fix(security): address critical and high findings from security audit

Fix stored XSS in tasks (titles/subtasks) and settings (member list)
by applying escHtml(). Harden trust proxy to loopback default, add
OAuth state parameter for Google Calendar CSRF protection, sanitize
CSV export against formula injection, invalidate sessions on user
deletion, restrict usernames to alphanumeric chars, and require admin
role for calendar sync triggers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

CHANGELOG.md

@@ -7,6 +7,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.5.9] - 2026-04-03
+
+### Security
+- Fix stored XSS in task titles and subtask titles - all user-provided text in tasks.js is now escaped via `escHtml()` before insertion into innerHTML templates
+- Fix stored XSS in settings page member list - display_name and username are now escaped via `escHtml()` in `memberHtml()`
+- Fix rate limiter bypass via X-Forwarded-For IP spoofing - `trust proxy` now defaults to `loopback` instead of unconditional `1`; configurable via `TRUST_PROXY` env var
+- Fix Google OAuth CSRF - add cryptographic `state` parameter to OAuth flow, validated on callback
+- Fix CSV injection in budget export - fields starting with `=`, `+`, `-`, `@`, tab, or carriage return are now prefixed with apostrophe
+- Fix missing session invalidation on user deletion - all active sessions of deleted users are now destroyed
+- Restrict username to `[a-zA-Z0-9._-]` with minimum 3 characters, preventing HTML/script injection via usernames
+- Restrict Google Calendar sync trigger (`POST /google/sync`) and Apple Calendar sync trigger (`POST /apple/sync`) to admin role
+- Add warning log when Apple CalDAV credentials are stored without DB encryption enabled
+
 ## [0.5.8] - 2026-04-03
 
 ### Added
@@ -184,7 +197,14 @@ Initial release of Oikos - a self-hosted family planner for 2–6 person househo
 - No user data cached by service worker (API requests are network-only)
 - Hardened `.gitignore` and `.dockerignore` to prevent accidental secret or binary leakage
 
-[Unreleased]: https://github.com/ulsklyc/oikos/compare/v0.5.2...HEAD
+[Unreleased]: https://github.com/ulsklyc/oikos/compare/v0.5.9...HEAD
+[0.5.9]: https://github.com/ulsklyc/oikos/compare/v0.5.8...v0.5.9
+[0.5.8]: https://github.com/ulsklyc/oikos/compare/v0.5.7...v0.5.8
+[0.5.7]: https://github.com/ulsklyc/oikos/compare/v0.5.6...v0.5.7
+[0.5.6]: https://github.com/ulsklyc/oikos/compare/v0.5.5...v0.5.6
+[0.5.5]: https://github.com/ulsklyc/oikos/compare/v0.5.4...v0.5.5
+[0.5.4]: https://github.com/ulsklyc/oikos/compare/v0.5.3...v0.5.4
+[0.5.3]: https://github.com/ulsklyc/oikos/compare/v0.5.2...v0.5.3
 [0.5.2]: https://github.com/ulsklyc/oikos/compare/v0.5.1...v0.5.2
 [0.5.1]: https://github.com/ulsklyc/oikos/compare/v0.5.0...v0.5.1
 [0.5.0]: https://github.com/ulsklyc/oikos/compare/v0.4.0...v0.5.0

package.json

@@ -1,6 +1,6 @@
 {
   "name": "oikos",
-  "version": "0.5.8",
+  "version": "0.5.9",
   "description": "Selbstgehosteter Familienplaner - Kalender, Aufgaben, Einkauf, Essensplan, Budget und mehr. Privat, offen, ohne Abo.",
   "main": "server/index.js",
   "engines": {

public/pages/settings.js

@@ -488,15 +488,24 @@ function bindDeleteButtons(container, user) {
 // Helfer
 // --------------------------------------------------------
 
+function escHtml(str) {
+  if (!str) return '';
+  return String(str)
+    .replace(/&/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;');
+}
+
 function memberHtml(u) {
   return `
     <li class="settings-member" data-id="${u.id}">
-      <div class="settings-avatar settings-avatar--sm" style="background:${u.avatar_color}">${initials(u.display_name)}</div>
+      <div class="settings-avatar settings-avatar--sm" style="background:${escHtml(u.avatar_color)}">${initials(u.display_name)}</div>
       <div class="settings-member__info">
-        <span class="settings-member__name">${u.display_name}</span>
-        <span class="settings-member__meta">@${u.username} · ${u.role === 'admin' ? t('settings.roleAdmin') : t('settings.roleMember')}</span>
+        <span class="settings-member__name">${escHtml(u.display_name)}</span>
+        <span class="settings-member__meta">@${escHtml(u.username)} · ${u.role === 'admin' ? t('settings.roleAdmin') : t('settings.roleMember')}</span>
       </div>
-      <button class="btn btn--icon btn--danger-outline" data-delete-user="${u.id}" data-name="${u.display_name}" aria-label="${u.display_name} ${t('settings.deleteMemberLabel')}" title="${t('settings.deleteMemberLabel')}">
+      <button class="btn btn--icon btn--danger-outline" data-delete-user="${u.id}" data-name="${escHtml(u.display_name)}" aria-label="${escHtml(u.display_name)} ${t('settings.deleteMemberLabel')}" title="${t('settings.deleteMemberLabel')}">
         <i data-lucide="trash-2" aria-hidden="true"></i>
       </button>
     </li>

