From f00686021ad3cc3cc6b05f2ebfaedcaaa9cf6c74 Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Mon, 27 Apr 2026 13:55:35 -0700
Subject: [PATCH 1/7] fix(model): add Purify mutator to Alert model

Alert HTML content was stored without sanitization, enabling stored
XSS if an attacker could create alerts (e.g. via privilege escalation).
The setHtmlAttribute mutator ensures all HTML is cleaned through
HTMLPurifier before persistence, matching the pattern already
established on Group, Party, User, and Network models.
---
 app/Models/Alert.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/app/Models/Alert.php b/app/Models/Alert.php
index d4c15b6956..9ad283465a 100644
--- a/app/Models/Alert.php
+++ b/app/Models/Alert.php
@@ -8,6 +8,7 @@
 use Illuminate\Support\Facades\Lang;
 use Illuminate\Support\Facades\Log;
 use OwenIt\Auditing\Contracts\Auditable;
+use Stevebauman\Purify\Facades\Purify;
 
 class Alert extends Model implements Auditable
 {
@@ -32,4 +33,9 @@ class Alert extends Model implements Auditable
         'end',
         'variant'
     ];
+
+    public function setHtmlAttribute($value)
+    {
+        $this->attributes['html'] = $value === null ? null : Purify::clean((string) $value);
+    }
 }

From 14b57c9a5f8b19e00f45b14ed6dbb6a810222f6b Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Mon, 27 Apr 2026 13:56:09 -0700
Subject: [PATCH 2/7] fix(vue): add DOMPurify sanitization to AlertBanner

AlertBanner rendered alert HTML via v-html without client-side
sanitization. This adds DOMPurify as a defense-in-depth layer
alongside the server-side Purify mutator on the Alert model,
matching the pattern used in ReadMore.vue.
---
 resources/js/components/AlertBanner.vue | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/resources/js/components/AlertBanner.vue b/resources/js/components/AlertBanner.vue
index 16096db683..6bfebcb9ca 100644
--- a/resources/js/components/AlertBanner.vue
+++ b/resources/js/components/AlertBanner.vue
@@ -10,7 +10,7 @@
               <!-- <span class='badge badge-warning'>NEW!</span> -->
               <strong>{{ alert.title }}</strong>
             </div>
-            <div v-html="alert.html" />
+            <div v-html="sanitize(alert.html)" />
           </div>
         </div>
 
@@ -24,6 +24,7 @@
 </template>
 <script>
 import moment from 'moment'
+import DOMPurify from 'dompurify'
 
 export default {
   computed: {
@@ -53,6 +54,9 @@ export default {
     await this.$store.dispatch('alerts/fetch')
   },
   methods: {
+    sanitize(html) {
+      return DOMPurify.sanitize(html)
+    },
     dismissed(id) {
       try {
         localStorage.setItem('alert-' + id, true)

From 56649e087b0354a6d6e16b575a7fda7f2cbbe335 Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Mon, 27 Apr 2026 13:56:38 -0700
Subject: [PATCH 3/7] refactor(vue): extract shared escapeHtml helper

The escapeHtml function was duplicated verbatim in GroupActions.vue
and GroupPage.vue. This extracts it into a shared helper module so
there is one canonical implementation for HTML-escaping user data
in Vue template interpolations.
---
 resources/js/components/GroupActions.vue | 7 ++-----
 resources/js/components/GroupPage.vue    | 7 ++-----
 resources/js/helpers/escapeHtml.js       | 5 +++++
 3 files changed, 9 insertions(+), 10 deletions(-)
 create mode 100644 resources/js/helpers/escapeHtml.js

diff --git a/resources/js/components/GroupActions.vue b/resources/js/components/GroupActions.vue
index 73046e2656..5e20cf6c25 100644
--- a/resources/js/components/GroupActions.vue
+++ b/resources/js/components/GroupActions.vue
@@ -66,6 +66,7 @@
 <script>
 import group from '../mixins/group'
 import ConfirmModal from './ConfirmModal'
+import { escapeHtml } from '../helpers/escapeHtml'
 
