ultimate-jekyll-manager 1.1.0 → 1.1.2

package/CHANGELOG.md

@@ -15,6 +15,30 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - `Security` in case of vulnerabilities.
 
 ---
+## [1.1.2] - 2026-04-08
+### Fixed
+- Fix AdSense minimum width error in dashboard sidebar by increasing sidebar width from 280px to 282px (content area now meets 250px minimum)
+
+### Changed
+- Update dependencies: fast-xml-parser, postcss, webpack, wonderful-fetch, prepare-package
+
+---
+## [1.1.1] - 2026-04-06
+### Security
+- Fix open redirect via `authReturnUrl` URL parameter in core/auth.js — now validated with `isValidRedirectUrl()`
+- Fix cross-origin redirect via unvalidated postMessage in vert.js — added origin allowlist
+- Replace `new Function()` code execution in redirect.js with safe named modifier lookup
+- Sanitize markdown-it output with DOMPurify in campaign-preview.js (newsletter-safe tag allowlist)
+- Validate OAuth redirect URL scheme in connections.js
+- Escape `classes` parameter in prerendered-icons.js to prevent attribute breakout
+- Defense-in-depth: escape `formatDate()` outputs in security.js, team.js, referrals.js
+- Defense-in-depth: escape cancel/refund reason strings in billing.js, refund.js
+- Defense-in-depth: escape `submittingText` in form-manager.js spinner
+- Document redirect validation, postMessage origin checks, eval prohibition, and DOMPurify rules in CLAUDE.md
+
+### Added
+- `dompurify` dependency for HTML sanitization
+
 ## [1.1.0] - 2026-04-06
 ### Added
 - `payment-config.js` shared library for reading payment data from build-time config

package/CLAUDE.md

@@ -429,6 +429,69 @@ $el.textContent = data.message; // Safe — no escaping needed
 
 Only use `innerHTML` when you need actual HTML structure (tags, classes, etc.), and escape every dynamic value in it.
 
+### Even "Safe" Values Must Be Escaped
+Even values that *seem* safe (like `Date.toLocaleDateString()` output, numeric calculations, or hardcoded config strings) MUST be escaped when inserted via `innerHTML`. This is defense-in-depth — if the data source ever changes, the escaping is already in place.
+
+```javascript
+// ✅ CORRECT — escape even "safe" values in innerHTML
+$el.innerHTML = `<small>${webManager.utilities().escapeHTML(formatDate(timestamp))}</small>`;
+$el.innerHTML = `<span>${webManager.utilities().escapeHTML(reason)}</span>`;
+
+// ❌ WRONG — assuming the value is safe because it's from a date formatter
+$el.innerHTML = `<small>${formatDate(timestamp)}</small>`;
+```
+
+### Redirects Must Be Validated
+Never redirect to a URL from untrusted sources without validation:
+
+```javascript
+// ✅ CORRECT — validate before redirect
+const url = urlParams.get('returnUrl');
+if (url && webManager.isValidRedirectUrl(url)) {
+  window.location.href = url;
+}
+
+// ✅ CORRECT — validate API response URLs have safe scheme
+if (response.url && /^https?:\/\//i.test(response.url)) {
+  window.location.href = response.url;
+}
+
+// ❌ WRONG — redirect to unvalidated input
+window.location.href = urlParams.get('returnUrl');
+```
+
+### postMessage Handlers Must Check Origin
+Always validate `event.origin` when handling `window.addEventListener('message', ...)`:
+
+```javascript
+// ✅ CORRECT
+window.addEventListener('message', (event) => {
+  if (event.origin !== window.location.origin && event.origin !== 'https://trusted-domain.com') {
+    return;
+  }
+  // handle message
+});
+
+// ❌ WRONG — any origin can send messages
+window.addEventListener('message', (event) => {
+  window.location.href = event.data.url; // attacker-controlled redirect
+});
+```
+
+### Never Use eval() or new Function()
+Do not use `eval()`, `new Function()`, `setTimeout(string)`, or `setInterval(string)`. These execute arbitrary code and violate CSP policies.
+
+### Sanitize Markdown/Rich Text Output
+When rendering user-authored markdown or rich text, use DOMPurify to sanitize the output:
+
+```javascript
+import DOMPurify from 'dompurify';
+const safeHTML = DOMPurify.sanitize(md.render(userContent), {
+  ALLOWED_TAGS: ['h1', 'h2', 'h3', 'p', 'br', 'a', 'b', 'strong', 'i', 'em', 'ul', 'ol', 'li', 'img', 'code', 'pre'],
+  ALLOWED_ATTR: ['href', 'src', 'alt', 'title', 'class', 'target', 'rel'],
+});
+```
+
 ### Do NOT Escape Values Passed to textContent-Based APIs
 `showNotification()`, `formManager.showSuccess()`, `formManager.showError()`, and `textContent` assignments use safe text insertion internally. Pre-escaping these causes double-encoding (e.g., `We'll` displays as `We&#039;ll`).
 
