From 7a3530396799d7aa500b8d07aa71569374746f83 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 6 Oct 2025 06:46:22 +0000
Subject: [PATCH 1/3] Bump cryptography from 46.0.1 to 46.0.2
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.1 to 46.0.2.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/46.0.1...46.0.2)
---
updated-dependencies:
- dependency-name: cryptography
dependency-version: 46.0.2
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index 691bca1..a39a3e8 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -7,4 +7,4 @@ pyotp==2.9.0
 qrcode==8.2
 pillow==11.3.0
 requests==2.32.5
-cryptography==46.0.1
\ No newline at end of file
+cryptography==46.0.2
\ No newline at end of file
From bcbe063b901298d446fda3c4b3e56b3131881c4d Mon Sep 17 00:00:00 2001
From: Timeraider <57343973+GitTimeraider@users.noreply.github.com>
Date: Mon, 6 Oct 2025 09:19:15 +0200
Subject: [PATCH 2/3] Potential fix for code scanning alert no. 22: DOM text reinterpreted as HTML
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 static/dashboard.js | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/static/dashboard.js b/static/dashboard.js
index 1eabe68..9e38f09 100644
--- a/static/dashboard.js
+++ b/static/dashboard.js
@@ -4,6 +4,16 @@ let emailAccounts = [];
 let availableDomains = [];
 let selectedDomain = null;
+// Escape a string for HTML insertion (prevents XSS)
+function escapeHTML(str) {
+ return String(str)
+ .replace(/&/g, "&")
+ .replace(//g, ">")
+ .replace(/"/g, """)
+ .replace(/'/g, "'");
+}
+
 // Helper function to validate destinations (including special ones)
 function isValidDestination(destination) {
 // Allow special destinations
@@ -228,9 +238,9 @@ async function loadForwarders() {
 console.error('Error loading forwarders:', error);
 if (error.response && error.response.status === 403) {
- tbody.innerHTML = 'Domain access denied: ' + selectedDomain + ' may not be configured in your DirectAdmin account.';
+ tbody.innerHTML = 'Domain access denied: ' + escapeHTML(selectedDomain) + ' may not be configured in your DirectAdmin account.';
 } else {
- tbody.innerHTML = 'Failed to load forwarders for ' + selectedDomain + '. Please check your DirectAdmin settings.';
+ tbody.innerHTML = 'Failed to load forwarders for ' + escapeHTML(selectedDomain) + '. Please check your DirectAdmin settings.';
 }
 }
 }
From 329e24a5e537c855a1aaf7231b4ba4818116409d Mon Sep 17 00:00:00 2001
From: Timeraider <57343973+GitTimeraider@users.noreply.github.com>
Date: Mon, 6 Oct 2025 09:21:24 +0200
Subject: [PATCH 3/3] Potential fix for code scanning alert no. 20: Information exposure through an exception
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 app/settings.py | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/app/settings.py b/app/settings.py
index c3c23b3..291f7d3 100644
--- a/app/settings.py
+++ b/app/settings.py
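Review bot: The escaping table in the new `escapeHTML` cannot be confirmed from this rendering: the `&` rule reads as a no-op (`.replace(/&/g, "&")`), there is no `<` rule at all, and `.replace(//g, ">")` is not valid JavaScript, which is almost certainly entity text decoded and a `<…>` span eaten by the page rather than what was committed, but it is worth checking the file holds the five-entity form below, because a missing `&` or `<` rule would leave exactly the DOM-text-as-HTML issue the alert reports. Independently, the two `tbody.innerHTML` assignments only interpolate `selectedDomain` into a sentence, so building the row with `document.createElement` and assigning `.textContent` would remove the need for an escaping helper on this path; if those strings carry `<tr>`/`<td>` markup that this rendering stripped, `innerHTML` can stay but every interpolated value must go through `escapeHTML`, not just `selectedDomain`. Note that `escapeHTML(str)` is only safe for text and quoted-attribute contexts, not for URLs or inline scripts; a one-line comment saying so would stop it being reused there. `loadForwarders` starts outside the hunk.
```javascript
function escapeHTML(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}
```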
@@ -139,21 +139,21 @@ def test_connection():
 return jsonify(result)
 except Exception as e:
- error_msg = str(e)
- print(f"Test connection error: {error_msg}")
+ print(f"Test connection error: {str(e)}")
 print(traceback.format_exc())
- # Provide more specific error messages
- if 'timeout' in error_msg.lower():
- error_msg = 'Connection timed out. Please check your DirectAdmin server URL and network connection.'
- elif 'connection' in error_msg.lower():
- error_msg = 'Unable to connect to DirectAdmin server. Please verify the server URL is correct.'
- elif 'ssl' in error_msg.lower() or 'certificate' in error_msg.lower():
- error_msg = 'SSL certificate error. Try using HTTP instead of HTTPS, or check your certificate configuration.'
+ # Provide more specific error messages to the user, do not return exception messages
+ user_error_msg = None
+ error_str = str(e).lower()
+ if 'timeout' in error_str:
+ user_error_msg = 'Connection timed out. Please check your DirectAdmin server URL and network connection.'
+ elif 'connection' in error_str:
+ user_error_msg = 'Unable to connect to DirectAdmin server. Please verify the server URL is correct.'
+ elif 'ssl' in error_str or 'certificate' in error_str:
+ user_error_msg = 'SSL certificate error. Try using HTTP instead of HTTPS, or check your certificate configuration.'
 else:
- error_msg = f'Connection test failed: {error_msg}'
-
- return jsonify({'error': error_msg, 'success': False}), 200
+ user_error_msg = 'Connection test failed. Please contact support or try again later.'
+ return jsonify({'error': user_error_msg, 'success': False}), 200
 @settings_bp.route('/api/domains', methods=['GET'])
 @login_required
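Review bot: The `ssl`/`certificate` branch still tells the user to "Try using HTTP instead of HTTPS", which advises downgrading the DirectAdmin connection, and the admin credentials it carries, to plaintext whenever certificate validation fails; the message should point at fixing the certificate or the URL instead, e.g. `user_error_msg = 'SSL certificate error. Check that the server URL is correct and that the DirectAdmin certificate is valid and trusted by this host.'`. Two smaller points: the exception text and traceback now go to stdout via `print`, where a logger call (`logging.getLogger(__name__).exception("Test connection error")`, or the Flask app logger if this module already has one) would keep the detail for operators without depending on how stdout is captured; and `user_error_msg = None` is dead, since every branch assigns it. Returning HTTP 200 with `success: False` on every failure path forces clients to inspect the body rather than the status, which is worth a short comment if it is deliberate. `test_connection` starts outside the hunk.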