ultimate-jekyll-manager 1.0.22 → 1.1.1

package/CHANGELOG.md

@@ -15,6 +15,41 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - `Security` in case of vulnerabilities.
 
 ---
+## [1.1.1] - 2026-04-06
+### Security
+- Fix open redirect via `authReturnUrl` URL parameter in core/auth.js — now validated with `isValidRedirectUrl()`
+- Fix cross-origin redirect via unvalidated postMessage in vert.js — added origin allowlist
+- Replace `new Function()` code execution in redirect.js with safe named modifier lookup
+- Sanitize markdown-it output with DOMPurify in campaign-preview.js (newsletter-safe tag allowlist)
+- Validate OAuth redirect URL scheme in connections.js
+- Escape `classes` parameter in prerendered-icons.js to prevent attribute breakout
+- Defense-in-depth: escape `formatDate()` outputs in security.js, team.js, referrals.js
+- Defense-in-depth: escape cancel/refund reason strings in billing.js, refund.js
+- Defense-in-depth: escape `submittingText` in form-manager.js spinner
+- Document redirect validation, postMessage origin checks, eval prohibition, and DOMPurify rules in CLAUDE.md
+
+### Added
+- `dompurify` dependency for HTML sanitization
+
+## [1.1.0] - 2026-04-06
+### Added
+- `payment-config.js` shared library for reading payment data from build-time config
+- Pricing layout resolves prices and feature limits from `_config.yml` when not set in frontmatter
+- `oauth2` config injected into client-side Configuration object via `foot.html`
+- Pricing page shows "Switch to This Plan" on other paid plans when user has active subscription
+
+### Changed
+- Move `payment` under `web_manager` in default `_config.yml` so it serializes into client-side config
+- Checkout page uses `payment-config.js` instead of fetching `/backend-manager/brand`
+- Account billing section uses config for products/limits/currency instead of brand API
+- Account connections section reads `oauth2` from config instead of brand API
+- Admin dashboard uses config for product list in MRR calculations
+- Remove `/backend-manager/brand` fetch from account page entirely
+- "Everything in [plan]" now uses dynamic previous plan name instead of hardcoded index
+
+### Fixed
+- Liquid 4.x compatibility: use loop-based hash lookup instead of bracket notation for config limits
+
 ## [1.0.22] - 2026-04-05
 ### Changed
 - Bump web-manager from ^4.1.36 to ^4.1.37

package/CLAUDE.md

@@ -429,6 +429,69 @@ $el.textContent = data.message; // Safe — no escaping needed
 
 Only use `innerHTML` when you need actual HTML structure (tags, classes, etc.), and escape every dynamic value in it.
 
+### Even "Safe" Values Must Be Escaped
+Even values that *seem* safe (like `Date.toLocaleDateString()` output, numeric calculations, or hardcoded config strings) MUST be escaped when inserted via `innerHTML`. This is defense-in-depth — if the data source ever changes, the escaping is already in place.
+
+```javascript
+// ✅ CORRECT — escape even "safe" values in innerHTML
+$el.innerHTML = `<small>${webManager.utilities().escapeHTML(formatDate(timestamp))}</small>`;
+$el.innerHTML = `<span>${webManager.utilities().escapeHTML(reason)}</span>`;
+
+// ❌ WRONG — assuming the value is safe because it's from a date formatter
+$el.innerHTML = `<small>${formatDate(timestamp)}</small>`;
+```
+
+### Redirects Must Be Validated
+Never redirect to a URL from untrusted sources without validation:
+
+```javascript
+// ✅ CORRECT — validate before redirect
+const url = urlParams.get('returnUrl');
+if (url && webManager.isValidRedirectUrl(url)) {
+  window.location.href = url;
+}
+
+// ✅ CORRECT — validate API response URLs have safe scheme
+if (response.url && /^https?:\/\//i.test(response.url)) {
+  window.location.href = response.url;
+}
+
+// ❌ WRONG — redirect to unvalidated input
+window.location.href = urlParams.get('returnUrl');
+```
+
+### postMessage Handlers Must Check Origin
+Always validate `event.origin` when handling `window.addEventListener('message', ...)`:
+
+```javascript
+// ✅ CORRECT
+window.addEventListener('message', (event) => {
+  if (event.origin !== window.location.origin && event.origin !== 'https://trusted-domain.com') {
+    return;
+  }
+  // handle message
+});
+
+// ❌ WRONG — any origin can send messages
+window.addEventListener('message', (event) => {
+  window.location.href = event.data.url; // attacker-controlled redirect
+});
+```
+
+### Never Use eval() or new Function()
+Do not use `eval()`, `new Function()`, `setTimeout(string)`, or `setInterval(string)`. These execute arbitrary code and violate CSP policies.
+
+### Sanitize Markdown/Rich Text Output
+When rendering user-authored markdown or rich text, use DOMPurify to sanitize the output:
+
+```javascript
+import DOMPurify from 'dompurify';
+const safeHTML = DOMPurify.sanitize(md.render(userContent), {
+  ALLOWED_TAGS: ['h1', 'h2', 'h3', 'p', 'br', 'a', 'b', 'strong', 'i', 'em', 'ul', 'ol', 'li', 'img', 'code', 'pre'],
+  ALLOWED_ATTR: ['href', 'src', 'alt', 'title', 'class', 'target', 'rel'],
+});
+```
+
 ### Do NOT Escape Values Passed to textContent-Based APIs
 `showNotification()`, `formManager.showSuccess()`, `formManager.showError()`, and `textContent` assignments use safe text insertion internally. Pre-escaping these causes double-encoding (e.g., `We'll` displays as `We&#039;ll`).
 
@@ -1108,12 +1171,24 @@ const response = await authorizedFetch(url, options);
 - No need to manually call `webManager.auth().getIdToken()`
 - Automatic token injection as Authorization Bearer header
 - Centralized authentication handling
+- Automatic usage sync: extracts `bm-properties` header from every response and updates `webManager.bindings()` with fresh usage data under the `usage` key
+
+**Options pass-through:** All `wonderful-fetch` options (`response`, `output`, `body`, `timeout`, etc.) are passed through untouched. Internally, `authorizedFetch` uses `output: 'complete'` to read response headers, then returns only the body by default. If the caller passes `output: 'complete'`, they get the full `{ status, headers, body }` response.
+
+**Automatic Usage Binding Sync:**
+
+After every successful response, `authorizedFetch` reads the `bm-properties` header and updates the `usage` bindings key:
+```javascript
+// After an API call, bindings are automatically updated:
+// usage.credits = { monthly: 5, daily: 2, limit: 100 }
+```
+This means any `data-wm-bind` elements bound to `usage.*` paths are automatically kept in sync without any manual work. See "Usage Bindings" below.
 
 **⚠️ IMPORTANT: Auth State Requirement**
 
 `authorizedFetch` requires Firebase Auth to have determined the current user's authentication state before being called. On fresh page loads (e.g., OAuth callback pages, deep links), Firebase Auth needs time to restore the session from IndexedDB/localStorage.
 
