return true

From 58c7b3ff0a992045cbfcf66023c97eb04c0861e1 Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Thu, 23 Apr 2026 09:41:18 -0700
Subject: [PATCH 09/12] fix(xss): address PR review feedback on purify config
 and escaping

Updates HTMLPurifier config to use HTML 5 doctype for consistency
with Html5Definition, adds URI.AllowedSchemes to block javascript:
and data: URLs in sanitized HTML, and extracts the inline DOM
escaping pattern into a named escapeHtml() method for readability.
---
 config/purify.php                     |  7 ++++++-
 resources/js/components/GroupPage.vue | 12 ++++++++----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/config/purify.php b/config/purify.php
index 66dbbb5683..a261fd27e5 100644
--- a/config/purify.php
+++ b/config/purify.php
@@ -41,10 +41,15 @@
 
         'default' => [
             'Core.Encoding' => 'utf-8',
-            'HTML.Doctype' => 'HTML 4.01 Transitional',
+            'HTML.Doctype' => 'HTML 5',
             'HTML.Allowed' => 'h1,h2,h3,h4,h5,h6,b,u,strong,i,em,s,del,a[href|title],ul,ol,li,p[style],br,span,img[width|height|alt|src],blockquote',
             'HTML.ForbiddenElements' => '',
             'CSS.AllowedProperties' => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',
+            'URI.AllowedSchemes' => [
+                'http' => true,
+                'https' => true,
+                'mailto' => true,
+            ],
             'AutoFormat.AutoParagraph' => false,
             'AutoFormat.RemoveEmpty' => false,
         ],
diff --git a/resources/js/components/GroupPage.vue b/resources/js/components/GroupPage.vue
index 8827fc2740..e46a6ccc19 100644
--- a/resources/js/components/GroupPage.vue
+++ b/resources/js/components/GroupPage.vue
@@ -159,16 +159,20 @@ export default {
       haveLeft: false
     }
   },
+  methods: {
+    escapeHtml(str) {
+      const el = document.createElement('span')
+      el.textContent = str
+      return el.innerHTML
+    },
+  },
   computed: {
     group() {
       return this.$store.getters['groups/get'](this.idgroups)
     },
     translatedHaveLeft() {
-      const el = document.createElement('span')
-      el.textContent = this.group.name
-      const escapedName = el.innerHTML
       return this.$lang.get('groups.now_unfollowed', {
-        name: escapedName,
+        name: this.escapeHtml(this.group.name),
         link: '/group/view/' + this.group.id
       })
     }

From 8f438fa2b7ed22d3006e3ad313a0ce6b594bed08 Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Thu, 23 Apr 2026 09:50:52 -0700
Subject: [PATCH 10/12] fix: update package-lock.json

---
 package-lock.json | 501 ++++++++++++++++++++++++++++------------------
 1 file changed, 302 insertions(+), 199 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index b07eb4401f..d8a72208d4 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -17,6 +17,7 @@
                 "bootstrap4-datetimepicker": "^5.2.3",
                 "chart.js": "^2.7.2",
                 "codemirror": "^5.39.2",
+                "dompurify": "^3.4.0",
                 "dropzone": "^5.7.2",
                 "ekko-lightbox": "^5.3.0",
                 "floatthead": "^2.1.2",
@@ -104,23 +105,74 @@
             }
         },
         "node_modules/@asamuzakjp/css-color": {
-            "version": "3.1.4",
-            "resolved": "https://registry.npmjs.org/@asamuzakjp/css-color/-/css-color-3.1.4.tgz",
-            "integrity": "sha512-SeuBV4rnjpFNjI8HSgKUwteuFdkHwkboq31HWzznuqgySQir+jSTczoWVVL4jvOjKjuH80fMDG0Fvg1Sb+OJsA==",
+            "version": "5.1.11",
+            "resolved": "https://registry.npmjs.org/@asamuzakjp/css-color/-/css-color-5.1.11.tgz",
+            "integrity": "sha512-KVw6qIiCTUQhByfTd78h2yD1/00waTmm9uy/R7Ck/ctUyAPj+AEDLkQIdJW0T8+qGgj3j5bpNKK7Q3G+LedJWg==",
+            "dev": true,
+            "peer": true,
+            "dependencies": {
+                "@asamuzakjp/generational-cache": "^1.0.1",
+                "@csstools/css-calc": "^3.2.0",
+                "@csstools/css-color-parser": "^4.1.0",
+                "@csstools/css-parser-algorithms": "^4.0.0",
+                "@csstools/css-tokenizer": "^4.0.0"
+            },
+            "engines": {
+                "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+            }
+        },
+        "node_modules/@asamuzakjp/dom-selector": {
+            "version": "7.1.1",
+            "resolved": "https://registry.npmjs.org/@asamuzakjp/dom-selector/-/dom-selector-7.1.1.tgz",
+            "integrity": "sha512-67RZDnYRc8H/8MLDgQCDE//zoqVFwajkepHZgmXrbwybzXOEwOWGPYGmALYl9J2DOLfFPPs6kKCqmbzV895hTQ==",
+            "dev": true,
+            "peer": true,
+            "dependencies": {
+                "@asamuzakjp/generational-cache": "^1.0.1",
+                "@asamuzakjp/nwsapi": "^2.3.9",
+                "bidi-js": "^1.0.3",
+                "css-tree": "^3.2.1",
+                "is-potential-custom-element-name": "^1.0.1"
+            },
+            "engines": {
+                "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+            }
+        },
+        "node_modules/@asamuzakjp/dom-selector/node_modules/css-tree": {
+            "version": "3.2.1",
+            "resolved": "https://registry.npmjs.org/css-tree/-/css-tree-3.2.1.tgz",
+            "integrity": "sha512-X7sjQzceUhu1u7Y/ylrRZFU2FS6LRiFVp6rKLPg23y3x3c3DOKAwuXGDp+PAGjh6CSnCjYeAul8pcT8bAl+lSA==",
             "dev": true,
             "peer": true,
             "dependencies": {
-                "@csstools/css-calc": "^2.1.3",
