From 75d2fdea9c2cad53c0f52add317f6ca8f99e5bb1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tr=E1=BA=A7n=20B=C3=A1ch?=
 <45133811+barttran2k@users.noreply.github.com>
Date: Tue, 7 Apr 2026 20:41:09 +0700
Subject: [PATCH] fix(security): dom-based theme injection via unsanitized
 input in
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The `changeCSS()` function directly interpolates its `theme` parameter into a URL template literal without validation. While currently called only from a `<select>` element with fixed `<option>` values, if invoked programmatically with a crafted value (e.g., via browser console or future code changes), it could load an arbitrary external stylesheet by manipulating the URL path.

Affected files: index.html

Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com>
---
 index.html | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/index.html b/index.html
index 5f90ae39..f59dc4f6 100644
--- a/index.html
+++ b/index.html
@@ -58,8 +58,11 @@
 			.catch( error => console.error( 'Error:', error ) );
 
 		// Change the theme
+		const allowedThemes = ['darkly', 'united', 'flatly', 'quartz'];
+
 		function changeCSS( theme )
 		{
+			if ( !allowedThemes.includes( theme ) ) return;
 			document.querySelector( 'link' ).href
 					= `https://cdn.jsdelivr.net/npm/bootswatch@${bootswatchVersion}/dist/${theme}/bootstrap.min.css`;
 		}