Potential fix for code scanning alert no. 22: DOM text reinterpreted as HTML

app/settings.py

@@ -139,21 +139,21 @@ def test_connection():
         return jsonify(result)
 
     except Exception as e:
-        error_msg = str(e)
-        print(f"Test connection error: {error_msg}")
+        print(f"Test connection error: {str(e)}")
         print(traceback.format_exc())
 
-        # Provide more specific error messages
-        if 'timeout' in error_msg.lower():
-            error_msg = 'Connection timed out. Please check your DirectAdmin server URL and network connection.'
-        elif 'connection' in error_msg.lower():
-            error_msg = 'Unable to connect to DirectAdmin server. Please verify the server URL is correct.'
-        elif 'ssl' in error_msg.lower() or 'certificate' in error_msg.lower():
-            error_msg = 'SSL certificate error. Try using HTTP instead of HTTPS, or check your certificate configuration.'
+        # Provide more specific error messages to the user, do not return exception messages
+        user_error_msg = None
+        error_str = str(e).lower()
+        if 'timeout' in error_str:
+            user_error_msg = 'Connection timed out. Please check your DirectAdmin server URL and network connection.'
+        elif 'connection' in error_str:
+            user_error_msg = 'Unable to connect to DirectAdmin server. Please verify the server URL is correct.'
+        elif 'ssl' in error_str or 'certificate' in error_str:
+            user_error_msg = 'SSL certificate error. Try using HTTP instead of HTTPS, or check your certificate configuration.'
         else:
-            error_msg = f'Connection test failed: {error_msg}'
-
-        return jsonify({'error': error_msg, 'success': False}), 200
+            user_error_msg = 'Connection test failed. Please contact support or try again later.'
+        return jsonify({'error': user_error_msg, 'success': False}), 200
 
 @settings_bp.route('/api/domains', methods=['GET'])
 @login_required

requirements.txt

@@ -7,4 +7,4 @@ pyotp==2.9.0
 qrcode==8.2
 pillow==11.3.0
 requests==2.32.5
-cryptography==46.0.1
+cryptography==46.0.2

static/dashboard.js

@@ -4,6 +4,16 @@ let emailAccounts = [];
 let availableDomains = [];
 let selectedDomain = null;
 
+// Escape a string for HTML insertion (prevents XSS)
+function escapeHTML(str) {
+    return String(str)
+        .replace(/&/g, "&")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#39;");
+}
+
 // Helper function to validate destinations (including special ones)
 function isValidDestination(destination) {
     // Allow special destinations
@@ -228,9 +238,9 @@ async function loadForwarders() {
         console.error('Error loading forwarders:', error);
 
         if (error.response && error.response.status === 403) {
-            tbody.innerHTML = '<tr><td colspan="3" class="error-message">Domain access denied: ' + selectedDomain + ' may not be configured in your DirectAdmin account.</td></tr>';
+            tbody.innerHTML = '<tr><td colspan="3" class="error-message">Domain access denied: ' + escapeHTML(selectedDomain) + ' may not be configured in your DirectAdmin account.</td></tr>';
         } else {
-            tbody.innerHTML = '<tr><td colspan="3" class="error-message">Failed to load forwarders for ' + selectedDomain + '. Please check your DirectAdmin settings.</td></tr>';
+            tbody.innerHTML = '<tr><td colspan="3" class="error-message">Failed to load forwarders for ' + escapeHTML(selectedDomain) + '. Please check your DirectAdmin settings.</td></tr>';
         }
     }
 }