-                "@csstools/css-color-parser": "^3.0.9",
-                "@csstools/css-parser-algorithms": "^3.0.4",
-                "@csstools/css-tokenizer": "^3.0.3",
-                "lru-cache": "^10.4.3"
+                "mdn-data": "2.27.1",
+                "source-map-js": "^1.2.1"
+            },
+            "engines": {
+                "node": "^10 || ^12.20.0 || ^14.13.0 || >=15.0.0"
             }
         },
-        "node_modules/@asamuzakjp/css-color/node_modules/lru-cache": {
-            "version": "10.4.3",
-            "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz",
-            "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==",
+        "node_modules/@asamuzakjp/dom-selector/node_modules/mdn-data": {
+            "version": "2.27.1",
+            "resolved": "https://registry.npmjs.org/mdn-data/-/mdn-data-2.27.1.tgz",
+            "integrity": "sha512-9Yubnt3e8A0OKwxYSXyhLymGW4sCufcLG6VdiDdUGVkPhpqLxlvP5vl1983gQjJl3tqbrM731mjaZaP68AgosQ==",
+            "dev": true,
+            "peer": true
+        },
+        "node_modules/@asamuzakjp/generational-cache": {
+            "version": "1.0.1",
+            "resolved": "https://registry.npmjs.org/@asamuzakjp/generational-cache/-/generational-cache-1.0.1.tgz",
+            "integrity": "sha512-wajfB8KqzMCN2KGNFdLkReeHncd0AslUSrvHVvvYWuU8ghncRJoA50kT3zP9MVL0+9g4/67H+cdvBskj9THPzg==",
+            "dev": true,
+            "peer": true,
+            "engines": {
+                "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+            }
+        },
+        "node_modules/@asamuzakjp/nwsapi": {
+            "version": "2.3.9",
+            "resolved": "https://registry.npmjs.org/@asamuzakjp/nwsapi/-/nwsapi-2.3.9.tgz",
+            "integrity": "sha512-n8GuYSrI9bF7FFZ/SjhwevlHc8xaVlb/7HmHelnc/PZXBD2ZR49NnN9sMMuDdEGPeeRQ5d0hqlSlEpgCX3Wl0Q==",
             "dev": true,
             "peer": true
         },
@@ -1914,6 +1966,40 @@
             "integrity": "sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw==",
             "dev": true
         },
+        "node_modules/@bramus/specificity": {
+            "version": "2.4.2",
+            "resolved": "https://registry.npmjs.org/@bramus/specificity/-/specificity-2.4.2.tgz",
+            "integrity": "sha512-ctxtJ/eA+t+6q2++vj5j7FYX3nRu311q1wfYH3xjlLOsczhlhxAg2FWNUXhpGvAw3BWo1xBcvOV6/YLc2r5FJw==",
+            "dev": true,
+            "peer": true,
+            "dependencies": {
+                "css-tree": "^3.0.0"
+            },
+            "bin": {
+                "specificity": "bin/cli.js"
+            }
+        },
+        "node_modules/@bramus/specificity/node_modules/css-tree": {
+            "version": "3.2.1",
+            "resolved": "https://registry.npmjs.org/css-tree/-/css-tree-3.2.1.tgz",
+            "integrity": "sha512-X7sjQzceUhu1u7Y/ylrRZFU2FS6LRiFVp6rKLPg23y3x3c3DOKAwuXGDp+PAGjh6CSnCjYeAul8pcT8bAl+lSA==",
+            "dev": true,
+            "peer": true,
+            "dependencies": {
+                "mdn-data": "2.27.1",
+                "source-map-js": "^1.2.1"
+            },
+            "engines": {
+                "node": "^10 || ^12.20.0 || ^14.13.0 || >=15.0.0"
+            }
+        },
+        "node_modules/@bramus/specificity/node_modules/mdn-data": {
+            "version": "2.27.1",
+            "resolved": "https://registry.npmjs.org/mdn-data/-/mdn-data-2.27.1.tgz",
+            "integrity": "sha512-9Yubnt3e8A0OKwxYSXyhLymGW4sCufcLG6VdiDdUGVkPhpqLxlvP5vl1983gQjJl3tqbrM731mjaZaP68AgosQ==",
+            "dev": true,
+            "peer": true
+        },
         "node_modules/@colors/colors": {
             "version": "1.5.0",
             "resolved": "https://registry.npmjs.org/@colors/colors/-/colors-1.5.0.tgz",
@@ -1925,9 +2011,9 @@
             }
         },
         "node_modules/@csstools/color-helpers": {
-            "version": "5.0.2",
-            "resolved": "https://registry.npmjs.org/@csstools/color-helpers/-/color-helpers-5.0.2.tgz",
-            "integrity": "sha512-JqWH1vsgdGcw2RR6VliXXdA0/59LttzlU8UlRT/iUUsEeWfYq8I+K0yhihEUTTHLRm1EXvpsCx3083EU15ecsA==",
+            "version": "6.0.2",
+            "resolved": "https://registry.npmjs.org/@csstools/color-helpers/-/color-helpers-6.0.2.tgz",
+            "integrity": "sha512-LMGQLS9EuADloEFkcTBR3BwV/CGHV7zyDxVRtVDTwdI2Ca4it0CCVTT9wCkxSgokjE5Ho41hEPgb8OEUwoXr6Q==",
             "dev": true,
             "funding": [
                 {
@@ -1941,13 +2027,13 @@
             ],
             "peer": true,
             "engines": {
-                "node": ">=18"
+                "node": ">=20.19.0"
             }
         },
         "node_modules/@csstools/css-calc": {
-            "version": "2.1.3",
-            "resolved": "https://registry.npmjs.org/@csstools/css-calc/-/css-calc-2.1.3.tgz",
-            "integrity": "sha512-XBG3talrhid44BY1x3MHzUx/aTG8+x/Zi57M4aTKK9RFB4aLlF3TTSzfzn8nWVHWL3FgAXAxmupmDd6VWww+pw==",
+            "version": "3.2.0",
+            "resolved": "https://registry.npmjs.org/@csstools/css-calc/-/css-calc-3.2.0.tgz",
+            "integrity": "sha512-bR9e6o2BDB12jzN/gIbjHa5wLJ4UjD1CB9pM7ehlc0ddk6EBz+yYS1EV2MF55/HUxrHcB/hehAyt5vhsA3hx7w==",
             "dev": true,
             "funding": [
                 {
@@ -1961,17 +2047,17 @@
             ],
             "peer": true,
             "engines": {
-                "node": ">=18"
+                "node": ">=20.19.0"
             },
             "peerDependencies": {
