chore: release v0.23.13

CHANGELOG.md

@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.23.13] - 2026-04-22
+
+### Security
+- Installer: replaced template-literal URL construction with the `URL` constructor when setting the final "Open Oikos" link, eliminating a potential DOM-based XSS vector (CodeQL js/xss-through-dom, GitHub Advisory #7)
+
 ## [0.23.12] - 2026-04-22
 
 ### Fixed

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "oikos",
-  "version": "0.23.12",
+  "version": "0.23.13",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "oikos",
-      "version": "0.23.12",
+      "version": "0.23.13",
       "license": "MIT",
       "dependencies": {
         "bcrypt": "^6.0.0",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "oikos",
-  "version": "0.23.12",
+  "version": "0.23.13",
   "description": "Self-hosted family planner - calendar, tasks, shopping, meal planning, budget and more. Private, open-source, no subscription.",
   "main": "server/index.js",
   "type": "module",

tools/installer/install.html

@@ -610,7 +610,10 @@ async function createAdmin() {
     });
     const d = await r.json();
     if (r.status === 201 || r.status === 403) {
-      $('done-link').href = `http://${S.host}:${S.port}`;
+      const appUrl = new URL('http://placeholder');
+      appUrl.hostname = S.host;
+      appUrl.port = S.port;
+      $('done-link').href = appUrl.href;
       showStep(7);
     } else {
       btn.disabled = false; btn.textContent = 'Create Account';