 export default {
   components: { ConfirmModal },
@@ -100,11 +101,7 @@ export default {
     }
   },
   methods: {
-    escapeHtml(str) {
-      const el = document.createElement('span')
-      el.textContent = str
-      return el.innerHTML
-    },
+    escapeHtml,
     leaveGroup() {
       this.$refs.confirmLeave.show()
     },
diff --git a/resources/js/components/GroupPage.vue b/resources/js/components/GroupPage.vue
index e46a6ccc19..8e5ff11dfb 100644
--- a/resources/js/components/GroupPage.vue
+++ b/resources/js/components/GroupPage.vue
@@ -60,6 +60,7 @@ import GroupDevicesMostRepaired from './GroupDevicesMostRepaired'
 import GroupDevicesBreakdown from './GroupDevicesBreakdown'
 import AlertBanner from './AlertBanner'
 import auth from '../mixins/auth'
+import { escapeHtml } from '../helpers/escapeHtml'
 
 export default {
   components: {
@@ -160,11 +161,7 @@ export default {
     }
   },
   methods: {
-    escapeHtml(str) {
-      const el = document.createElement('span')
-      el.textContent = str
-      return el.innerHTML
-    },
+    escapeHtml,
   },
   computed: {
     group() {
diff --git a/resources/js/helpers/escapeHtml.js b/resources/js/helpers/escapeHtml.js
new file mode 100644
index 0000000000..3eed4ecbf4
--- /dev/null
+++ b/resources/js/helpers/escapeHtml.js
@@ -0,0 +1,5 @@
+export function escapeHtml(str) {
+  const el = document.createElement('span')
+  el.textContent = str
+  return el.innerHTML
+}

From 520cf88a88b822074e8c62fe8fac6d7200345efb Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Mon, 27 Apr 2026 13:57:00 -0700
Subject: [PATCH 4/7] fix(vue): sanitize ReadMore text prop and fix reference
 bug

The text prop path rendered via v-html without DOMPurify sanitization.
While no current callers use this path, it was an unsanitized sink that
could introduce XSS if a future caller wired up the text prop. Also
fixed a ReferenceError where text.length and maxChars were missing
their this. prefix in the needsTruncating computed property.
---
 resources/js/components/ReadMore.vue | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/resources/js/components/ReadMore.vue b/resources/js/components/ReadMore.vue
index 61115143b8..ba3cec17f6 100644
--- a/resources/js/components/ReadMore.vue
+++ b/resources/js/components/ReadMore.vue
@@ -69,7 +69,7 @@ export default {
         val_container = val_container.substring(0, this.maxChars) + "...";
       }
 
-      return val_container;
+      return DOMPurify.sanitize(val_container);
     },
     sanitizedHtml() {
       return this.html ? DOMPurify.sanitize(this.html) : null
@@ -84,7 +84,7 @@ export default {
       return this.truncatedHTML ? DOMPurify.sanitize(this.truncatedHTML) : null
     },
     needsTruncating() {
-      if (this.text && (text.length > maxChars)) {
+      if (this.text && (this.text.length > this.maxChars)) {
         return true
       }
 

From 023d5477da3b5075b334aafb9c15d85ded09ceb5 Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Mon, 27 Apr 2026 13:57:21 -0700
Subject: [PATCH 5/7] fix(controller): escape user emails in flash messages

The invite flows in GroupController and PartyController interpolated
user-supplied email addresses into translation strings rendered via
{!! !!} without escaping. This wraps them with e() to prevent XSS
through crafted email-like input.
---
 app/Http/Controllers/GroupController.php | 2 +-
 app/Http/Controllers/PartyController.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/Http/Controllers/GroupController.php b/app/Http/Controllers/GroupController.php
index ca28014d04..ee53843508 100644
--- a/app/Http/Controllers/GroupController.php
+++ b/app/Http/Controllers/GroupController.php
@@ -376,7 +376,7 @@ public function postSendInvite(Request $request): RedirectResponse
 
         // Don't log to Sentry - legitimate user error.
         return redirect()->back()->with('warning', __('groups.invite_success_apart_from', [
-            'emails' => rtrim(implode(', ', $not_sent))
+            'emails' => e(rtrim(implode(', ', $not_sent)))
         ]));
     }
 
diff --git a/app/Http/Controllers/PartyController.php b/app/Http/Controllers/PartyController.php
index 3dce9bd2bd..1e884a51bc 100644
--- a/app/Http/Controllers/PartyController.php
+++ b/app/Http/Controllers/PartyController.php
@@ -704,7 +704,7 @@ public function postSendInvite(Request $request): RedirectResponse
 