-                "@csstools/css-parser-algorithms": "^3.0.4",
-                "@csstools/css-tokenizer": "^3.0.3"
+                "@csstools/css-parser-algorithms": "^4.0.0",
+                "@csstools/css-tokenizer": "^4.0.0"
             }
         },
         "node_modules/@csstools/css-color-parser": {
-            "version": "3.0.9",
-            "resolved": "https://registry.npmjs.org/@csstools/css-color-parser/-/css-color-parser-3.0.9.tgz",
-            "integrity": "sha512-wILs5Zk7BU86UArYBJTPy/FMPPKVKHMj1ycCEyf3VUptol0JNRLFU/BZsJ4aiIHJEbSLiizzRrw8Pc1uAEDrXw==",
+            "version": "4.1.0",
+            "resolved": "https://registry.npmjs.org/@csstools/css-color-parser/-/css-color-parser-4.1.0.tgz",
+            "integrity": "sha512-U0KhLYmy2GVj6q4T3WaAe6NPuFYCPQoE3b0dRGxejWDgcPp8TP7S5rVdM5ZrFaqu4N67X8YaPBw14dQSYx3IyQ==",
             "dev": true,
             "funding": [
                 {
@@ -1985,21 +2071,21 @@
             ],
             "peer": true,
             "dependencies": {
-                "@csstools/color-helpers": "^5.0.2",
-                "@csstools/css-calc": "^2.1.3"
+                "@csstools/color-helpers": "^6.0.2",
+                "@csstools/css-calc": "^3.2.0"
             },
             "engines": {
-                "node": ">=18"
+                "node": ">=20.19.0"
             },
             "peerDependencies": {
-                "@csstools/css-parser-algorithms": "^3.0.4",
-                "@csstools/css-tokenizer": "^3.0.3"
+                "@csstools/css-parser-algorithms": "^4.0.0",
+                "@csstools/css-tokenizer": "^4.0.0"
             }
         },
         "node_modules/@csstools/css-parser-algorithms": {
-            "version": "3.0.4",
-            "resolved": "https://registry.npmjs.org/@csstools/css-parser-algorithms/-/css-parser-algorithms-3.0.4.tgz",
-            "integrity": "sha512-Up7rBoV77rv29d3uKHUIVubz1BTcgyUK72IvCQAbfbMv584xHcGKCKbWh7i8hPrRJ7qU4Y8IO3IY9m+iTB7P3A==",
+            "version": "4.0.0",
+            "resolved": "https://registry.npmjs.org/@csstools/css-parser-algorithms/-/css-parser-algorithms-4.0.0.tgz",
+            "integrity": "sha512-+B87qS7fIG3L5h3qwJ/IFbjoVoOe/bpOdh9hAjXbvx0o8ImEmUsGXN0inFOnk2ChCFgqkkGFQ+TpM5rbhkKe4w==",
             "dev": true,
             "funding": [
                 {
@@ -2013,16 +2099,16 @@
             ],
             "peer": true,
             "engines": {
-                "node": ">=18"
+                "node": ">=20.19.0"
             },
             "peerDependencies": {
-                "@csstools/css-tokenizer": "^3.0.3"
+                "@csstools/css-tokenizer": "^4.0.0"
             }
         },
         "node_modules/@csstools/css-tokenizer": {
-            "version": "3.0.3",
-            "resolved": "https://registry.npmjs.org/@csstools/css-tokenizer/-/css-tokenizer-3.0.3.tgz",
-            "integrity": "sha512-UJnjoFsmxfKUdNYdWgOB0mWUypuLvAfQPH1+pyvRJs6euowbFkFC6P13w1l8mJyi3vxYMxc9kld5jZEGRQs6bw==",
+            "version": "4.0.0",
+            "resolved": "https://registry.npmjs.org/@csstools/css-tokenizer/-/css-tokenizer-4.0.0.tgz",
+            "integrity": "sha512-QxULHAm7cNu72w97JUNCBFODFaXpbDg+dP8b/oWFAZ2MTRppA3U00Y2L1HqaS4J6yBqxwa/Y3nMBaxVKbB/NsA==",
             "dev": true,
             "funding": [
                 {
@@ -2036,7 +2122,7 @@
             ],
             "peer": true,
             "engines": {
-                "node": ">=18"
+                "node": ">=20.19.0"
             }
         },
         "node_modules/@discoveryjs/json-ext": {
@@ -2048,6 +2134,24 @@
                 "node": ">=10.0.0"
             }
         },
+        "node_modules/@exodus/bytes": {
+            "version": "1.15.0",
+            "resolved": "https://registry.npmjs.org/@exodus/bytes/-/bytes-1.15.0.tgz",
+            "integrity": "sha512-UY0nlA+feH81UGSHv92sLEPLCeZFjXOuHhrIo0HQydScuQc8s0A7kL/UdgwgDq8g8ilksmuoF35YVTNphV2aBQ==",
+            "dev": true,
+            "peer": true,
+            "engines": {
+                "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+            },
+            "peerDependencies": {
+                "@noble/hashes": "^1.8.0 || ^2.0.0"
+            },
+            "peerDependenciesMeta": {
+                "@noble/hashes": {
+                    "optional": true
+                }
+            }
+        },
         "node_modules/@istanbuljs/load-nyc-config": {
             "version": "1.1.0",
             "resolved": "https://registry.npmjs.org/@istanbuljs/load-nyc-config/-/load-nyc-config-1.1.0.tgz",
@@ -3643,9 +3747,9 @@
             "dev": true
         },
         "node_modules/@types/leaflet": {
-            "version": "1.9.17",
-            "resolved": "https://registry.npmjs.org/@types/leaflet/-/leaflet-1.9.17.tgz",
-            "integrity": "sha512-IJ4K6t7I3Fh5qXbQ1uwL3CFVbCi6haW9+53oLWgdKlLP7EaS21byWFJxxqOx9y8I0AP0actXSJLVMbyvxhkUTA==",
+            "version": "1.9.21",
+            "resolved": "https://registry.npmjs.org/@types/leaflet/-/leaflet-1.9.21.tgz",
+            "integrity": "sha512-TbAd9DaPGSnzp6QvtYngntMZgcRk+igFELwR2N99XZn7RXUdKgsXMR+28bUO0rPsWp8MIu/f47luLIQuSLYv/w==",
             "peer": true,
             "dependencies": {
                 "@types/geojson": "*"
@@ -3783,6 +3887,12 @@
             "integrity": "sha512-Q5vtl1W5ue16D+nIaW8JWebSSraJVlK+EthKn7e7UcD4KWsaSJ8BqGPXNaPghgtcn/fhvrN17Tv8ksUsQpiplw==",
             "dev": true
         },
+        "node_modules/@types/trusted-types": {
+            "version": "2.0.7",