@@ -1108,12 +1171,24 @@ const response = await authorizedFetch(url, options);
 - No need to manually call `webManager.auth().getIdToken()`
 - Automatic token injection as Authorization Bearer header
 - Centralized authentication handling
+- Automatic usage sync: extracts `bm-properties` header from every response and updates `webManager.bindings()` with fresh usage data under the `usage` key
+
+**Options pass-through:** All `wonderful-fetch` options (`response`, `output`, `body`, `timeout`, etc.) are passed through untouched. Internally, `authorizedFetch` uses `output: 'complete'` to read response headers, then returns only the body by default. If the caller passes `output: 'complete'`, they get the full `{ status, headers, body }` response.
+
+**Automatic Usage Binding Sync:**
+
+After every successful response, `authorizedFetch` reads the `bm-properties` header and updates the `usage` bindings key:
+```javascript
+// After an API call, bindings are automatically updated:
+// usage.credits = { monthly: 5, daily: 2, limit: 100 }
+```
+This means any `data-wm-bind` elements bound to `usage.*` paths are automatically kept in sync without any manual work. See "Usage Bindings" below.
 
 **⚠️ IMPORTANT: Auth State Requirement**
 
 `authorizedFetch` requires Firebase Auth to have determined the current user's authentication state before being called. On fresh page loads (e.g., OAuth callback pages, deep links), Firebase Auth needs time to restore the session from IndexedDB/localStorage.
 
-**If called before auth state is determined, it will throw: `"No authenticated user found"`**
+**If called before auth state is determined, it will warn: `"No authenticated user found"`**
 
 **Solution:** Wait for auth state before calling `authorizedFetch`:
 
@@ -1136,6 +1211,40 @@ webManager.auth().listen({ once: true }, async () => {
 
 **Reference:** `src/assets/js/libs/authorized-fetch.js`
 
+#### Usage Bindings
+
+Usage data is available in the `usage` bindings key. It is populated from two sources:
+
+1. **On page load (auth settle):** `web-manager` reads `account.usage` from Firestore and resolves plan limits from `config.payment.plans`, then sets `usage` bindings with the merged data.
+2. **After API calls:** `authorizedFetch` reads the `bm-properties` response header and merges fresh usage counters + limits into the existing `usage` bindings.
+
+**Bindings structure:**
+```javascript
+// usage.credits = { monthly: 5, daily: 2, limit: 100 }
+// usage.requests = { monthly: 20, limit: 500 }
+```
+
+**HTML usage:**
+```html
+<!-- Show usage counter: "5/100" -->
+<span data-wm-bind="@show usage.credits">
+  <span data-wm-bind="usage.credits.monthly">–</span>/<span data-wm-bind="usage.credits.limit">–</span>
+</span>
+```
+
+**Config requirement:** Plan limits must be defined in `_config.yml` under `web_manager.payment.plans`:
+```yaml
+web_manager:
+  payment:
+    plans:
+      - id: basic
+        limits:
+          credits: 100
+      - id: premium
+        limits:
+          credits: 500
+```
+
 #### Payment Config Library
 
 Reads payment configuration (products, processors, prices, limits) from `webManager.config.payment` — populated from `_config.yml` at build time. **Do NOT fetch `/backend-manager/brand` to get payment data.** It's already available instantly via this library.

package/dist/assets/css/core/_utilities.scss

@@ -83,8 +83,8 @@ button *, a * {
 // Sidebar
 // ============================================
 .sidebar {
-  width: 280px;
-  min-width: 280px;
+  width: 282px;
+  min-width: 282px;
 }
 
 .sidebar-logo {

package/dist/assets/js/core/auth.js

@@ -38,7 +38,8 @@ export default function () {
     webManager.auth().listen({}, async (state) => {
       const user = state.user;
       const url = new URL(window.location.href);
-      const authReturnUrl = url.searchParams.get('authReturnUrl');
+      const authReturnUrlRaw = url.searchParams.get('authReturnUrl');
+      const authReturnUrl = authReturnUrlRaw && webManager.isValidRedirectUrl(authReturnUrlRaw) ? authReturnUrlRaw : null;
       const authSignout = url.searchParams.get('authSignout');
 
