From d1f2ae3ed415a6334a0b1c3bfceabd5c399b0d09 Mon Sep 17 00:00:00 2001
From: Alexander Whitestone
 <8633216+AlexanderWhitestone@users.noreply.github.com>
Date: Wed, 4 Mar 2026 07:58:49 -0500
Subject: [PATCH] Security: fix XSS vulnerabilities in health and grok routes
 (#124)

---
 src/dashboard/routes/grok.py               |  4 +-
 src/dashboard/routes/health.py             |  7 +--
 tests/security/test_xss_vulnerabilities.py | 50 ++++++++++++++++++++++
 3 files changed, 57 insertions(+), 4 deletions(-)
 create mode 100644 tests/security/test_xss_vulnerabilities.py

diff --git a/src/dashboard/routes/grok.py b/src/dashboard/routes/grok.py
index cc76dca..c135d10 100644
--- a/src/dashboard/routes/grok.py
+++ b/src/dashboard/routes/grok.py
@@ -198,9 +198,11 @@ async def grok_stats():
 
 def _render_toggle_card(active: bool) -> str:
     """Render the Grok Mode toggle card HTML."""
+    import html
     color = "#00ff88" if active else "#666"
     state = "ACTIVE" if active else "STANDBY"
     glow = "0 0 20px rgba(0, 255, 136, 0.4)" if active else "none"
+    model_name = html.escape(settings.grok_default_model)
 
     return f"""
     <div id="grok-toggle-card"
@@ -213,7 +215,7 @@ def _render_toggle_card(active: bool) -> str:
                     GROK MODE: {state}
                 </div>
                 <div style="font-size: 0.8rem; color: var(--text-muted); margin-top: 4px;">
-                    xAI frontier reasoning | {settings.grok_default_model}
+                    xAI frontier reasoning | {model_name}
                 </div>
             </div>
             <button hx-post="/grok/toggle"
diff --git a/src/dashboard/routes/health.py b/src/dashboard/routes/health.py
index 078e891..e0e3dfb 100644
--- a/src/dashboard/routes/health.py
+++ b/src/dashboard/routes/health.py
@@ -237,9 +237,10 @@ async def health_status_panel(request: Request):
     
     status_text = "UP" if ollama_ok else "DOWN"
     status_color = "#10b981" if ollama_ok else "#ef4444"
-    model = settings.ollama_model  # Include model for test compatibility
+    import html
+    model = html.escape(settings.ollama_model)  # Include model for test compatibility
     
-    html = f"""
+    html_content = f"""
     <!DOCTYPE html>
     <html>
     <head><title>Health Status</title></head>
@@ -251,7 +252,7 @@ async def health_status_panel(request: Request):
     </body>
     </html>
     """
-    return HTMLResponse(content=html)
+    return HTMLResponse(content=html_content)
 
 
 @router.get("/health/sovereignty", response_model=SovereigntyReport)
diff --git a/tests/security/test_xss_vulnerabilities.py b/tests/security/test_xss_vulnerabilities.py
new file mode 100644
index 0000000..6d47df1
--- /dev/null
+++ b/tests/security/test_xss_vulnerabilities.py
@@ -0,0 +1,50 @@
+import pytest
+from fastapi.testclient import TestClient
+from dashboard.app import app
+from config import settings
+import html
+
+@pytest.fixture
+def client():
+    return TestClient(app)
+
+def test_health_status_xss_vulnerability(client):
+    """Verify that the health status page escapes the model name."""
+    original_model = settings.ollama_model
+    malicious_model = '"><script>alert("XSS")</script>'
+    
+    try:
+        # Inject malicious model name into settings
+        settings.ollama_model = malicious_model
+        
+        response = client.get("/health/status")
+        assert response.status_code == 200
+        
+        # The malicious script should be escaped
+        escaped_model = html.escape(malicious_model)
+        assert escaped_model in response.text
+        assert malicious_model not in response.text
+    finally:
+        settings.ollama_model = original_model
+
+def test_grok_toggle_xss_vulnerability(client):
+    """Verify that the grok toggle card escapes the model name."""
+    original_model = settings.grok_default_model
+    malicious_model = '"><img src=x onerror=alert(1)>'
+    
+    try:
+        # Inject malicious model name into settings
+        settings.grok_default_model = malicious_model
+        
+        # We need to make grok available to trigger the render_toggle_card
+        # Since we're in test mode, we might need to mock this or just call the function
+        from dashboard.routes.grok import _render_toggle_card
+        
+        html_output = _render_toggle_card(active=True)
+        
+        # The malicious script should be escaped
+        escaped_model = html.escape(malicious_model)
+        assert escaped_model in html_output
+        assert malicious_model not in html_output
+    finally:
+        settings.grok_default_model = original_model