From 56286bcea39c4e631d0a4b016fad824ca5bf14e2 Mon Sep 17 00:00:00 2001
From: Ulas Kalayci
Date: Wed, 22 Apr 2026 12:41:36 +0200
Subject: [PATCH] chore: release v0.23.13
---
 CHANGELOG.md | 5 +++++
 package-lock.json | 4 ++--
 package.json | 2 +-
 tools/installer/install.html | 5 ++++-
 4 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a1de0cb..b728915 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [0.23.13] - 2026-04-22
+
+### Security
+- Installer: replaced template-literal URL construction with the `URL` constructor when setting the final "Open Oikos" link, eliminating a potential DOM-based XSS vector (CodeQL js/xss-through-dom, GitHub Advisory #7)
+
 ## [0.23.12] - 2026-04-22
 ### Fixed
diff --git a/package-lock.json b/package-lock.json
index 8367364..451aba3 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "oikos",
- "version": "0.23.12",
+ "version": "0.23.13",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "oikos",
- "version": "0.23.12",
+ "version": "0.23.13",
 "license": "MIT",
 "dependencies": {
 "bcrypt": "^6.0.0",
diff --git a/package.json b/package.json
index 77e26a4..741d579 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "oikos",
- "version": "0.23.12",
+ "version": "0.23.13",
 "description": "Self-hosted family planner - calendar, tasks, shopping, meal planning, budget and more. Private, open-source, no subscription.",
 "main": "server/index.js",
 "type": "module",
diff --git a/tools/installer/install.html b/tools/installer/install.html
index a06f85b..417792f 100644
--- a/tools/installer/install.html
+++ b/tools/installer/install.html
@@ -610,7 +610,10 @@ async function createAdmin() {
 });
 const d = await r.json();
 if (r.status === 201 || r.status === 403) {
- $('done-link').href = `http://${S.host}:${S.port}`;
+ const appUrl = new URL('http://placeholder');
+ appUrl.hostname = S.host;
+ appUrl.port = S.port;
+ $('done-link').href = appUrl.href;
 showStep(7);
 } else {
 btn.disabled = false; btn.textContent = 'Create Account';
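Review bot: The WHATWG `URL` hostname and port setters silently ignore values they cannot parse, so when `S.host` is not a valid host (for example an unbracketed IPv6 literal, which must be written as `[::1]`) or `S.port` is not numeric, the new `appUrl.hostname = S.host;` / `appUrl.port = S.port;` lines leave the link at `http://placeholder/` and the done step points at a bogus host with no error surfaced. The fixed `http:` scheme is what closes the injection path, so the value is safe but may be wrong; a check after the setters such as `if (appUrl.hostname === 'placeholder') { btn.disabled = false; btn.textContent = 'Create Account'; return; }` (mirroring the `else` branch visible in the hunk) would make that failure visible instead of silent. A one-line comment would also help the next reader, e.g. `// Fixed scheme plus host/port setters: S.host cannot smuggle a scheme or path into the link`. `createAdmin()` begins before this hunk, so how `S.host` and `S.port` were validated earlier is not visible here.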