+            "resolved": "https://registry.npmjs.org/@types/trusted-types/-/trusted-types-2.0.7.tgz",
+            "integrity": "sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==",
+            "optional": true
+        },
         "node_modules/@types/ws": {
             "version": "8.18.1",
             "resolved": "https://registry.npmjs.org/@types/ws/-/ws-8.18.1.tgz",
@@ -5021,6 +5131,16 @@
                 "node": ">= 6.0.0"
             }
         },
+        "node_modules/bidi-js": {
+            "version": "1.0.3",
+            "resolved": "https://registry.npmjs.org/bidi-js/-/bidi-js-1.0.3.tgz",
+            "integrity": "sha512-RKshQI1R3YQ+n9YJz2QQ147P66ELpa1FQEg20Dk8oW9t2KgLbpDLLp9aGZ7y8WHSshDknG0bknqGw5/tyCs5tw==",
+            "dev": true,
+            "peer": true,
+            "dependencies": {
+                "require-from-string": "^2.0.2"
+            }
+        },
         "node_modules/big.js": {
             "version": "5.2.2",
             "resolved": "https://registry.npmjs.org/big.js/-/big.js-5.2.2.tgz",
@@ -6492,20 +6612,20 @@
             }
         },
         "node_modules/css-loader": {
-            "version": "7.1.2",
-            "resolved": "https://registry.npmjs.org/css-loader/-/css-loader-7.1.2.tgz",
-            "integrity": "sha512-6WvYYn7l/XEGN8Xu2vWFt9nVzrCn39vKyTEFf/ExEyoksJjjSZV/0/35XPlMbpnr6VGhZIUg5yJrL8tGfes/FA==",
+            "version": "7.1.4",
+            "resolved": "https://registry.npmjs.org/css-loader/-/css-loader-7.1.4.tgz",
+            "integrity": "sha512-vv3J9tlOl04WjiMvHQI/9tmIrCxVrj6PFbHemBB1iihpeRbi/I4h033eoFIhwxBBqLhI0KYFS7yvynBFhIZfTw==",
             "dev": true,
             "peer": true,
             "dependencies": {
                 "icss-utils": "^5.1.0",
-                "postcss": "^8.4.33",
+                "postcss": "^8.4.40",
                 "postcss-modules-extract-imports": "^3.1.0",
                 "postcss-modules-local-by-default": "^4.0.5",
                 "postcss-modules-scope": "^3.2.0",
                 "postcss-modules-values": "^4.0.0",
                 "postcss-value-parser": "^4.2.0",
-                "semver": "^7.5.4"
+                "semver": "^7.6.3"
             },
             "engines": {
                 "node": ">= 18.12.0"
@@ -6515,7 +6635,7 @@
                 "url": "https://opencollective.com/webpack"
             },
             "peerDependencies": {
-                "@rspack/core": "0.x || 1.x",
+                "@rspack/core": "0.x || ^1.0.0 || ^2.0.0-0",
                 "webpack": "^5.27.0"
             },
             "peerDependenciesMeta": {
@@ -6841,9 +6961,9 @@
             }
         },
         "node_modules/decimal.js": {
-            "version": "10.5.0",
-            "resolved": "https://registry.npmjs.org/decimal.js/-/decimal.js-10.5.0.tgz",
-            "integrity": "sha512-8vDa8Qxvr/+d94hSh5P3IJwI5t8/c0KsMp+g8bNw9cY2icONa5aPfvKeieW1WlG0WQYwwhJ7mjui2xtiePQSXw==",
+            "version": "10.6.0",
+            "resolved": "https://registry.npmjs.org/decimal.js/-/decimal.js-10.6.0.tgz",
+            "integrity": "sha512-YpgQiITW3JXGntzdUmyUR1V812Hn8T1YVXhCu+wO3OpS4eU9l4YdD3qjyiKdV6mvV29zapkMeD390UVEf2lkUg==",
             "dev": true
         },
         "node_modules/dedent": {
@@ -7138,9 +7258,12 @@
             }
         },
         "node_modules/dompurify": {
-            "version": "2.3.8",
-            "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.3.8.tgz",
-            "integrity": "sha512-eVhaWoVibIzqdGYjwsBWodIQIaXFSB+cKDf4cfxLMsK0xiud6SE+/WCVx/Xw/UwQsa4cS3T2eITcdtmTg2UKcw=="
+            "version": "3.4.1",
+            "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.4.1.tgz",
+            "integrity": "sha512-JahakDAIg1gyOm7dlgWSDjV4n7Ip2PKR55NIT6jrMfIgLFgWo81vdr1/QGqWtFNRqXP9UV71oVePtjqS2ebnPw==",
+            "optionalDependencies": {
+                "@types/trusted-types": "^2.0.7"
+            }
         },
         "node_modules/domutils": {
             "version": "1.7.0",
@@ -12659,35 +12782,36 @@
             "license": "MIT"
         },
         "node_modules/jsdom": {
-            "version": "26.1.0",
-            "resolved": "https://registry.npmjs.org/jsdom/-/jsdom-26.1.0.tgz",
-            "integrity": "sha512-Cvc9WUhxSMEo4McES3P7oK3QaXldCfNWp7pl2NNeiIFlCoLr3kfq9kb1fxftiwk1FLV7CvpvDfonxtzUDeSOPg==",
+            "version": "29.0.2",
+            "resolved": "https://registry.npmjs.org/jsdom/-/jsdom-29.0.2.tgz",
+            "integrity": "sha512-9VnGEBosc/ZpwyOsJBCQ/3I5p7Q5ngOY14a9bf5btenAORmZfDse1ZEheMiWcJ3h81+Fv7HmJFdS0szo/waF2w==",
             "dev": true,
             "peer": true,
             "dependencies": {
-                "cssstyle": "^4.2.1",
-                "data-urls": "^5.0.0",
-                "decimal.js": "^10.5.0",
-                "html-encoding-sniffer": "^4.0.0",
-                "http-proxy-agent": "^7.0.2",
-                "https-proxy-agent": "^7.0.6",
+                "@asamuzakjp/css-color": "^5.1.5",
+                "@asamuzakjp/dom-selector": "^7.0.6",
+                "@bramus/specificity": "^2.4.2",
+                "@csstools/css-syntax-patches-for-csstree": "^1.1.1",
+                "@exodus/bytes": "^1.15.0",
+                "css-tree": "^3.2.1",
+                "data-urls": "^7.0.0",
+                "decimal.js": "^10.6.0",
+                "html-encoding-sniffer": "^6.0.0",
                 "is-potential-custom-element-name": "^1.0.1",
-                "nwsapi": "^2.2.16",
-                "parse5": "^7.2.1",