             // Don't log to Sentry - legitimate user error.
             return redirect()->back()->with('warning', __('events.invite_invalid_emails', [
-                'emails' => implode(', ', $not_sent)
+                'emails' => e(implode(', ', $not_sent))
             ]));
         }
 

From c95ef22196192dd88fb3706b6b2e7e85d8f1ec8a Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Mon, 27 Apr 2026 13:57:37 -0700
Subject: [PATCH 6/7] fix(config): add tel URI scheme to HTMLPurifier allowlist

Mobile click-to-call links (tel: URIs) are a reasonable thing to
allow in sanitized descriptions and carry no XSS risk unlike
javascript: or data: URIs.
---
 config/purify.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/purify.php b/config/purify.php
index e9b68556f9..61fdc2ef49 100644
--- a/config/purify.php
+++ b/config/purify.php
@@ -49,6 +49,7 @@
                 'http' => true,
                 'https' => true,
                 'mailto' => true,
+                'tel' => true,
             ],
             'AutoFormat.AutoParagraph' => false,
             'AutoFormat.RemoveEmpty' => false,

From 84dbe41636d3e4a030bb81ad5f88728e43bb2b9a Mon Sep 17 00:00:00 2001
From: Angel de la Torre <angel.dlt.1996@gmail.com>
Date: Mon, 27 Apr 2026 13:57:55 -0700
Subject: [PATCH 7/7] fix(deps): update axios to fix known CVEs