       // Log

package/dist/assets/js/libs/form-manager.js

@@ -803,7 +803,7 @@ export class FormManager {
       if (show) {
         // Store original content
         $btn._originalHTML = $btn.innerHTML;
-        $btn.innerHTML = `<span class="spinner-border spinner-border-sm me-2"></span>${this.config.submittingText}`;
+        $btn.innerHTML = `<span class="spinner-border spinner-border-sm me-2"></span>${webManager.utilities().escapeHTML(this.config.submittingText)}`;
       } else if ($btn._originalHTML) {
         $btn.innerHTML = $btn._originalHTML;
       }

package/dist/assets/js/libs/prerendered-icons.js

@@ -2,6 +2,7 @@
  * Prerendered Icons Library
  * Retrieves pre-rendered icon HTML from the frontmatter icon system
  */
+import webManager from 'web-manager';
 
 /**
  * Get pre-rendered icon by name from frontmatter icon system.
@@ -31,5 +32,5 @@ export function getPrerenderedIcon(iconName, classes) {
     return $iconTemplate.innerHTML;
   }
 
-  return $iconTemplate.innerHTML.replace('class="fa"', `class="fa ${classes}"`);
+  return $iconTemplate.innerHTML.replace('class="fa"', `class="fa ${webManager.utilities().escapeHTML(classes)}"`);
 }

package/dist/assets/js/modules/redirect.js

@@ -34,15 +34,23 @@ const performRedirect = () => {
   const currentUrl = new URL(window.location.href);
   const siteUrl = new URL(config.siteUrl);
 
-  // Parse modifier function
+  // Named modifier lookup (safe alternative to eval/new Function)
+  const MODIFIERS = {
+    'search-cse': (url) => {
+      const q = url.searchParams.get('q');
+      url.searchParams.set('q', 'site:' + window.location.origin + ' ' + q);
+      return url;
+    },
+  };
+
+  // Resolve modifier by name
   let modifierFunction = (url) => url;
   if (config.modifier && config.modifier !== '""' && config.modifier !== '') {
-    try {
-      // Safely evaluate modifier function
-      modifierFunction = new Function('url', `return (${config.modifier})(url)`);
-    } catch (error) {
-      console.warn('[Redirect] Failed to parse modifier function:', error);
-      console.warn('[Redirect] Modifier string:', config.modifier);
+    const modifierName = config.modifier.trim();
+    if (MODIFIERS[modifierName]) {
+      modifierFunction = MODIFIERS[modifierName];
+    } else {
+      console.warn('[Redirect] Unknown modifier:', modifierName);
     }
   }
 

package/dist/assets/js/modules/vert.js

@@ -90,8 +90,12 @@ const setupMessageHandler = () => {
   // Flag as set up
   window.__ujVertMessageHandlerSetup = true;
 
-  // Listen for messages from iframes
+  // Listen for messages from vert iframes (validate origin)
   window.addEventListener('message', (event) => {
+    if (event.origin !== window.location.origin && event.origin !== 'https://promo-server.itwcreativeworks.com') {
+      return;
+    }
+
     const message = event.data || {};
     const command = message.command || '';
     const payload = message.payload || {};

package/dist/assets/js/pages/account/sections/billing.js

@@ -320,8 +320,8 @@ function populateCancelReasons() {
 
   $container.innerHTML = shuffled.map((reason, i) => `
     <div class="form-check mb-2">
-      <input class="form-check-input" type="radio" name="cancel_reason" id="cancel-reason-${i}" value="${reason}">
-      <label class="form-check-label" for="cancel-reason-${i}">${reason}</label>
+      <input class="form-check-input" type="radio" name="cancel_reason" id="cancel-reason-${i}" value="${webManager.utilities().escapeHTML(reason)}">
+      <label class="form-check-label" for="cancel-reason-${i}">${webManager.utilities().escapeHTML(reason)}</label>
     </div>
   `).join('');
 }

package/dist/assets/js/pages/account/sections/connections.js

@@ -281,7 +281,7 @@ async function handleConnect(providerId) {
     tries: 2,
   });
 
-  if (response.url) {
+  if (response.url && /^https?:\/\//i.test(response.url)) {
     window.location.href = response.url;
   } else {
     throw new Error(response.message || 'Failed to get authorization URL');

package/dist/assets/js/pages/account/sections/referrals.js

@@ -110,12 +110,12 @@ function updateReferralsList(referrals) {
                   <span class="badge bg-secondary me-2">#${sortedReferrals.length - index}</span>
                   <div>
                     <strong class="font-monospace small">${webManager.utilities().escapeHTML(referral.uid || 'Unknown User')}</strong>
-                    <div class="text-muted small">${dateStr}${timeStr ? ` at ${timeStr}` : ''}</div>
+                    <div class="text-muted small">${webManager.utilities().escapeHTML(dateStr)}${timeStr ? ` at ${webManager.utilities().escapeHTML(timeStr)}` : ''}</div>
                   </div>
                 </div>
               </div>
               <div class="text-end">
-                ${getTimeSince(timestamp)}
+                <small class="text-muted">${webManager.utilities().escapeHTML(getTimeSince(timestamp))}</small>
               </div>
             </div>
           </div>
@@ -146,48 +146,40 @@ function formatTime(date) {
 
