Fix XSS vulnerability, request parsing bug, and session persistence

- Fix XSS in stegasoo.js: use textContent instead of innerHTML for filenames - Fix operator precedence in channel key parsing (form data was ignored) - Persist Flask secret key to instance/.secret_key so sessions survive restarts 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-03 00:08:06 -05:00
parent 5188492c77
commit 83e9bd6fa1
2 changed files with 18 additions and 3 deletions
--- a/frontends/web/static/js/stegasoo.js
+++ b/frontends/web/static/js/stegasoo.js
@@ -119,7 +119,11 @@ const Stegasoo = {
                if (isScanContainer || isPixelContainer) {
                    labelEl.classList.add('d-none');
                } else {
-                    labelEl.innerHTML = '<i class="bi bi-check-circle text-success me-1"></i>' + file.name;
+                    labelEl.textContent = '';
+                    const icon = document.createElement('i');
+                    icon.className = 'bi bi-check-circle text-success me-1';
+                    labelEl.appendChild(icon);
+                    labelEl.appendChild(document.createTextNode(file.name));
                }
            }