-**If called before auth state is determined, it will throw: `"No authenticated user found"`**
+**If called before auth state is determined, it will warn: `"No authenticated user found"`**
 
 **Solution:** Wait for auth state before calling `authorizedFetch`:
 
@@ -1136,6 +1211,142 @@ webManager.auth().listen({ once: true }, async () => {
 
 **Reference:** `src/assets/js/libs/authorized-fetch.js`
 
+#### Usage Bindings
+
+Usage data is available in the `usage` bindings key. It is populated from two sources:
+
+1. **On page load (auth settle):** `web-manager` reads `account.usage` from Firestore and resolves plan limits from `config.payment.plans`, then sets `usage` bindings with the merged data.
+2. **After API calls:** `authorizedFetch` reads the `bm-properties` response header and merges fresh usage counters + limits into the existing `usage` bindings.
+
+**Bindings structure:**
+```javascript
+// usage.credits = { monthly: 5, daily: 2, limit: 100 }
+// usage.requests = { monthly: 20, limit: 500 }
+```
+
+**HTML usage:**
+```html
+<!-- Show usage counter: "5/100" -->
+<span data-wm-bind="@show usage.credits">
+  <span data-wm-bind="usage.credits.monthly">–</span>/<span data-wm-bind="usage.credits.limit">–</span>
+</span>
+```
+
+**Config requirement:** Plan limits must be defined in `_config.yml` under `web_manager.payment.plans`:
+```yaml
+web_manager:
+  payment:
+    plans:
+      - id: basic
+        limits:
+          credits: 100
+      - id: premium
+        limits:
+          credits: 500
+```
+
+#### Payment Config Library
+
+Reads payment configuration (products, processors, prices, limits) from `webManager.config.payment` — populated from `_config.yml` at build time. **Do NOT fetch `/backend-manager/brand` to get payment data.** It's already available instantly via this library.
+
+**Import:**
+```javascript
+import { getPaymentConfig, getProcessors, getProducts, getProductById, getProductLimits, getCurrency } from '__main_assets__/js/libs/payment-config.js';
+```
+
+**Usage:**
+```javascript
+// Get all products
+const products = getProducts();
+
+// Find a specific product
+const product = getProductById('plus');
+
+// Get product limits
+const limits = getProductLimits('plus'); // { credits: 500, agents: 3, ... }
+
+// Get processors (stripe, paypal, etc.)
+const processors = getProcessors();
+```
+
+**Config location in `_config.yml`:**
+```yaml
+web_manager:
+  payment:
+    processors:
+      stripe:
+        publishableKey: pk_live_...
+      paypal:
+        clientId: ...
+    products:
+      - id: basic
+        name: Basic
+        limits:
+          credits: 100
+      - id: plus
+        name: Plus
+        limits:
+          credits: 500
+        prices:
+          monthly: 19
+          annually: 190
+```
+
+**How it works:** The `foot.html` Configuration injection serializes all `web_manager` properties into `window.Configuration`, which `webManager.initialize()` stores in `webManager.config`. The payment config is available immediately — no API call needed.
+
+**When to still use the brand API:**
+- `oauth2` provider configuration (used by the connections section on the account page)
+- Any data that is NOT in `_config.yml` and only exists server-side
+
+**Reference:** `src/assets/js/libs/payment-config.js`
+
+#### Pricing Page: Config-Resolved Values
+
+The pricing layout automatically resolves prices and feature limits from `_config.yml` when not explicitly set in frontmatter. This means consuming projects can define ONLY display metadata (name, tagline, icon, features list) and let prices/limits come from the single source of truth.
+
+**Resolution order (frontmatter wins):**
+1. `plan.pricing.monthly` / `plan.pricing.annually` from page frontmatter
+2. `site.web_manager.payment.products[matching_id].prices.monthly` / `.annually` from config
+3. `0` (default)
+
+**Feature value resolution:**
+1. `feature.value` from page frontmatter
+2. `site.web_manager.payment.products[matching_id].limits[feature.id]` from config (with `-1` → `"Unlimited"`)
+
+**Example: Minimal pricing.md (prices/limits come from config):**
+```yaml
+---
+layout: blueprint/pricing
+permalink: /pricing
+
+pricing:
+  plans:
+    - id: "basic"
+      name: "Basic"
+      tagline: "best for getting started"
+      url: "/dashboard"
+      features:
+        - id: "credits"
+          name: "Credits"
+          icon: "sparkles"
+        - id: "agents"
+          name: "Agents"
+          icon: "robot"
+    - id: "plus"
+      name: "Plus"
+      tagline: "best for small websites"
+      features:
+        - id: "credits"
+          name: "Credits"
+          icon: "sparkles"
+        - id: "agents"
+          name: "Agents"
+          icon: "robot"
+---
+```
+
+In this example, `credits` value of 100 and price of $19/mo come from `_config.yml`'s `web_manager.payment.products` — no hardcoding needed.
+
 #### FormManager Library
 
 Lightweight form state management library with built-in validation, state machine, and event system.

package/dist/assets/js/core/auth.js

@@ -38,7 +38,8 @@ export default function () {
     webManager.auth().listen({}, async (state) => {
       const user = state.user;
       const url = new URL(window.location.href);
-      const authReturnUrl = url.searchParams.get('authReturnUrl');
+      const authReturnUrlRaw = url.searchParams.get('authReturnUrl');
+      const authReturnUrl = authReturnUrlRaw && webManager.isValidRedirectUrl(authReturnUrlRaw) ? authReturnUrlRaw : null;
       const authSignout = url.searchParams.get('authSignout');
 
       // Log

package/dist/assets/js/libs/form-manager.js

@@ -803,7 +803,7 @@ export class FormManager {
       if (show) {
         // Store original content
         $btn._originalHTML = $btn.innerHTML;
-        $btn.innerHTML = `<span class="spinner-border spinner-border-sm me-2"></span>${this.config.submittingText}`;
+        $btn.innerHTML = `<span class="spinner-border spinner-border-sm me-2"></span>${webManager.utilities().escapeHTML(this.config.submittingText)}`;
       } else if ($btn._originalHTML) {
         $btn.innerHTML = $btn._originalHTML;
       }

package/dist/assets/js/libs/payment-config.js

@@ -0,0 +1,44 @@
+/**
+ * Payment Config Library
+ *
+ * Reads payment configuration (products, processors, prices, limits) from
+ * webManager.config.payment — which is populated from _config.yml at build time.
+ * This eliminates the need to fetch /backend-manager/brand at runtime.
+ */
+
+import webManager from 'web-manager';
+
+// Get the full payment config object
+export function getPaymentConfig() {
+  return webManager.config?.payment || {};
+}
+
+// Get payment processors
+export function getProcessors() {
+  return getPaymentConfig().processors || {};
+}
+
+// Get all products
+export function getProducts() {
+  return getPaymentConfig().products || [];
+}
+
+// Find a product by ID
+export function getProductById(productId) {
+  return getProducts().find(p => p.id === productId) || null;
+}
+
+// Get a product's limits
+export function getProductLimits(productId) {
+  return getProductById(productId)?.limits || {};
+}
+
+// Get a product's prices
+export function getProductPrices(productId) {
+  return getProductById(productId)?.prices || {};
+}
+
+// Get payment currency
+export function getCurrency() {
+  return getPaymentConfig().currency || 'USD';
+}

package/dist/assets/js/libs/prerendered-icons.js

@@ -2,6 +2,7 @@
  * Prerendered Icons Library
  * Retrieves pre-rendered icon HTML from the frontmatter icon system
  */
+import webManager from 'web-manager';
 
