From 67d3746f698e00f013452fccb8a46a4ef846d392 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tr=E1=BA=A7n=20B=C3=A1ch?= <45133811+barttran2k@users.noreply.github.com>
Date: Wed, 8 Apr 2026 01:11:14 +0700
Subject: [PATCH] fix(security): theme selection via dom input without validation (#629)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The `changeCSS` function constructs a URL by interpolating user-controlled input (`theme` parameter from the `` restricts values, if the function were called programmatically (e.g., via browser console or if the DOM is manipulated), an attacker could inject an arbitrary path into the stylesheet URL, potentially loading a malicious CSS file from the CDN.

Affected files: index.html

Signed-off-by: Trần Bách <45133811+barttran2k@users.noreply.github.com>
---
 index.html | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/index.html b/index.html
index 5f90ae3..f59dc4f 100644
--- a/index.html
+++ b/index.html
@@ -58,8 +58,11 @@
 .catch( error => console.error( 'Error:', error ) );
 // Change the theme
+ const allowedThemes = ['darkly', 'united', 'flatly', 'quartz'];
+
 function changeCSS( theme ) {
+ if ( !allowedThemes.includes( theme ) ) return;
 document.querySelector( 'link' ).href = `https://cdn.jsdelivr.net/npm/bootswatch@${bootswatchVersion}/dist/${theme}/bootstrap.min.css`;
 }
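Review bot: The allowlist check guards `theme`, but the URL built on the following line also interpolates `bootswatchVersion`, which is declared outside this hunk; unless it is a literal constant, the "called programmatically or DOM manipulated" concern from the description applies to it just as much, so it is worth confirming where that value comes from. A rejected value currently returns silently, so a tampered value or a typo in a newly added theme option is indistinguishable from success; a `console.warn( 'Ignoring unknown theme:', theme );` before the `return` would make that visible without changing behaviour. The unchanged `document.querySelector( 'link' )` targets whichever `<link>` appears first in the document, so giving the theme stylesheet an `id` and selecting by it would make the element this validated URL is written to unambiguous. A `Content-Security-Policy` `style-src` restricted to `https://cdn.jsdelivr.net` would add a layer that does not depend on this function being the only writer of that `href`.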