From faf5ca010b9bee383e9548dcf8d0436e3c5d4c0f Mon Sep 17 00:00:00 2001
From: matthew-pilot
Date: Fri, 29 May 2026 23:07:36 +0000
Subject: [PATCH] fix: escape chart label text via labelFn to prevent XSS (PILOT-255)

Wrap labelFn output in escapeHtml() in drawChart() to prevent XSS via future labelFn implementations that may derive from untrusted server JSON. Today labels are date strings from fmtDateTime so user-controlled content is bounded, but the same template path is used for any future labelFn.
---
 dashboard/dashboard.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dashboard/dashboard.go b/dashboard/dashboard.go
index 3c63687..7d3f5c8 100644
--- a/dashboard/dashboard.go
+++ b/dashboard/dashboard.go
@@ -1034,10 +1034,10 @@ function drawChart(svg,tip,samples,valFn,labelFn,color,unit,zoomY){
 var anchor='middle';
 if(i===0)anchor='start';
 else if(i===vals.length-1)anchor='end';
-html+=''+lbl+'';
+html+=''+escapeHtml(lbl)+'';
 }
 var rw=cW/(vals.length||1);
-html+='';
+html+='';
 }
 svg.innerHTML=html;
 if(tip){
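Review bot: The contract this commit introduces — that whatever labelFn returns is treated as plain text — is not recorded where a future labelFn author will see it; a one-line comment above `function drawChart(svg,tip,samples,valFn,labelFn,color,unit,zoomY){` (just before the hunk) such as `// labelFn must return plain text: drawChart HTML-escapes its result before concatenating it into svg.innerHTML` would make the guarantee discoverable. The second removed/added pair (`html+='';`) reads identically on this page, so the escaping added there sits inside markup the extraction dropped; if that position is an attribute value rather than element text, confirm that escapeHtml also encodes `"` and `'`, since an escaper that only handles `<`, `>` and `&` does not protect attribute context. Any remaining concatenations of the `color` and `unit` parameters into `html` fall outside the hunk and would warrant the same check. drawChart starts before this hunk and continues after it.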