 /**
  * Get pre-rendered icon by name from frontmatter icon system.
@@ -31,5 +32,5 @@ export function getPrerenderedIcon(iconName, classes) {
     return $iconTemplate.innerHTML;
   }
 
-  return $iconTemplate.innerHTML.replace('class="fa"', `class="fa ${classes}"`);
+  return $iconTemplate.innerHTML.replace('class="fa"', `class="fa ${webManager.utilities().escapeHTML(classes)}"`);
 }

package/dist/assets/js/modules/redirect.js

@@ -34,15 +34,23 @@ const performRedirect = () => {
   const currentUrl = new URL(window.location.href);
   const siteUrl = new URL(config.siteUrl);
 
-  // Parse modifier function
+  // Named modifier lookup (safe alternative to eval/new Function)
+  const MODIFIERS = {
+    'search-cse': (url) => {
+      const q = url.searchParams.get('q');
+      url.searchParams.set('q', 'site:' + window.location.origin + ' ' + q);
+      return url;
+    },
+  };
+
+  // Resolve modifier by name
   let modifierFunction = (url) => url;
   if (config.modifier && config.modifier !== '""' && config.modifier !== '') {
-    try {
-      // Safely evaluate modifier function
-      modifierFunction = new Function('url', `return (${config.modifier})(url)`);
-    } catch (error) {
-      console.warn('[Redirect] Failed to parse modifier function:', error);
-      console.warn('[Redirect] Modifier string:', config.modifier);
+    const modifierName = config.modifier.trim();
+    if (MODIFIERS[modifierName]) {
+      modifierFunction = MODIFIERS[modifierName];
+    } else {
+      console.warn('[Redirect] Unknown modifier:', modifierName);
     }
   }
 

package/dist/assets/js/modules/vert.js

@@ -90,8 +90,12 @@ const setupMessageHandler = () => {
   // Flag as set up
   window.__ujVertMessageHandlerSetup = true;
 
-  // Listen for messages from iframes
+  // Listen for messages from vert iframes (validate origin)
   window.addEventListener('message', (event) => {
+    if (event.origin !== window.location.origin && event.origin !== 'https://promo-server.itwcreativeworks.com') {
+      return;
+    }
+
     const message = event.data || {};
     const command = message.command || '';
     const payload = message.payload || {};

package/dist/assets/js/pages/account/index.js

@@ -1,5 +1,4 @@
 // Libraries
-import fetch from 'wonderful-fetch';
 import * as profileSection from './sections/profile.js';
 import * as notificationsSection from './sections/notifications.js';
 import * as securitySection from './sections/security.js';
@@ -12,6 +11,7 @@ import * as dataRequestSection from './sections/data-request.js';
 import * as connectionsSection from './sections/connections.js';
 import * as refundSection from './sections/refund.js';
 import webManager from 'web-manager';
+import { getPaymentConfig } from '__main_assets__/js/libs/payment-config.js';
 
 // Module
 export default () => {
@@ -33,8 +33,9 @@ export default () => {
 // Global state
 let $navLinks = null;
 let $sections = null;
-let brandData = null;
-let fetchBrandDataPromise = null;
+
+// Config from _config.yml (available instantly, no fetch needed)
+const paymentConfig = getPaymentConfig();
 
 // Section modules map
 const sectionModules = {
@@ -85,10 +86,6 @@ async function initializeAccount() {
   webManager.auth().listen({}, async (state) => {
     console.log('Auth state with account data:', state);
 
-    // Load user data with the account information
-    // Wait for brand data to be fetched before loading section data
-    await fetchBrandData();
-
     /* @dev-only:start */
     {
       // Check for test subscription parameter
@@ -128,32 +125,6 @@ async function initializeAccount() {
   });
 }
 
-// Fetch brand data to get configuration and OAuth settings
-async function fetchBrandData() {
-  if (fetchBrandDataPromise) return fetchBrandDataPromise;
-
-  fetchBrandDataPromise = (async () => {
-    try {
-      const serverApiURL = `${webManager.getApiUrl()}/backend-manager/brand`;
-
-      // Fetch brand data
-      const response = await fetch(serverApiURL, {
-        response: 'json',
-      });
-
-      console.log('Fetched brand data:', response);
-      brandData = response;
-
-      return response;
-    } catch (error) {
-      webManager.sentry().captureException(new Error('Failed to fetch brand data', { cause: error }));
-      return null;
-    }
-  })();
-
-  return fetchBrandDataPromise;
-}
-
 // Load data for all sections
 function loadAllSectionData(authState) {
   const { user, account } = authState;
@@ -172,7 +143,7 @@ function loadAllSectionData(authState) {
   }
 
   if (sectionModules.billing.loadData) {
-    sectionModules.billing.loadData(account, brandData);
+    sectionModules.billing.loadData(account, paymentConfig);
   }
 
   if (sectionModules.team && sectionModules.team.loadData) {
@@ -196,7 +167,7 @@ function loadAllSectionData(authState) {
   }
 
   if (sectionModules.connections.loadData) {
-    sectionModules.connections.loadData(account, brandData);
+    sectionModules.connections.loadData(account, webManager.config?.oauth2 || {});
   }
 
   if (sectionModules.refund.loadData) {

package/dist/assets/js/pages/account/sections/billing.js

@@ -7,7 +7,7 @@ import { FormManager } from '__main_assets__/js/libs/form-manager.js';
 import authorizedFetch from '__main_assets__/js/libs/authorized-fetch.js';
 import webManager from 'web-manager';
 
-let brandData = null;
+let paymentConfig = null;
 let cancelFormManager = null;
 let currentAccount = null;
 
@@ -41,12 +41,12 @@ export async function init() {
 }
 
 // Load billing data
-export async function loadData(account, sharedBrandData) {
+export async function loadData(account, sharedPaymentConfig) {
   if (!account) {
     return;
   }
 
-  brandData = sharedBrandData;
+  paymentConfig = sharedPaymentConfig;
   currentAccount = account;
 
   updateUI(account);
@@ -104,7 +104,7 @@ function buildBillingState(account) {
   // Pre-format billing details
   const nextBillingUnix = subscription.expires?.timestampUNIX;
   const amount = subscription.payment?.price;
-  const currency = brandData?.payment?.currency || 'USD';
+  const currency = paymentConfig?.currency || 'USD';
   const frequency = subscription.payment?.frequency;
   const hasValidBilling = nextBillingUnix && nextBillingUnix > 0 && amount;
 