public/pages/tasks.js

@@ -10,6 +10,15 @@ import { openModal as openSharedModal, closeModal, wireBlurValidation, btnSucces
 import { stagger, vibrate } from '/utils/ux.js';
 import { t, formatDate } from '/i18n.js';
 
+function escHtml(str) {
+  if (!str) return '';
+  return String(str)
+    .replace(/&/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;');
+}
+
 // --------------------------------------------------------
 // Konstanten
 // --------------------------------------------------------
@@ -155,7 +164,7 @@ function renderTaskCard(task, opts = {}) {
                   data-status="${s.status}" aria-label="${t('tasks.subtaskMarkDone', { title: s.title })}">
             ${s.status === 'done' ? '<i data-lucide="check" style="width:10px;height:10px;color:#fff" aria-hidden="true"></i>' : ''}
           </button>
-          <span class="subtask-item__title">${s.title}</span>
+          <span class="subtask-item__title">${escHtml(s.title)}</span>
         </div>`).join('')
     : '';
 
@@ -170,7 +179,7 @@ function renderTaskCard(task, opts = {}) {
 
         <div class="task-card__body">
           <div class="task-card__title" data-action="open-task" data-id="${task.id}">
-            ${task.title}
+            ${escHtml(task.title)}
           </div>
           <div class="task-card__meta">
             ${renderPriorityBadge(task.priority)}
@@ -504,7 +513,7 @@ function renderKanbanCard(task) {
   return `
     <div class="kanban-card ${task.status === 'done' ? 'kanban-card--done' : ''}"
          data-task-id="${task.id}" draggable="true">
-      <div class="kanban-card__title">${task.title}</div>
+      <div class="kanban-card__title">${escHtml(task.title)}</div>
       <div class="kanban-card__meta">
         ${renderPriorityBadge(task.priority)}
         ${due ? `<span class="due-date ${due.cls}"><i data-lucide="clock" style="width:10px;height:10px" aria-hidden="true"></i> ${due.label}</span>` : ''}

server/auth.js

@@ -286,8 +286,8 @@ router.post('/users', requireAuth, requireAdmin, csrfMiddleware, async (req, res
       return res.status(400).json({ error: 'Passwort muss mindestens 8 Zeichen haben.', code: 400 });
     }
 
-    if (username.length > 64) {
-      return res.status(400).json({ error: 'Benutzername darf maximal 64 Zeichen lang sein.', code: 400 });
+    if (!/^[a-zA-Z0-9._-]{3,64}$/.test(username)) {
+      return res.status(400).json({ error: 'Benutzername muss 3-64 Zeichen lang sein und darf nur Buchstaben, Zahlen, Punkte, Bindestriche und Unterstriche enthalten.', code: 400 });
     }
 
     if (display_name.length > 128) {
@@ -384,6 +384,17 @@ router.delete('/users/:id', requireAuth, requireAdmin, csrfMiddleware, (req, res
       return res.status(404).json({ error: 'Benutzer nicht gefunden.', code: 404 });
     }
 
+    // Alle aktiven Sessions des geloeschten Users invalidieren
+    const allSessions = db.get().prepare('SELECT sid, sess FROM sessions').all();
+    for (const row of allSessions) {
+      try {
+        const sess = JSON.parse(row.sess);
+        if (sess.userId === userId) {
+          db.get().prepare('DELETE FROM sessions WHERE sid = ?').run(row.sid);
+        }
+      } catch { /* ignore malformed session */ }
+    }
+
     res.json({ ok: true });
   } catch (err) {
     console.error('[Auth] User-Löschen-Fehler:', err);

server/index.js

@@ -60,8 +60,9 @@ app.use(helmet({
   } : false,
 }));
 
-// Trust Proxy für korrekte IP hinter Nginx
-app.set('trust proxy', 1);
+// Trust Proxy: nur aktivieren wenn ein Reverse Proxy vorgeschaltet ist (TRUST_PROXY env var).
+// Default 'loopback' akzeptiert nur X-Forwarded-For von localhost - verhindert IP-Spoofing.
+app.set('trust proxy', process.env.TRUST_PROXY || 'loopback');
 