-                "rrweb-cssom": "^0.8.0",
+                "lru-cache": "^11.2.7",
+                "parse5": "^8.0.0",
                 "saxes": "^6.0.0",
                 "symbol-tree": "^3.2.4",
-                "tough-cookie": "^5.1.1",
+                "tough-cookie": "^6.0.1",
+                "undici": "^7.24.5",
                 "w3c-xmlserializer": "^5.0.0",
-                "webidl-conversions": "^7.0.0",
-                "whatwg-encoding": "^3.1.1",
-                "whatwg-mimetype": "^4.0.0",
-                "whatwg-url": "^14.1.1",
-                "ws": "^8.18.0",
+                "webidl-conversions": "^8.0.1",
+                "whatwg-mimetype": "^5.0.0",
+                "whatwg-url": "^16.0.1",
                 "xml-name-validator": "^5.0.0"
             },
             "engines": {
-                "node": ">=18"
+                "node": "^20.19.0 || ^22.13.0 || >=24.0.0"
             },
             "peerDependencies": {
                 "canvas": "^3.0.0"
@@ -12707,156 +12831,148 @@
                 "jsdom": ">=10.0.0"
             }
         },
-        "node_modules/jsdom/node_modules/agent-base": {
-            "version": "7.1.3",
-            "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-7.1.3.tgz",
-            "integrity": "sha512-jRR5wdylq8CkOe6hei19GGZnxM6rBGwFl3Bg0YItGDimvjGtAvdZk4Pu6Cl4u4Igsws4a1fd1Vq3ezrhn4KmFw==",
+        "node_modules/jsdom/node_modules/@csstools/css-syntax-patches-for-csstree": {
+            "version": "1.1.3",
+            "resolved": "https://registry.npmjs.org/@csstools/css-syntax-patches-for-csstree/-/css-syntax-patches-for-csstree-1.1.3.tgz",
+            "integrity": "sha512-SH60bMfrRCJF3morcdk57WklujF4Jr/EsQUzqkarfHXEFcAR1gg7fS/chAE922Sehgzc1/+Tz5H3Ypa1HiEKrg==",
             "dev": true,
+            "funding": [
+                {
+                    "type": "github",
+                    "url": "https://github.com/sponsors/csstools"
+                },
+                {
+                    "type": "opencollective",
+                    "url": "https://opencollective.com/csstools"
+                }
+            ],
             "peer": true,
-            "engines": {
-                "node": ">= 14"
+            "peerDependencies": {
+                "css-tree": "^3.2.1"
+            },
+            "peerDependenciesMeta": {
+                "css-tree": {
+                    "optional": true
+                }
             }
         },
-        "node_modules/jsdom/node_modules/cssstyle": {
-            "version": "4.3.1",
-            "resolved": "https://registry.npmjs.org/cssstyle/-/cssstyle-4.3.1.tgz",
-            "integrity": "sha512-ZgW+Jgdd7i52AaLYCriF8Mxqft0gD/R9i9wi6RWBhs1pqdPEzPjym7rvRKi397WmQFf3SlyUsszhw+VVCbx79Q==",
+        "node_modules/jsdom/node_modules/css-tree": {
+            "version": "3.2.1",
+            "resolved": "https://registry.npmjs.org/css-tree/-/css-tree-3.2.1.tgz",
+            "integrity": "sha512-X7sjQzceUhu1u7Y/ylrRZFU2FS6LRiFVp6rKLPg23y3x3c3DOKAwuXGDp+PAGjh6CSnCjYeAul8pcT8bAl+lSA==",
             "dev": true,
             "peer": true,
             "dependencies": {
-                "@asamuzakjp/css-color": "^3.1.2",
-                "rrweb-cssom": "^0.8.0"
+                "mdn-data": "2.27.1",
+                "source-map-js": "^1.2.1"
             },
             "engines": {
-                "node": ">=18"
+                "node": "^10 || ^12.20.0 || ^14.13.0 || >=15.0.0"
             }
         },
         "node_modules/jsdom/node_modules/data-urls": {
-            "version": "5.0.0",
-            "resolved": "https://registry.npmjs.org/data-urls/-/data-urls-5.0.0.tgz",
-            "integrity": "sha512-ZYP5VBHshaDAiVZxjbRVcFJpc+4xGgT0bK3vzy1HLN8jTO975HEbuYzZJcHoQEY5K1a0z8YayJkyVETa08eNTg==",
+            "version": "7.0.0",
+            "resolved": "https://registry.npmjs.org/data-urls/-/data-urls-7.0.0.tgz",
+            "integrity": "sha512-23XHcCF+coGYevirZceTVD7NdJOqVn+49IHyxgszm+JIiHLoB2TkmPtsYkNWT1pvRSGkc35L6NHs0yHkN2SumA==",
             "dev": true,
             "peer": true,
             "dependencies": {
-                "whatwg-mimetype": "^4.0.0",
-                "whatwg-url": "^14.0.0"
+                "whatwg-mimetype": "^5.0.0",
+                "whatwg-url": "^16.0.0"
             },
             "engines": {
-                "node": ">=18"
+                "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
             }
         },
         "node_modules/jsdom/node_modules/html-encoding-sniffer": {
-            "version": "4.0.0",
-            "resolved": "https://registry.npmjs.org/html-encoding-sniffer/-/html-encoding-sniffer-4.0.0.tgz",
-            "integrity": "sha512-Y22oTqIU4uuPgEemfz7NDJz6OeKf12Lsu+QC+s3BVpda64lTiMYCyGwg5ki4vFxkMwQdeZDl2adZoqUgdFuTgQ==",
+            "version": "6.0.0",
+            "resolved": "https://registry.npmjs.org/html-encoding-sniffer/-/html-encoding-sniffer-6.0.0.tgz",
+            "integrity": "sha512-CV9TW3Y3f8/wT0BRFc1/KAVQ3TUHiXmaAb6VW9vtiMFf7SLoMd1PdAc4W3KFOFETBJUb90KatHqlsZMWV+R9Gg==",
             "dev": true,
             "peer": true,
             "dependencies": {
-                "whatwg-encoding": "^3.1.1"
+                "@exodus/bytes": "^1.6.0"
             },
             "engines": {
-                "node": ">=18"
+                "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
             }
         },
-        "node_modules/jsdom/node_modules/http-proxy-agent": {
-            "version": "7.0.2",