@@ -320,8 +320,8 @@ function populateCancelReasons() {
 
   $container.innerHTML = shuffled.map((reason, i) => `
     <div class="form-check mb-2">
-      <input class="form-check-input" type="radio" name="cancel_reason" id="cancel-reason-${i}" value="${reason}">
-      <label class="form-check-label" for="cancel-reason-${i}">${reason}</label>
+      <input class="form-check-input" type="radio" name="cancel_reason" id="cancel-reason-${i}" value="${webManager.utilities().escapeHTML(reason)}">
+      <label class="form-check-label" for="cancel-reason-${i}">${webManager.utilities().escapeHTML(reason)}</label>
     </div>
   `).join('');
 }
@@ -338,7 +338,7 @@ function updateUsageInfo(account) {
 
   // Use the effective plan for usage limits (basic if cancelled/suspended)
   const resolved = webManager.auth().resolveSubscription(account);
-  const product = brandData?.payment?.products?.find(p => p.id === resolved.plan);
+  const product = paymentConfig?.products?.find(p => p.id === resolved.plan);
   const limits = product?.limits || {};
 
   // Clear container
@@ -404,9 +404,9 @@ function getDisplayName(subscription) {
     return subscription.product.name;
   }
 
-  // Fall back to brandData product name
+  // Fall back to config product name
   const productId = subscription.product?.id || 'basic';
-  const product = brandData?.payment?.products?.find(p => p.id === productId);
+  const product = paymentConfig?.products?.find(p => p.id === productId);
   return product?.name || 'Free';
 }
 

package/dist/assets/js/pages/account/sections/connections.js

@@ -7,7 +7,7 @@ import { FormManager } from '__main_assets__/js/libs/form-manager.js';
 import authorizedFetch from '__main_assets__/js/libs/authorized-fetch.js';
 import webManager from 'web-manager';
 
-let brandData = null;
+let oauth2Config = null;
 let accountData = null;
 let connectionForms = new Map();
 
@@ -24,13 +24,13 @@ export async function init() {
 }
 
 // Load connections data
-export async function loadData(account, sharedBrandData) {
+export async function loadData(account, sharedOAuth2Config) {
   if (!account) {
     return;
   }
 
   accountData = account;
-  brandData = sharedBrandData;
+  oauth2Config = sharedOAuth2Config;
 
   displayConnections();
 }
@@ -43,14 +43,14 @@ function displayConnections() {
     $loading.classList.add('d-none');
   }
 
-  if (!brandData) {
+  if (!oauth2Config) {
     if ($loading) {
       $loading.classList.remove('d-none');
     }
     return;
   }
 
-  const availableProviders = brandData?.oauth2 || {};
+  const availableProviders = oauth2Config;
   const userConnections = accountData?.oauth2 || {};
 
   let hasEnabledProviders = false;
@@ -237,7 +237,7 @@ function initializeProviderForm(providerId) {
   formManager.on('statechange', ({ state }) => {
     if (state === 'ready') {
       const userConnection = accountData?.oauth2?.[providerId];
-      const providerSettings = brandData?.oauth2?.[providerId];
+      const providerSettings = oauth2Config?.[providerId];
       updateProviderStatus(providerId, userConnection, providerSettings);
     }
   });
@@ -252,7 +252,7 @@ function initializeProviderForm(providerId) {
       const success = await handleDisconnect(provider);
 
       if (success) {
-        const providerSettings = brandData?.oauth2?.[provider];
+        const providerSettings = oauth2Config?.[provider];
         updateProviderStatus(provider, null, providerSettings);
       }
     }
@@ -261,7 +261,7 @@ function initializeProviderForm(providerId) {
 
 // Handle connect action
 async function handleConnect(providerId) {
-  const provider = brandData?.oauth2?.[providerId];
+  const provider = oauth2Config?.[providerId];
 
   if (!provider || provider.enabled === false) {
     throw new Error('This connection service is not available.');
@@ -281,7 +281,7 @@ async function handleConnect(providerId) {
     tries: 2,
   });
 
-  if (response.url) {
+  if (response.url && /^https?:\/\//i.test(response.url)) {
     window.location.href = response.url;
   } else {
     throw new Error(response.message || 'Failed to get authorization URL');
@@ -322,7 +322,7 @@ async function handleDisconnect(providerId) {
 
 // Called when section is shown
 export function onShow() {
-  if (accountData && brandData) {
+  if (accountData && oauth2Config) {
     displayConnections();
   }
 }

package/dist/assets/js/pages/account/sections/referrals.js

@@ -110,12 +110,12 @@ function updateReferralsList(referrals) {
                   <span class="badge bg-secondary me-2">#${sortedReferrals.length - index}</span>
                   <div>
                     <strong class="font-monospace small">${webManager.utilities().escapeHTML(referral.uid || 'Unknown User')}</strong>
-                    <div class="text-muted small">${dateStr}${timeStr ? ` at ${timeStr}` : ''}</div>
+                    <div class="text-muted small">${webManager.utilities().escapeHTML(dateStr)}${timeStr ? ` at ${webManager.utilities().escapeHTML(timeStr)}` : ''}</div>
                   </div>
                 </div>
               </div>
               <div class="text-end">
-                ${getTimeSince(timestamp)}
+                <small class="text-muted">${webManager.utilities().escapeHTML(getTimeSince(timestamp))}</small>
               </div>
             </div>
           </div>
@@ -146,48 +146,40 @@ function formatTime(date) {
 
 // Get time since string
 function getTimeSince(timestamp) {
-  if (!timestamp) return '<small class="text-muted">Unknown</small>';
+  if (!timestamp) return 'Unknown';
 
   const now = Date.now();
   const diff = now - timestamp;
 
-  // Less than 1 minute
-  if (diff < 60000) {
-    return '<small class="text-success">Just now</small>';
-  }
+  if (diff < 60000) return 'Just now';
 
-  // Less than 1 hour
   if (diff < 3600000) {
     const minutes = Math.floor(diff / 60000);
-    return `<small class="text-muted">${minutes} min${minutes > 1 ? 's' : ''} ago</small>`;
+    return `${minutes} min${minutes > 1 ? 's' : ''} ago`;
   }
 
-  // Less than 24 hours
   if (diff < 86400000) {
     const hours = Math.floor(diff / 3600000);
-    return `<small class="text-muted">${hours} hour${hours > 1 ? 's' : ''} ago</small>`;
+    return `${hours} hour${hours > 1 ? 's' : ''} ago`;
   }
 
-  // Less than 7 days
   if (diff < 604800000) {
     const days = Math.floor(diff / 86400000);
-    return `<small class="text-muted">${days} day${days > 1 ? 's' : ''} ago</small>`;
+    return `${days} day${days > 1 ? 's' : ''} ago`;
   }
 
-  // Less than 30 days
   if (diff < 2592000000) {
     const weeks = Math.floor(diff / 604800000);
-    return `<small class="text-muted">${weeks} week${weeks > 1 ? 's' : ''} ago</small>`;
+    return `${weeks} week${weeks > 1 ? 's' : ''} ago`;
   }
 