 // --------------------------------------------------------
 // Request-Parsing

server/routes/budget.js

@@ -147,14 +147,19 @@ router.get('/export', (req, res) => {
     `).all(from, to);
 
     const header = 'Datum,Titel,Betrag,Kategorie,Wiederkehrend,Erstellt von\n';
+    const csvSafe = (val) => {
+      let s = String(val || '').replace(/"/g, '""');
+      if (/^[=+\-@\t\r]/.test(s)) s = "'" + s;
+      return `"${s}"`;
+    };
     const rows   = entries.map((e) =>
       [
         e.date,
-        `"${(e.title || '').replace(/"/g, '""')}"`,
+        csvSafe(e.title),
         e.amount.toFixed(2).replace('.', ','),
         e.category,
         e.is_recurring ? 'Ja' : 'Nein',
-        `"${(e.creator_name || '').replace(/"/g, '""')}"`,
+        csvSafe(e.creator_name),
       ].join(',')
     ).join('\n');
 

server/routes/calendar.js

@@ -206,7 +206,7 @@ router.get('/upcoming', (req, res) => {
  */
 router.get('/google/auth', requireAdmin, (req, res) => {
   try {
-    const url = googleCalendar.getAuthUrl();
+    const url = googleCalendar.getAuthUrl(req.session);
     if (!url) return res.status(503).json({ error: 'Google nicht konfiguriert.', code: 503 });
     res.redirect(url);
   } catch (err) {
@@ -222,10 +222,17 @@ router.get('/google/auth', requireAdmin, (req, res) => {
  */
 router.get('/google/callback', async (req, res) => {
   try {
-    const { code, error } = req.query;
+    const { code, error, state } = req.query;
     if (error) return res.redirect('/settings?sync_error=google');
     if (!code)  return res.status(400).json({ error: 'Kein Code erhalten.', code: 400 });
 
+    // OAuth CSRF-Schutz: state-Parameter validieren
+    if (!state || !req.session.googleOAuthState || state !== req.session.googleOAuthState) {
+      console.error('[calendar/google/callback] OAuth state mismatch');
+      return res.redirect('/settings?sync_error=google');
+    }
+    delete req.session.googleOAuthState;
+
     await googleCalendar.handleCallback(code);
 
     // Initialen Sync im Hintergrund starten (kein await - Redirect soll sofort erfolgen)
@@ -243,7 +250,7 @@ router.get('/google/callback', async (req, res) => {
  * Manueller Sync-Trigger.
  * Response: { ok: true, lastSync: string }
  */
-router.post('/google/sync', async (req, res) => {
+router.post('/google/sync', requireAdmin, async (req, res) => {
   try {
     await googleCalendar.sync();
     const { lastSync } = googleCalendar.getStatus();
@@ -304,7 +311,7 @@ router.get('/apple/status', (req, res) => {
  * Manueller Sync-Trigger.
  * Response: { ok: true, lastSync: string }
  */
-router.post('/apple/sync', async (req, res) => {
+router.post('/apple/sync', requireAdmin, async (req, res) => {
   try {
     await appleCalendar.sync();
     const { lastSync } = appleCalendar.getStatus();

server/services/apple-calendar.js

@@ -53,6 +53,10 @@ function getCredentials() {
 }
 
 function saveCredentials(url, username, password) {
+  // Warnung wenn DB-Verschluesselung nicht aktiv - Credentials liegen dann im Klartext
+  if (!process.env.DB_ENCRYPTION_KEY) {
+    console.warn('[Apple] WARNUNG: DB_ENCRYPTION_KEY nicht gesetzt - CalDAV-Credentials werden unverschluesselt gespeichert.');
+  }
   cfgSet('apple_caldav_url',  url);
   cfgSet('apple_username',    username);
   cfgSet('apple_app_password', password);

server/services/google-calendar.js

@@ -14,6 +14,7 @@
 'use strict';
 
 const { google } = require('googleapis');
+const crypto = require('crypto');
 const db = require('../db');
 
 const GOOGLE_COLOR = '#4285F4';
@@ -92,12 +93,21 @@ function loadAuthorizedClient() {
  * Generiert die Google OAuth2-URL zum Weiterleiten des Admins.
  * @returns {string} Auth-URL
  */
-function getAuthUrl() {
+/**
+ * Generiert die Google OAuth2-URL zum Weiterleiten des Admins.
+ * Enthalt einen CSRF-sicheren state-Parameter.
+ * @param {object} session - Express-Session-Objekt (state wird dort gespeichert)
+ * @returns {string} Auth-URL
+ */
+function getAuthUrl(session) {
   const client = createClient();
+  const state = crypto.randomBytes(32).toString('hex');
+  if (session) session.googleOAuthState = state;
   return client.generateAuthUrl({
     access_type: 'offline',
     prompt:      'consent',
     scope:       ['https://www.googleapis.com/auth/calendar'],
+    state,
   });
 }