-            "resolved": "https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-7.0.2.tgz",
-            "integrity": "sha512-T1gkAiYYDWYx3V5Bmyu7HcfcvL7mUrTWiM6yOfa3PIphViJ/gFPbvidQ+veqSOHci/PxBcDabeUNCzpOODJZig==",
+        "node_modules/jsdom/node_modules/lru-cache": {
+            "version": "11.3.5",
+            "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.3.5.tgz",
+            "integrity": "sha512-NxVFwLAnrd9i7KUBxC4DrUhmgjzOs+1Qm50D3oF1/oL+r1NpZ4gA7xvG0/zJ8evR7zIKn4vLf7qTNduWFtCrRw==",
             "dev": true,
             "peer": true,
-            "dependencies": {
-                "agent-base": "^7.1.0",
-                "debug": "^4.3.4"
-            },
             "engines": {
-                "node": ">= 14"
+                "node": "20 || >=22"
             }
         },
-        "node_modules/jsdom/node_modules/https-proxy-agent": {
-            "version": "7.0.6",
-            "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-7.0.6.tgz",
-            "integrity": "sha512-vK9P5/iUfdl95AI+JVyUuIcVtd4ofvtrOr3HNtM2yxC9bnMbEdp3x01OhQNnjb8IJYi38VlTE3mBXwcfvywuSw==",
+        "node_modules/jsdom/node_modules/mdn-data": {
+            "version": "2.27.1",
+            "resolved": "https://registry.npmjs.org/mdn-data/-/mdn-data-2.27.1.tgz",
+            "integrity": "sha512-9Yubnt3e8A0OKwxYSXyhLymGW4sCufcLG6VdiDdUGVkPhpqLxlvP5vl1983gQjJl3tqbrM731mjaZaP68AgosQ==",
             "dev": true,
-            "peer": true,
-            "dependencies": {
-                "agent-base": "^7.1.2",
-                "debug": "4"
-            },
-            "engines": {
-                "node": ">= 14"
-            }
+            "peer": true
         },
         "node_modules/jsdom/node_modules/tough-cookie": {
-            "version": "5.1.2",
-            "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-5.1.2.tgz",
-            "integrity": "sha512-FVDYdxtnj0G6Qm/DhNPSb8Ju59ULcup3tuJxkFb5K8Bv2pUXILbf0xZWU8PX8Ov19OXljbUyveOFwRMwkXzO+A==",
+            "version": "6.0.1",
+            "resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-6.0.1.tgz",
+            "integrity": "sha512-LktZQb3IeoUWB9lqR5EWTHgW/VTITCXg4D21M+lvybRVdylLrRMnqaIONLVb5mav8vM19m44HIcGq4qASeu2Qw==",
             "dev": true,
             "peer": true,
             "dependencies": {
-                "tldts": "^6.1.32"
+                "tldts": "^7.0.5"
             },
             "engines": {
                 "node": ">=16"
             }
         },
         "node_modules/jsdom/node_modules/tr46": {
-            "version": "5.1.1",
-            "resolved": "https://registry.npmjs.org/tr46/-/tr46-5.1.1.tgz",
-            "integrity": "sha512-hdF5ZgjTqgAntKkklYw0R03MG2x/bSzTtkxmIRw/sTNV8YXsCJ1tfLAX23lhxhHJlEf3CRCOCGGWw3vI3GaSPw==",
+            "version": "6.0.0",
+            "resolved": "https://registry.npmjs.org/tr46/-/tr46-6.0.0.tgz",
+            "integrity": "sha512-bLVMLPtstlZ4iMQHpFHTR7GAGj2jxi8Dg0s2h2MafAE4uSWF98FC/3MomU51iQAMf8/qDUbKWf5GxuvvVcXEhw==",
             "dev": true,
             "peer": true,
             "dependencies": {
                 "punycode": "^2.3.1"
             },
             "engines": {
-                "node": ">=18"
+                "node": ">=20"
             }
         },
         "node_modules/jsdom/node_modules/webidl-conversions": {
-            "version": "7.0.0",
-            "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-7.0.0.tgz",
-            "integrity": "sha512-VwddBukDzu71offAQR975unBIGqfKZpM+8ZX6ySk8nYhVoo5CYaZyzt3YBvYtRtO+aoGlqxPg/B87NGVZ/fu6g==",
-            "dev": true,
-            "peer": true,
-            "engines": {
-                "node": ">=12"
-            }
-        },
-        "node_modules/jsdom/node_modules/whatwg-encoding": {
-            "version": "3.1.1",
-            "resolved": "https://registry.npmjs.org/whatwg-encoding/-/whatwg-encoding-3.1.1.tgz",
-            "integrity": "sha512-6qN4hJdMwfYBtE3YBTTHhoeuUrDBPZmbQaxWAqSALV/MeEnR5z1xd8UKud2RAkFoPkmB+hli1TZSnyi84xz1vQ==",
+            "version": "8.0.1",
+            "resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-8.0.1.tgz",
+            "integrity": "sha512-BMhLD/Sw+GbJC21C/UgyaZX41nPt8bUTg+jWyDeg7e7YN4xOM05YPSIXceACnXVtqyEw/LMClUQMtMZ+PGGpqQ==",
             "dev": true,
             "peer": true,
-            "dependencies": {
-                "iconv-lite": "0.6.3"
-            },
             "engines": {
-                "node": ">=18"
+                "node": ">=20"
             }
         },
         "node_modules/jsdom/node_modules/whatwg-mimetype": {
-            "version": "4.0.0",
-            "resolved": "https://registry.npmjs.org/whatwg-mimetype/-/whatwg-mimetype-4.0.0.tgz",
-            "integrity": "sha512-QaKxh0eNIi2mE9p2vEdzfagOKHCcj1pJ56EEHGQOVxp8r9/iszLUUV7v89x9O1p/T+NlTM5W7jW6+cz4Fq1YVg==",
+            "version": "5.0.0",
+            "resolved": "https://registry.npmjs.org/whatwg-mimetype/-/whatwg-mimetype-5.0.0.tgz",
+            "integrity": "sha512-sXcNcHOC51uPGF0P/D4NVtrkjSU2fNsm9iog4ZvZJsL3rjoDAzXZhkm2MWt1y+PUdggKAYVoMAIYcs78wJ51Cw==",
             "dev": true,
             "peer": true,
             "engines": {
-                "node": ">=18"
+                "node": ">=20"
             }
         },
         "node_modules/jsdom/node_modules/whatwg-url": {
-            "version": "14.2.0",
-            "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-14.2.0.tgz",
-            "integrity": "sha512-De72GdQZzNTUBBChsXueQUnPKDkg/5A5zp7pFDuQAj5UFoENpiACU0wlCvzpAGnTkj++ihpKwKyYewn/XNUbKw==",