-  // More than 30 days
   const months = Math.floor(diff / 2592000000);
   if (months < 12) {
-    return `<small class="text-muted">${months} month${months > 1 ? 's' : ''} ago</small>`;
+    return `${months} month${months > 1 ? 's' : ''} ago`;
   }
 
   const years = Math.floor(months / 12);
-  return `<small class="text-muted">${years} year${years > 1 ? 's' : ''} ago</small>`;
+  return `${years} year${years > 1 ? 's' : ''} ago`;
 }
 
 // Setup button handlers

package/dist/assets/js/pages/account/sections/refund.js

@@ -128,8 +128,8 @@ function populateRefundReasons() {
 
   $container.innerHTML = shuffled.map((reason, i) => `
     <div class="form-check mb-2">
-      <input class="form-check-input" type="radio" name="refund_reason" id="refund-reason-${i}" value="${reason}" required>
-      <label class="form-check-label" for="refund-reason-${i}">${reason}</label>
+      <input class="form-check-input" type="radio" name="refund_reason" id="refund-reason-${i}" value="${webManager.utilities().escapeHTML(reason)}" required>
+      <label class="form-check-label" for="refund-reason-${i}">${webManager.utilities().escapeHTML(reason)}</label>
     </div>
   `).join('');
 }

package/dist/assets/js/pages/account/sections/security.js

@@ -301,7 +301,7 @@ async function updateActiveSessions(account) {
           </div>
         </div>
         <div class="text-end">
-          <small class="text-muted">${formatDate(session.timestamp || (session.timestampUNIX * 1000))}</small>
+          <small class="text-muted">${webManager.utilities().escapeHTML(formatDate(session.timestamp || (session.timestampUNIX * 1000)))}</small>
           ${session.isCurrent ? '<span class="badge bg-primary ms-2">Current</span>' : ''}
         </div>
       </div>

package/dist/assets/js/pages/account/sections/team.js

@@ -66,7 +66,7 @@ function updateInviteStatus(invites) {
       <div class="d-flex justify-content-between align-items-center">
         <div>
           <strong>${webManager.utilities().escapeHTML(invite.email)}</strong>
-          <small class="text-muted d-block">Invited ${formatDate(invite.invitedAt)}</small>
+          <small class="text-muted d-block">Invited ${webManager.utilities().escapeHTML(formatDate(invite.invitedAt))}</small>
         </div>
         <div>
           <button class="btn btn-sm btn-outline-danger" data-action="cancel-invite" data-invite-id="${webManager.utilities().escapeHTML(invite.id)}">

package/dist/assets/js/pages/admin/calendar/campaign-preview.js

@@ -26,7 +26,13 @@ async function renderEmailPreview(formData) {
     md = new MarkdownIt({ html: true, breaks: true, linkify: true });
   }
 
-  const renderedContent = content ? md.render(content) : '<p class="text-muted">No content yet</p>';
+  const DOMPurify = (await import('dompurify')).default;
+  const renderedContent = content
+    ? DOMPurify.sanitize(md.render(content), {
+        ALLOWED_TAGS: ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'br', 'hr', 'ul', 'ol', 'li', 'a', 'b', 'strong', 'i', 'em', 'u', 's', 'del', 'blockquote', 'pre', 'code', 'img', 'table', 'thead', 'tbody', 'tr', 'th', 'td', 'div', 'span', 'sup', 'sub'],
+        ALLOWED_ATTR: ['href', 'src', 'alt', 'title', 'width', 'height', 'class', 'style', 'target', 'rel'],
+      })
+    : '<p class="text-muted">No content yet</p>';
 
   return `
     <div class="email-preview">

package/dist/assets/js/pages/admin/dashboard/index.js

@@ -4,8 +4,8 @@
 
 // Libraries
 import { getPrerenderedIcon } from '__main_assets__/js/libs/prerendered-icons.js';
-import fetch from 'wonderful-fetch';
 import authorizedFetch from '__main_assets__/js/libs/authorized-fetch.js';
+import { getProducts } from '__main_assets__/js/libs/payment-config.js';
 import { formatTimeAgo, capitalize, setStatValue, setStatSubValue } from '__main_assets__/js/libs/admin-helpers.js';
 import { Chart, DoughnutController, BarController, ArcElement, BarElement, CategoryScale, LinearScale, Tooltip, Legend } from 'chart.js';
 import webManager from 'web-manager';
@@ -80,13 +80,8 @@ async function loadSubscriberData() {
   const { collection, query, where, getCountFromServer } = await import('firebase/firestore');
   const db = webManager.firebaseFirestore;
 
-  // Fetch brand config to get product list and available frequencies
-  const brandConfig = await fetch(`${webManager.getApiUrl()}/backend-manager/brand`, {
-    response: 'json',
-    tries: 2,
-  });
-
-  const products = (brandConfig?.payment?.products || []).filter((p) => p.id !== 'basic');
+  // Get product list from _config.yml (available instantly via webManager.config)
+  const products = getProducts().filter((p) => p.id !== 'basic');
   const frequencyIds = [...new Set(products.flatMap((p) => Object.keys(p.prices || {})))];
 
   // Run count queries for each product × frequency in parallel

package/dist/assets/js/pages/payment/checkout/index.js

@@ -1,6 +1,7 @@
 // Payment Checkout Page
 import { FormManager } from '__main_assets__/js/libs/form-manager.js';
-import { fetchBrandConfig, fetchTrialEligibility, warmupServer, createPaymentIntent } from './modules/api.js';
+import { getPaymentConfig, getProcessors, getProductById } from '__main_assets__/js/libs/payment-config.js';
+import { fetchTrialEligibility, warmupServer, createPaymentIntent } from './modules/api.js';
 import { state, buildBindingsState, resolveProcessor, FREQUENCIES, getAvailableFrequencies } from './modules/state.js';
 import { applyDiscountCode } from './modules/discount.js';
 import { initializeRecaptcha } from './modules/recaptcha.js';
@@ -71,15 +72,24 @@ async function initializeCheckout() {
       throw new Error('Product ID is missing from URL.');
     }
 
+    // Read payment config from _config.yml (available instantly via webManager.config)
+    state.processors = getProcessors();
+
+    // Find product
+    const product = getProductById(productId);
+    if (!product) {
+      throw new Error(`Product "${productId}" not found.`);
+    }
+    state.product = product;
+
     // Wait for auth state to settle before any authorized calls
     await new Promise((resolve) => webManager.auth().listen({ once: true }, resolve));
 
     // Fire-and-forget server warmup
     warmupServer();
 
-    // Parallel fetch: brand config + trial eligibility + reCAPTCHA
-    const [brandConfigResult, trialResult, recaptchaResult] = await Promise.allSettled([
-      fetchBrandConfig(),
+    // Parallel fetch: trial eligibility + reCAPTCHA
+    const [trialResult, recaptchaResult] = await Promise.allSettled([
       fetchTrialEligibility(),
       initializeRecaptcha(webManager.config?.recaptcha?.['site-key']),
     ]);
@@ -96,23 +106,6 @@ async function initializeCheckout() {
     }
     /* @dev-only:end */
 
