From a4ad10a872f3aeec8f54973e59390efde4681953 Mon Sep 17 00:00:00 2001
From: Ulas Kalayci
Date: Wed, 22 Apr 2026 00:05:08 +0200
Subject: [PATCH] fix(installer): validate host/port input before use in DOM
Prevents unvalidated user input from reaching DOM sinks (href, template literals). Host is checked against a strict hostname regex; port is parsed as an integer and range-checked to 1-65535. An inline error message is shown on validation failure. Resolves CodeQL js/xss-through-dom alert #7.
Co-Authored-By: Claude Sonnet 4.6
---
tools/installer/install.html | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/tools/installer/install.html b/tools/installer/install.html
index 6b4903a..a06f85b 100644
--- a/tools/installer/install.html
+++ b/tools/installer/install.html
@@ -141,6 +141,7 @@
+
@@ -443,8 +444,19 @@ document.addEventListener('click', async e => {
 });
 $('cfg-next').addEventListener('click', () => {
- S.host = $('cfg-host').value.trim() || 'localhost';
- S.port = $('cfg-port').value.trim() || '3000';
+ const rawHost = $('cfg-host').value.trim() || 'localhost';
+ const rawPort = parseInt($('cfg-port').value.trim(), 10);
+ if (!/^[a-zA-Z0-9]([a-zA-Z0-9\-\.]*[a-zA-Z0-9])?$/.test(rawHost) && rawHost !== 'localhost') {
+ showErr('cfg-err', 'Invalid hostname. Use only letters, digits, hyphens and dots.');
+ return;
+ }
+ if (isNaN(rawPort) || rawPort < 1 || rawPort > 65535) {
+ showErr('cfg-err', 'Invalid port. Must be a number between 1 and 65535.');
+ return;
+ }
+ showErr('cfg-err', '');
+ S.host = rawHost;
+ S.port = String(rawPort);
 S.tz = $('cfg-tz').value.trim() || 'UTC';
 showStep(1);
 });
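Review bot: The port default is silently dropped: `parseInt($('cfg-port').value.trim(), 10)` yields NaN for an empty field, so an empty port now fails validation with "Invalid port" instead of falling back to '3000' as the removed line did, while the host keeps its 'localhost' fallback on the line above. If the default is still intended, parse `$('cfg-port').value.trim() || '3000'`, and since `parseInt` also accepts trailing junk such as `80abc` as 80, the stricter form would be `const rawPort = Number($('cfg-port').value.trim() || '3000');` with `if (!Number.isInteger(rawPort) || rawPort < 1 || rawPort > 65535) {` in place of the coercing global `isNaN`. In the hostname check the `&& rawHost !== 'localhost'` clause is dead, because 'localhost' already matches the regex, and the regex itself admits consecutive or label-edge dots and hyphens (`a..b`, `a.-b`) while rejecting IPv6 literals such as `::1`, which may be a regression if those were previously accepted; the character set it allows does keep quotes, angle brackets, slashes and whitespace out of the downstream sinks, so the stated CodeQL fix holds for what it accepts. The handler's use of `showErr('cfg-err', '')` to clear the message relies on `showErr` and the `cfg-err` element from the first hunk, neither of which is visible here.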