+            "version": "16.0.1",
+            "resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-16.0.1.tgz",
+            "integrity": "sha512-1to4zXBxmXHV3IiSSEInrreIlu02vUOvrhxJJH5vcxYTBDAx51cqZiKdyTxlecdKNSjj8EcxGBxNf6Vg+945gw==",
             "dev": true,
             "peer": true,
             "dependencies": {
-                "tr46": "^5.1.0",
-                "webidl-conversions": "^7.0.0"
+                "@exodus/bytes": "^1.11.0",
+                "tr46": "^6.0.0",
+                "webidl-conversions": "^8.0.1"
             },
             "engines": {
-                "node": ">=18"
+                "node": "^20.19.0 || ^22.12.0 || >=24.0.0"
             }
         },
         "node_modules/jsdom/node_modules/xml-name-validator": {
@@ -17185,26 +17301,26 @@
             }
         },
         "node_modules/parse5": {
-            "version": "7.3.0",
-            "resolved": "https://registry.npmjs.org/parse5/-/parse5-7.3.0.tgz",
-            "integrity": "sha512-IInvU7fabl34qmi9gY8XOVxhYyMyuH2xUNpb2q8/Y+7552KlejkRvqvD19nMoUW/uQGGbqNpA6Tufu5FL5BZgw==",
+            "version": "8.0.1",
+            "resolved": "https://registry.npmjs.org/parse5/-/parse5-8.0.1.tgz",
+            "integrity": "sha512-z1e/HMG90obSGeidlli3hj7cbocou0/wa5HacvI3ASx34PecNjNQeaHNo5WIZpWofN9kgkqV1q5YvXe3F0FoPw==",
             "dev": true,
             "peer": true,
             "dependencies": {
-                "entities": "^6.0.0"
+                "entities": "^8.0.0"
             },
             "funding": {
                 "url": "https://github.com/inikulin/parse5?sponsor=1"
             }
         },
         "node_modules/parse5/node_modules/entities": {
-            "version": "6.0.0",
-            "resolved": "https://registry.npmjs.org/entities/-/entities-6.0.0.tgz",
-            "integrity": "sha512-aKstq2TDOndCn4diEyp9Uq/Flu2i1GlLkc6XIDQSDMuaFE3OPW5OphLCyQ5SpSJZTb4reN+kTcYru5yIfXoRPw==",
+            "version": "8.0.0",
+            "resolved": "https://registry.npmjs.org/entities/-/entities-8.0.0.tgz",
+            "integrity": "sha512-zwfzJecQ/Uej6tusMqwAqU/6KL2XaB2VZ2Jg54Je6ahNBGNH6Ek6g3jjNCF0fG9EWQKGZNddNjU5F1ZQn/sBnA==",
             "dev": true,
             "peer": true,
             "engines": {
-                "node": ">=0.12"
+                "node": ">=20.19.0"
             },
             "funding": {
                 "url": "https://github.com/fb55/entities?sponsor=1"
@@ -18259,6 +18375,11 @@
                 "quill": "^1.3.5"
             }
         },
+        "node_modules/quill-paste-smart/node_modules/dompurify": {
+            "version": "2.5.9",
+            "resolved": "https://registry.npmjs.org/dompurify/-/dompurify-2.5.9.tgz",
+            "integrity": "sha512-i6mvVmWN4xo9LrhCOZrDgSs9noW6nOahbrmzjRbPF36YPyj5Ue5lgok0MHDWkG7xzpWFO2OYttXdzM7rJxHvNA=="
+        },
         "node_modules/randombytes": {
             "version": "2.1.0",
             "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz",
@@ -18657,13 +18778,6 @@
                 "inherits": "^2.0.1"
             }
         },
-        "node_modules/rrweb-cssom": {
-            "version": "0.8.0",
-            "resolved": "https://registry.npmjs.org/rrweb-cssom/-/rrweb-cssom-0.8.0.tgz",
-            "integrity": "sha512-guoltQEx+9aMf2gDZ0s62EcV8lsXR+0w8915TC3ITdn2YueuNjdAYh/levpU9nFaoChh9RUS5ZdQMrKfVEN9tw==",
-            "dev": true,
-            "peer": true
-        },
         "node_modules/run-parallel": {
             "version": "1.2.0",
             "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz",
@@ -18890,13 +19004,10 @@
             }
         },
         "node_modules/semver": {
-            "version": "7.5.4",
-            "resolved": "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz",
-            "integrity": "sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==",
+            "version": "7.7.4",
+            "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.4.tgz",
+            "integrity": "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==",
             "dev": true,
-            "dependencies": {
-                "lru-cache": "^6.0.0"
-            },
             "bin": {
                 "semver": "bin/semver.js"
             },
@@ -18904,24 +19015,6 @@
                 "node": ">=10"
             }
         },
-        "node_modules/semver/node_modules/lru-cache": {
-            "version": "6.0.0",
-            "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-6.0.0.tgz",
-            "integrity": "sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==",
-            "dev": true,
-            "dependencies": {
-                "yallist": "^4.0.0"
-            },
-            "engines": {
-                "node": ">=10"
-            }
-        },
-        "node_modules/semver/node_modules/yallist": {
-            "version": "4.0.0",
-            "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz",
-            "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==",
-            "dev": true
-        },
         "node_modules/send": {
             "version": "0.16.2",
             "resolved": "https://registry.npmjs.org/send/-/send-0.16.2.tgz",
@@ -19999,22 +20092,22 @@
             "integrity": "sha512-NB6Dk1A9xgQPMoGqC5CVXn123gWyte215ONT5Pp5a0yt4nlEoO1ZWeCwpncaekPHXO60i47ihFnZPiRPjRMq4Q=="
         },
         "node_modules/tldts": {
-            "version": "6.1.86",
-            "resolved": "https://registry.npmjs.org/tldts/-/tldts-6.1.86.tgz",