-    // Brand config is required
-    if (brandConfigResult.status === 'rejected') {
-      const reason = brandConfigResult.reason?.message || brandConfigResult.reason || 'Unknown error';
-      throw new Error(`Failed to load checkout brand config: ${reason}`);
-    }
-
-    const brandConfig = brandConfigResult.value;
-    state.brandConfig = brandConfig;
-    state.processors = brandConfig.payment?.processors || {};
-
-    // Find product
-    const product = brandConfig.payment?.products?.find(p => p.id === productId);
-    if (!product) {
-      throw new Error(`Product "${productId}" not found.`);
-    }
-    state.product = product;
-
     // Resolve frequency: URL param if valid, otherwise longest available term
     const available = getAvailableFrequencies(product);
     if (frequencyParam && FREQUENCIES.includes(frequencyParam) && available.includes(frequencyParam)) {
@@ -286,7 +279,7 @@ function initDevPanel() {
   // Show the panel
   $panel.hidden = false;
 
-  const products = state.brandConfig?.payment?.products || [];
+  const products = getPaymentConfig().products || [];
   const params = new URLSearchParams(window.location.search);
 
   // Populate product dropdown

package/dist/assets/js/pages/payment/checkout/modules/api.js

@@ -4,17 +4,6 @@ import authorizedFetch from '__main_assets__/js/libs/authorized-fetch.js';
 import { getRecaptchaToken } from './recaptcha.js';
 import webManager from 'web-manager';
 
-// Fetch brand config (products + processors)
-export async function fetchBrandConfig() {
-  const response = await fetch(`${webManager.getApiUrl()}/backend-manager/brand`, {
-    response: 'json',
-    tries: 2,
-  });
-
-  console.log('Fetched brand config:', response);
-  return response;
-}
-
 // Check trial eligibility via backend endpoint
 export async function fetchTrialEligibility() {
   try {

package/dist/assets/js/pages/payment/checkout/modules/state.js

@@ -9,8 +9,7 @@ export const FREQUENCIES = ['daily', 'weekly', 'monthly', 'annually'];
 
 // Minimal mutable state
 export const state = {
-  // From API (stored once, never transformed)
-  brandConfig: null,
+  // From config (stored once, never transformed)
   product: null,
   processors: null,
 

package/dist/assets/js/pages/pricing/index.js

@@ -319,7 +319,7 @@ function setupPromoCountdown() {
   adjustNavbarOffset();
 }
 
-// Disable button for the user's current active plan
+// Update buttons based on the user's current active plan
 function setupCurrentPlanIndicator() {
   webManager.auth().listen({ once: true }, (state) => {
     const resolved = webManager.auth().resolveSubscription(state.account);
@@ -328,16 +328,22 @@ function setupCurrentPlanIndicator() {
       return;
     }
 
-    const $button = document.querySelector(`button[data-plan-id="${resolved.plan}"]`);
-
-    if (!$button) {
-      return;
+    // Mark current plan button
+    const $currentButton = document.querySelector(`button[data-plan-id="${resolved.plan}"]`);
+    if ($currentButton) {
+      $currentButton.disabled = true;
+      $currentButton.textContent = 'Current Plan';
+      $currentButton.classList.remove('btn-primary', 'btn-gradient-rainbow', 'gradient-animated');
+      $currentButton.classList.add('btn-adaptive');
     }
 
-    $button.disabled = true;
-    $button.textContent = 'Current Plan';
-    $button.classList.remove('btn-primary', 'btn-gradient-rainbow', 'gradient-animated');
-    $button.classList.add('btn-adaptive');
+    // Update other paid plan buttons to "Switch to this plan"
+    document.querySelectorAll('button[data-plan-id]').forEach(($button) => {
+      if ($button.dataset.planId === resolved.plan || $button.dataset.planId === 'basic' || $button.dataset.planId === 'enterprise') {
+        return;
+      }
+      $button.textContent = 'Switch to This Plan';
+    });
   });
 }
 

package/dist/defaults/dist/_includes/core/foot.html

@@ -102,6 +102,7 @@
     {% endfor %}
     env: {{ page.resolved.web_manager.env | jsonify }},
     recaptcha: {{ page.resolved.recaptcha | jsonify }},
+    oauth2: {{ page.resolved.oauth2 | jsonify }},
   };
 </script>
 

package/dist/defaults/dist/_layouts/themes/classy/frontend/pages/pricing.html

@@ -328,6 +328,32 @@ faqs:
 
         <div class="row g-4 mb-5 justify-content-center">
           {% for plan in page.resolved.pricing.plans %}
+            {% comment %} Look up matching product in _config.yml payment products {% endcomment %}
+            {% assign _config_product = nil %}
+            {% for p in site.web_manager.payment.products %}
+              {% if p.id == plan.id %}
+                {% assign _config_product = p %}
+                {% break %}
+              {% endif %}
+            {% endfor %}
+
+            {% comment %} Resolve prices: frontmatter pricing takes precedence, then config prices {% endcomment %}
+            {% if plan.pricing.monthly or plan.pricing.monthly == 0 %}
+              {% assign _plan_monthly = plan.pricing.monthly %}
+            {% elsif _config_product.prices.monthly or _config_product.prices.monthly == 0 %}
+              {% assign _plan_monthly = _config_product.prices.monthly %}
+            {% else %}
+              {% assign _plan_monthly = 0 %}
+            {% endif %}
+
+            {% if plan.pricing.annually or plan.pricing.annually == 0 %}
+              {% assign _plan_annually = plan.pricing.annually %}
+            {% elsif _config_product.prices.annually or _config_product.prices.annually == 0 %}
+              {% assign _plan_annually = _config_product.prices.annually %}
+            {% else %}
+              {% assign _plan_annually = 0 %}
+            {% endif %}
+
             {% if plan.popular %}
               {% assign border_classes = "border-gradient-rainbow border-3" %}
             {% else %}
@@ -349,12 +375,12 @@ faqs:
                     <p class="text-muted small mb-3">{{ plan.tagline }}</p>
 