Bumps axios from ^1.6.4 to ^1.15.0 to exit the vulnerable range
(1.0.0-1.14.0) which includes SSRF, credential leakage, and CSRF
vulnerabilities. This is the minimum version bump needed to resolve
the CVEs without a major version change.
---
 package-lock.json | 68 ++++++++++++++++++++++++++++++++---------------
 package.json      |  4 +--
 2 files changed, 49 insertions(+), 23 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index d8a72208d4..5f719bc77b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -62,7 +62,7 @@
                 "@playwright/test": "^1.14.1",
                 "@vue/test-utils": "^1.3.6",
                 "@vue/vue2-jest": "^28.1.0",
-                "axios": "^1.6.4",
+                "axios": "^1.15.2",
                 "babel-jest": "^28.1.0",
                 "bootstrap": "^4.6.1",
                 "browser-sync": "^2.27.11",
@@ -4690,14 +4690,15 @@
             }
         },
         "node_modules/axios": {
-            "version": "1.8.4",
-            "resolved": "https://registry.npmjs.org/axios/-/axios-1.8.4.tgz",
-            "integrity": "sha512-eBSYY4Y68NNlHbHBMdeDmKNtDgXWhQsJcGqzO3iLUM0GraQFSS9cVgPX5I9b3lbdFKyYoAEGAZF1DwhTaljNAw==",
+            "version": "1.15.2",
+            "resolved": "https://registry.npmjs.org/axios/-/axios-1.15.2.tgz",
+            "integrity": "sha512-wLrXxPtcrPTsNlJmKjkPnNPK2Ihe0hn0wGSaTEiHRPxwjvJwT3hKmXF4dpqxmPO9SoNb2FsYXj/xEo0gHN+D5A==",
             "dev": true,
+            "license": "MIT",
             "dependencies": {
-                "follow-redirects": "^1.15.6",
-                "form-data": "^4.0.0",
-                "proxy-from-env": "^1.1.0"
+                "follow-redirects": "^1.15.11",
+                "form-data": "^4.0.5",
+                "proxy-from-env": "^2.1.0"
             }
         },
         "node_modules/babel-jest": {
@@ -7620,6 +7621,22 @@
                 "node": ">= 0.4"
             }
         },
+        "node_modules/es-set-tostringtag": {
+            "version": "2.1.0",
+            "resolved": "https://registry.npmjs.org/es-set-tostringtag/-/es-set-tostringtag-2.1.0.tgz",
+            "integrity": "sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==",
+            "dev": true,
+            "license": "MIT",
+            "dependencies": {
+                "es-errors": "^1.3.0",
+                "get-intrinsic": "^1.2.6",
+                "has-tostringtag": "^1.0.2",
+                "hasown": "^2.0.2"
+            },
+            "engines": {
+                "node": ">= 0.4"
+            }
+        },
         "node_modules/es6-error": {
             "version": "4.1.1",
             "resolved": "https://registry.npmjs.org/es6-error/-/es6-error-4.1.1.tgz",
@@ -8294,9 +8311,9 @@
             "integrity": "sha512-3jkThaKmc6v62mUQwCBcnTsQEGLAxSIQOMK0U3o7tt3MSjNPaBc/lmaDFaJrWnFmV9LM4Jk3w/cROYJgOMJgHA=="
         },
         "node_modules/follow-redirects": {
-            "version": "1.15.6",
-            "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.6.tgz",
-            "integrity": "sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==",
+            "version": "1.16.0",
+            "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz",
+            "integrity": "sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw==",
             "dev": true,
             "funding": [
                 {
@@ -8304,6 +8321,7 @@
                     "url": "https://github.com/sponsors/RubenVerborgh"
                 }
             ],
+            "license": "MIT",
             "engines": {
                 "node": ">=4.0"
             },
@@ -8335,13 +8353,16 @@
             }
         },
         "node_modules/form-data": {
-            "version": "4.0.0",
-            "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.0.tgz",
-            "integrity": "sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww==",
+            "version": "4.0.5",
+            "resolved": "https://registry.npmjs.org/form-data/-/form-data-4.0.5.tgz",
+            "integrity": "sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==",
             "dev": true,
+            "license": "MIT",
             "dependencies": {
                 "asynckit": "^0.4.0",
                 "combined-stream": "^1.0.8",
+                "es-set-tostringtag": "^2.1.0",
+                "hasown": "^2.0.2",
                 "mime-types": "^2.1.12"
             },
             "engines": {
@@ -8677,11 +8698,12 @@
             }
         },
         "node_modules/has-tostringtag": {
-            "version": "1.0.0",
-            "resolved": "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.0.tgz",
-            "integrity": "sha512-kFjcSNhnlGV1kyoGk7OXKSawH5JOb/LzUc5w9B02hOTO0dfFRjbHQKvg1d6cf3HbeUmtU9VbbV3qzZ2Teh97WQ==",
+            "version": "1.0.2",
+            "resolved": "https://registry.npmjs.org/has-tostringtag/-/has-tostringtag-1.0.2.tgz",
+            "integrity": "sha512-NqADB8VjPFLM2V0VvHUewwwsw0ZWBaIdgo+ieHtK3hasLz4qeCRjYcqfB6AQrBggRKppKF8L52/VqdVsO47Dlw==",
+            "license": "MIT",
             "dependencies": {
-                "has-symbols": "^1.0.2"
+                "has-symbols": "^1.0.3"
             },
             "engines": {
                 "node": ">= 0.4"
@@ -18235,10 +18257,14 @@
             }
         },
         "node_modules/proxy-from-env": {
-            "version": "1.1.0",
-            "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-1.1.0.tgz",
-            "integrity": "sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==",
-            "dev": true
+            "version": "2.1.0",
+            "resolved": "https://registry.npmjs.org/proxy-from-env/-/proxy-from-env-2.1.0.tgz",
+            "integrity": "sha512-cJ+oHTW1VAEa8cJslgmUZrc+sjRKgAKl3Zyse6+PV38hZe/V6Z14TbCuXcan9F9ghlz4QrFr2c92TNF82UkYHA==",
+            "dev": true,
+            "license": "MIT",
+            "engines": {
+                "node": ">=10"
+            }
         },
         "node_modules/pseudomap": {
             "version": "1.0.2",
diff --git a/package.json b/package.json
index 54643f4b06..0dbeceadf4 100644
--- a/package.json
+++ b/package.json
@@ -18,11 +18,12 @@
         "@playwright/test": "^1.14.1",
         "@vue/test-utils": "^1.3.6",
         "@vue/vue2-jest": "^28.1.0",
-        "axios": "^1.6.4",
+        "axios": "^1.15.2",
         "babel-jest": "^28.1.0",
         "bootstrap": "^4.6.1",
         "browser-sync": "^2.27.11",
         "browser-sync-webpack-plugin": "^2.3.0",
+        "concurrently": "^9.0.1",
         "faker": "^5.5.3",
         "jest": "^28.1.0",
         "jest-environment-jsdom": "^28.1.0",
@@ -44,7 +45,6 @@
         "vue": "^2.7.14",
         "vue-loader": "^15.10.1",
         "vue-template-compiler": "^2.7.14",
-        "concurrently": "^9.0.1",
         "webpack-shell-plugin-next": "^2.3.1"
     },
     "dependencies": {