-            "integrity": "sha512-WMi/OQ2axVTf/ykqCQgXiIct+mSQDFdH2fkwhPwgEwvJ1kSzZRiinb0zF2Xb8u4+OqPChmyI6MEu4EezNJz+FQ==",
+            "version": "7.0.28",
+            "resolved": "https://registry.npmjs.org/tldts/-/tldts-7.0.28.tgz",
+            "integrity": "sha512-+Zg3vWhRUv8B1maGSTFdev9mjoo8Etn2Ayfs4cnjlD3CsGkxXX4QyW3j2WJ0wdjYcYmy7Lx2RDsZMhgCWafKIw==",
             "dev": true,
             "peer": true,
             "dependencies": {
-                "tldts-core": "^6.1.86"
+                "tldts-core": "^7.0.28"
             },
             "bin": {
                 "tldts": "bin/cli.js"
             }
         },
         "node_modules/tldts-core": {
-            "version": "6.1.86",
-            "resolved": "https://registry.npmjs.org/tldts-core/-/tldts-core-6.1.86.tgz",
-            "integrity": "sha512-Je6p7pkk+KMzMv2XXKmAE3McmolOQFdxkKw0R8EYNr7sELW46JqnNeTX8ybPiQgvg1ymCoF8LXs5fzFaZvJPTA==",
+            "version": "7.0.28",
+            "resolved": "https://registry.npmjs.org/tldts-core/-/tldts-core-7.0.28.tgz",
+            "integrity": "sha512-7W5Efjhsc3chVdFhqtaU0KtK32J37Zcr9RKtID54nG+tIpcY79CQK/veYPODxtD/LJ4Lue66jvrQzIX2Z2/pUQ==",
             "dev": true,
             "peer": true
         },
@@ -20197,6 +20290,16 @@
                 "node": "*"
             }
         },
+        "node_modules/undici": {
+            "version": "7.25.0",
+            "resolved": "https://registry.npmjs.org/undici/-/undici-7.25.0.tgz",
+            "integrity": "sha512-xXnp4kTyor2Zq+J1FfPI6Eq3ew5h6Vl0F/8d9XU5zZQf1tX9s2Su1/3PiMmUANFULpmksxkClamIZcaUqryHsQ==",
+            "dev": true,
+            "peer": true,
+            "engines": {
+                "node": ">=20.18.1"
+            }
+        },
         "node_modules/unicode-canonical-property-names-ecmascript": {
             "version": "2.0.0",
             "resolved": "https://registry.npmjs.org/unicode-canonical-property-names-ecmascript/-/unicode-canonical-property-names-ecmascript-2.0.0.tgz",

From 624bfb3622f4bd0fa72ab895435f8d3e87b1ab25 Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Thu, 23 Apr 2026 10:15:26 -0700
Subject: [PATCH 11/12] revert: use HTML 4 for purify
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

HTMLPurifier doesn't support HTML 5 as a doctype value — it throws at
runtime. The Html5Definition class from stevebauman/purify adds HTML5
element support on top of the HTML 4.01 base, so HTML 4.01 Transitional
+ Html5Definition is the intended pairing.
---
 config/purify.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/purify.php b/config/purify.php
index a261fd27e5..e9b68556f9 100644
--- a/config/purify.php
+++ b/config/purify.php
@@ -41,7 +41,7 @@
 
         'default' => [
             'Core.Encoding' => 'utf-8',
-            'HTML.Doctype' => 'HTML 5',
+            'HTML.Doctype' => 'HTML 4.01 Transitional',
             'HTML.Allowed' => 'h1,h2,h3,h4,h5,h6,b,u,strong,i,em,s,del,a[href|title],ul,ol,li,p[style],br,span,img[width|height|alt|src],blockquote',
             'HTML.ForbiddenElements' => '',
             'CSS.AllowedProperties' => 'font,font-size,font-weight,font-style,font-family,text-decoration,padding-left,color,background-color,text-align',

From 4a3d914ad9f461a6555c1abc2b0c64804feaa4ed Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Thu, 23 Apr 2026 10:33:19 -0700
Subject: [PATCH 12/12] fix(xss): escape user fields in user list and add
 location mutator

Replaces raw <?php echo ?> with Blade {{ }} for user name and
location in the user list template. Adds setLocationAttribute
mutator to User model to strip HTML tags from the location field
on storage, preventing stored XSS via the location/town field.
---
 app/Models/User.php                | 5 +++++
 resources/views/user/all.blade.php | 6 +++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/app/Models/User.php b/app/Models/User.php
index af2afb1cd0..40c1d0bd55 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -70,6 +70,11 @@ public function setNameAttribute($value)
         $this->attributes['name'] = $value === null ? null : strip_tags((string) $value);
     }
 
+    public function setLocationAttribute($value)
+    {
+        $this->attributes['location'] = $value === null ? null : strip_tags((string) $value);
+    }
+
     public function setBiographyAttribute($value)
     {
         $this->attributes['biography'] = $value === null ? null : Purify::clean((string) $value);
diff --git a/resources/views/user/all.blade.php b/resources/views/user/all.blade.php
index f674da135d..cd77a9c740 100644
--- a/resources/views/user/all.blade.php
+++ b/resources/views/user/all.blade.php
@@ -168,9 +168,9 @@
                       <td>
 
                           @if(App\Helpers\Fixometer::hasRole($user, 'Administrator'))
-                          <a href="/user/edit/<?php echo $u->id; ?>"><?php echo $u->name; ?></a>
+                          <a href="/user/edit/{{ $u->id }}">{{ $u->name }}</a>
                           @else
-                          <?php echo $u->name; ?>
+                          {{ $u->name }}
                           @endif
 
                       </td>
@@ -191,7 +191,7 @@
                       </td>
                       <td class="d-none d-sm-table-cell">
                         @if (!empty($u->location))
-                          <?php echo $u->location; ?>
+                          {{ $u->location }}
                         @else
                           N/A
                         @endif