                     <!-- Price -->
-                    {% if plan.pricing.monthly == 0 %}
+                    {% if _plan_monthly == 0 %}
                       <p class="display-6 fw-bold mb-0">Free</p>
                     {% else %}
                       <p class="mb-0">
                         <span class="display-6 fw-bold">
-                          <span class="fs-3">$</span><span class="amount" data-monthly="{{ plan.pricing.monthly }}" data-annually="{{ plan.pricing.annually | divided_by: 12 | round }}">{{ plan.pricing.annually | divided_by: 12 | round }}</span>
+                          <span class="fs-3">$</span><span class="amount" data-monthly="{{ _plan_monthly }}" data-annually="{{ _plan_annually | divided_by: 12 | round }}">{{ _plan_annually | divided_by: 12 | round }}</span>
                         </span>
                         <small class="text-muted">/month</small>
                       </p>
@@ -363,12 +389,17 @@ faqs:
                     <!-- Price per unit (only shown when enabled) -->
                     {% if page.resolved.pricing.price_per_unit.enabled %}
                       <p class="text-muted small mb-4">
-                        {% if plan.pricing.monthly > 0 %}
+                        {% if _plan_monthly > 0 %}
                           {% for feature in plan.features %}
                             {% if feature.id == page.resolved.pricing.price_per_unit.feature_id %}
-                              {% assign monthly_price_per_unit = plan.pricing.monthly | times: 1.0 | divided_by: feature.value | round: 2 %}
-                              {% assign annual_monthly_price = plan.pricing.annually | divided_by: 12.0 %}
-                              {% assign annual_price_per_unit = annual_monthly_price | divided_by: feature.value | round: 2 %}
+                              {% comment %} Resolve feature value from config limits if not set in frontmatter {% endcomment %}
+                              {% assign _ppu_value = feature.value %}
+                              {% if _config_product and _ppu_value == nil %}
+                                {% for _lim in _config_product.limits %}{% if _lim[0] == feature.id %}{% assign _ppu_value = _lim[1] %}{% break %}{% endif %}{% endfor %}
+                              {% endif %}
+                              {% assign monthly_price_per_unit = _plan_monthly | times: 1.0 | divided_by: _ppu_value | round: 2 %}
+                              {% assign annual_monthly_price = _plan_annually | divided_by: 12.0 %}
+                              {% assign annual_price_per_unit = annual_monthly_price | divided_by: _ppu_value | round: 2 %}
                               <span class="price-per-unit" data-monthly="${{ monthly_price_per_unit }}" data-annually="${{ annual_price_per_unit }}">${{ annual_price_per_unit }}</span> per {{ page.resolved.pricing.price_per_unit.label }}
                             {% endif %}
                           {% endfor %}
@@ -389,8 +420,8 @@ faqs:
                       {% assign btn_style = "btn-primary" %}
 
                       {% iftruthy plan.url %}
-                        <a href="{{ plan.url }}" class="btn {% if plan.pricing.monthly == 0 %}btn-adaptive{% else %}{{ btn_style }}{% endif %} btn-md fw-semibold px-2 fs-5">
-                          {% if plan.pricing.monthly == 0 %}
+                        <a href="{{ plan.url }}" class="btn {% if _plan_monthly == 0 %}btn-adaptive{% else %}{{ btn_style }}{% endif %} btn-md fw-semibold px-2 fs-5">
+                          {% if _plan_monthly == 0 %}
                             Get Started
                           {% else %}
                             Get Free Trial
@@ -406,11 +437,11 @@ faqs:
 
                     <!-- Billing info -->
                     <p class="text-center text-muted small mb-3">
-                      {% if plan.pricing.monthly == 0 %}
+                      {% if _plan_monthly == 0 %}
                         <span>No credit card required</span>
                       {% else %}
-                        <span class="billing-info" data-monthly="Billed ${{ plan.pricing.monthly | uj_commaify }} monthly" data-annually="Billed ${{ plan.pricing.annually | uj_commaify }} annually">
-                          Billed ${{ plan.pricing.annually | uj_commaify }} annually
+                        <span class="billing-info" data-monthly="Billed ${{ _plan_monthly | uj_commaify }} monthly" data-annually="Billed ${{ _plan_annually | uj_commaify }} annually">
+                          Billed ${{ _plan_annually | uj_commaify }} annually
                         </span>
                       {% endif %}
                     </p>
@@ -423,6 +454,16 @@ faqs:
                       <ul class="list-unstyled mb-3">
                         {% for feature in plan.features %}
                           {% if common_feature_ids contains feature.id %}
+                            {% comment %} Resolve feature value: frontmatter > config limits {% endcomment %}
+                            {% assign _feature_value = feature.value %}
+                            {% if _config_product and _feature_value == nil %}
+                              {% assign _config_limit = nil %}{% for _lim in _config_product.limits %}{% if _lim[0] == feature.id %}{% assign _config_limit = _lim[1] %}{% break %}{% endif %}{% endfor %}
+                              {% if _config_limit == -1 %}
+                                {% assign _feature_value = "Unlimited" %}
+                              {% elsif _config_limit %}
+                                {% assign _feature_value = _config_limit %}
+                              {% endif %}
+                            {% endif %}
                             {% assign feature_definition = nil %}
                             {% for def in page.resolved.pricing.definitions %}
                               {% if def.id == feature.id %}
@@ -433,10 +474,10 @@ faqs:
                             <li class="d-flex align-items-start mb-2">
                               <span class="me-3">{% uj_icon feature.icon, "fa-md" %}</span>
                               <span>
-                                {% if feature.value == "Unlimited" %}
+                                {% if _feature_value == "Unlimited" %}
                                   Unlimited
                                 {% else %}
-                                  {{ feature.value | uj_commaify }}
+                                  {{ _feature_value | uj_commaify }}
                                 {% endif %}
                                 {% iftruthy feature_definition %}
                                   <span class="text-decoration-underline text-decoration-dotted cursor-help" data-bs-toggle="tooltip" data-bs-title="{{ feature_definition }}">{{ feature.name }}</span>
@@ -467,6 +508,16 @@ faqs:
                           <ul class="list-unstyled mb-0">
                             {% for feature in plan.features %}
                               {% unless common_feature_ids contains feature.id %}
+                                {% comment %} Resolve feature value: frontmatter > config limits {% endcomment %}
+                                {% assign _feature_value = feature.value %}
+                                {% if _config_product and _feature_value == nil %}
+                                  {% assign _config_limit = nil %}{% for _lim in _config_product.limits %}{% if _lim[0] == feature.id %}{% assign _config_limit = _lim[1] %}{% break %}{% endif %}{% endfor %}
+                                  {% if _config_limit == -1 %}
+                                    {% assign _feature_value = "Unlimited" %}
+                                  {% elsif _config_limit %}
+                                    {% assign _feature_value = _config_limit %}
+                                  {% endif %}
+                                {% endif %}
                                 {% assign feature_definition = nil %}
                                 {% for def in page.resolved.pricing.definitions %}
                                   {% if def.id == feature.id %}
@@ -477,12 +528,12 @@ faqs:
                                 <li class="d-flex align-items-start mb-2 {% if forloop.last %}mb-0{% endif %}">
                                   <span class="me-3">{% uj_icon feature.icon, "fa-md" %}</span>
                                   <span>
-                                    {% if feature.value == "24/7" %}
-                                      {{ feature.value }}
-                                    {% elsif feature.value == "Included" or feature.value == "Available" or feature.value == "Full" %}
+                                    {% if _feature_value == "24/7" %}
+                                      {{ _feature_value }}
+                                    {% elsif _feature_value == "Included" or _feature_value == "Available" or _feature_value == "Full" %}
                                       <!-- No prefix for these values -->
                                     {% else %}
-                                      {{ feature.value | uj_commaify }}
+                                      {{ _feature_value | uj_commaify }}
                                     {% endif %}
                                     {% iftruthy feature_definition %}
                                       <span class="text-decoration-underline text-decoration-dotted cursor-help" data-bs-toggle="tooltip" data-bs-title="{{ feature_definition }}">{{ feature.name }}</span>
@@ -509,16 +560,12 @@ faqs:
                           {% endunless %}
                         {% endfor %}
 
+                        {% assign _prev_index = forloop.index0 | minus: 1 %}
+                        {% assign _prev_plan = page.resolved.pricing.plans[_prev_index] %}
                         <div class="text-muted small mb-2">
                           <em>Everything in</em>
                           <em>
-                            <strong>
-                              {%- if forloop.index == 1 -%}Free{%- endif -%}
-                              {%- if forloop.index == 2 -%}Basic{%- endif -%}
-                              {%- if forloop.index == 3 -%}Starter{%- endif -%}
-                              {%- if forloop.index == 4 -%}Pro{%- endif -%}
-                              {%- if forloop.index == 5 -%}Max{% endif -%}
-                            </strong>
+                            <strong>{{ _prev_plan.name }}</strong>
                             {%- if has_additional -%}, plus:{%- endif -%}
                           </em>
                         </div>
@@ -528,6 +575,16 @@ faqs:
                           <ul class="list-unstyled mb-0">
                             {% for feature in plan.features %}
                               {% unless common_feature_ids contains feature.id %}
+                                {% comment %} Resolve feature value: frontmatter > config limits {% endcomment %}
+                                {% assign _feature_value = feature.value %}
+                                {% if _config_product and _feature_value == nil %}
+                                  {% assign _config_limit = nil %}{% for _lim in _config_product.limits %}{% if _lim[0] == feature.id %}{% assign _config_limit = _lim[1] %}{% break %}{% endif %}{% endfor %}
+                                  {% if _config_limit == -1 %}
+                                    {% assign _feature_value = "Unlimited" %}
+                                  {% elsif _config_limit %}
+                                    {% assign _feature_value = _config_limit %}
+                                  {% endif %}
+                                {% endif %}
                                 {% assign feature_definition = nil %}
                                 {% for def in page.resolved.pricing.definitions %}
                                   {% if def.id == feature.id %}
@@ -538,12 +595,12 @@ faqs:
                                 <li class="d-flex align-items-start mb-2 {% if forloop.last %}mb-0{% endif %}">
                                   <span class="me-3">{% uj_icon feature.icon, "fa-md" %}</span>
                                   <span>
-                                    {% if feature.value == "24/7" %}
-                                      {{ feature.value }}
-                                    {% elsif feature.value == "Included" or feature.value == "Available" or feature.value == "Full" %}
+                                    {% if _feature_value == "24/7" %}
+                                      {{ _feature_value }}
+                                    {% elsif _feature_value == "Included" or _feature_value == "Available" or _feature_value == "Full" %}
                                       <!-- No prefix for these values -->
                                     {% else %}
-                                      {{ feature.value | uj_commaify }}
+                                      {{ _feature_value | uj_commaify }}
                                     {% endif %}
                                     {% iftruthy feature_definition %}
                                       <span class="text-decoration-underline text-decoration-dotted cursor-help" data-bs-toggle="tooltip" data-bs-title="{{ feature_definition }}">{{ feature.name }}</span>
@@ -664,6 +721,14 @@ faqs:
                 {% endiffalsy %}
               </th>
               {% for plan in page.resolved.pricing.plans %}
+                {% comment %} Look up config product for this plan {% endcomment %}
+                {% assign _tbl_config_product = nil %}
+                {% for p in site.web_manager.payment.products %}
+                  {% if p.id == plan.id %}
+                    {% assign _tbl_config_product = p %}
+                    {% break %}
+                  {% endif %}
+                {% endfor %}
                 <td>
                   {% assign has_feature = false %}
                   {% assign feature_value = nil %}
@@ -678,6 +743,16 @@ faqs:
                     {% endif %}
                   {% endfor %}
 
+                  {% comment %} Resolve feature value from config limits if not set {% endcomment %}
+                  {% if has_feature and feature_value == nil and _tbl_config_product %}
+                    {% assign _tbl_limit = nil %}{% for _lim in _tbl_config_product.limits %}{% if _lim[0] == feature_def.id %}{% assign _tbl_limit = _lim[1] %}{% break %}{% endif %}{% endfor %}
+                    {% if _tbl_limit == -1 %}
+                      {% assign feature_value = "Unlimited" %}
+                    {% elsif _tbl_limit %}
+                      {% assign feature_value = _tbl_limit %}
+                    {% endif %}
+                  {% endif %}
+
                   {% unless has_feature %}
                     {% for check_plan in page.resolved.pricing.plans %}
                       {% if check_plan.id == plan.id %}
@@ -690,6 +765,26 @@ faqs:
                           {% break %}
                         {% endif %}
                       {% endfor %}
+
+                      {% comment %} Resolve inherited value from config limits if not set {% endcomment %}
+                      {% if inherited_feature and inherited_value == nil %}
+                        {% assign _inh_config_product = nil %}
+                        {% for p in site.web_manager.payment.products %}
+                          {% if p.id == check_plan.id %}
+                            {% assign _inh_config_product = p %}
+                            {% break %}
+                          {% endif %}
+                        {% endfor %}
+                        {% if _inh_config_product %}
+                          {% assign _inh_limit = nil %}{% for _lim in _inh_config_product.limits %}{% if _lim[0] == feature_def.id %}{% assign _inh_limit = _lim[1] %}{% break %}{% endif %}{% endfor %}
+                          {% if _inh_limit == -1 %}
+                            {% assign inherited_value = "Unlimited" %}
+                          {% elsif _inh_limit %}
+                            {% assign inherited_value = _inh_limit %}
+                          {% endif %}
+                        {% endif %}
+                      {% endif %}
+
                       {% if inherited_feature %}
                         {% break %}
                       {% endif %}

package/dist/defaults/dist/redirects/misc/search-cse.html

@@ -6,13 +6,5 @@ permalink: /search/cse
 ### REGULAR PAGES ###
 redirect:
   url: "https://cse.google.com/cse?cx={{ page.resolved.advertising.cse.site-id }}&ie=UTF-8"
-  modifier: "
-    function (url) {
-      var q = url.searchParams.get('q');
-
-      url.searchParams.set('q', 'site:' + window.location.origin + ' ' + q);
-
-      return url;
-    }
-  "
+  modifier: "search-cse"
 ---

package/dist/defaults/src/_config.yml

@@ -134,18 +134,17 @@ web_manager:
     config:
       autoRequest: 1000 * 60
   validRedirectHosts: []
-
-# Payment
-payment:
-  processors:
-    stripe:
-      publishableKey: null
-    paypal:
-      clientId: null
-    chargebee:
-      site: null
-    coinbase:
-      enabled: false
+  payment:
+    processors:
+      stripe:
+        publishableKey: null
+      paypal:
+        clientId: null
+      chargebee:
+        site: null
+      coinbase:
+        enabled: false
+    products: []
 
 # OAuth2
 oauth2:

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ultimate-jekyll-manager",
-  "version": "1.0.22",
+  "version": "1.1.1",
   "description": "Ultimate Jekyll dependency manager",
   "main": "dist/index.js",
   "exports": {
@@ -78,6 +78,7 @@
     "chart.js": "^4.5.1",
     "cheerio": "^1.2.0",
     "chrome-launcher": "^1.2.1",
+    "dompurify": "^3.3.3",
     "dotenv": "^17.4.1",
     "fast-xml-parser": "^5.5.10",
     "fs-jetpack": "^5.1.0",