 // Get time since string
 function getTimeSince(timestamp) {
-  if (!timestamp) return '<small class="text-muted">Unknown</small>';
+  if (!timestamp) return 'Unknown';
 
   const now = Date.now();
   const diff = now - timestamp;
 
-  // Less than 1 minute
-  if (diff < 60000) {
-    return '<small class="text-success">Just now</small>';
-  }
+  if (diff < 60000) return 'Just now';
 
-  // Less than 1 hour
   if (diff < 3600000) {
     const minutes = Math.floor(diff / 60000);
-    return `<small class="text-muted">${minutes} min${minutes > 1 ? 's' : ''} ago</small>`;
+    return `${minutes} min${minutes > 1 ? 's' : ''} ago`;
   }
 
-  // Less than 24 hours
   if (diff < 86400000) {
     const hours = Math.floor(diff / 3600000);
-    return `<small class="text-muted">${hours} hour${hours > 1 ? 's' : ''} ago</small>`;
+    return `${hours} hour${hours > 1 ? 's' : ''} ago`;
   }
 
-  // Less than 7 days
   if (diff < 604800000) {
     const days = Math.floor(diff / 86400000);
-    return `<small class="text-muted">${days} day${days > 1 ? 's' : ''} ago</small>`;
+    return `${days} day${days > 1 ? 's' : ''} ago`;
   }
 
-  // Less than 30 days
   if (diff < 2592000000) {
     const weeks = Math.floor(diff / 604800000);
-    return `<small class="text-muted">${weeks} week${weeks > 1 ? 's' : ''} ago</small>`;
+    return `${weeks} week${weeks > 1 ? 's' : ''} ago`;
   }
 
-  // More than 30 days
   const months = Math.floor(diff / 2592000000);
   if (months < 12) {
-    return `<small class="text-muted">${months} month${months > 1 ? 's' : ''} ago</small>`;
+    return `${months} month${months > 1 ? 's' : ''} ago`;
   }
 
   const years = Math.floor(months / 12);
-  return `<small class="text-muted">${years} year${years > 1 ? 's' : ''} ago</small>`;
+  return `${years} year${years > 1 ? 's' : ''} ago`;
 }
 
 // Setup button handlers

package/dist/assets/js/pages/account/sections/refund.js

@@ -128,8 +128,8 @@ function populateRefundReasons() {
 
   $container.innerHTML = shuffled.map((reason, i) => `
     <div class="form-check mb-2">
-      <input class="form-check-input" type="radio" name="refund_reason" id="refund-reason-${i}" value="${reason}" required>
-      <label class="form-check-label" for="refund-reason-${i}">${reason}</label>
+      <input class="form-check-input" type="radio" name="refund_reason" id="refund-reason-${i}" value="${webManager.utilities().escapeHTML(reason)}" required>
+      <label class="form-check-label" for="refund-reason-${i}">${webManager.utilities().escapeHTML(reason)}</label>
     </div>
   `).join('');
 }

package/dist/assets/js/pages/account/sections/security.js

@@ -301,7 +301,7 @@ async function updateActiveSessions(account) {
           </div>
         </div>
         <div class="text-end">
-          <small class="text-muted">${formatDate(session.timestamp || (session.timestampUNIX * 1000))}</small>
+          <small class="text-muted">${webManager.utilities().escapeHTML(formatDate(session.timestamp || (session.timestampUNIX * 1000)))}</small>
           ${session.isCurrent ? '<span class="badge bg-primary ms-2">Current</span>' : ''}
         </div>
       </div>

package/dist/assets/js/pages/account/sections/team.js

@@ -66,7 +66,7 @@ function updateInviteStatus(invites) {
       <div class="d-flex justify-content-between align-items-center">
         <div>
           <strong>${webManager.utilities().escapeHTML(invite.email)}</strong>
-          <small class="text-muted d-block">Invited ${formatDate(invite.invitedAt)}</small>
+          <small class="text-muted d-block">Invited ${webManager.utilities().escapeHTML(formatDate(invite.invitedAt))}</small>
         </div>
         <div>
           <button class="btn btn-sm btn-outline-danger" data-action="cancel-invite" data-invite-id="${webManager.utilities().escapeHTML(invite.id)}">

package/dist/assets/js/pages/admin/calendar/campaign-preview.js

@@ -26,7 +26,13 @@ async function renderEmailPreview(formData) {
     md = new MarkdownIt({ html: true, breaks: true, linkify: true });
   }
 
-  const renderedContent = content ? md.render(content) : '<p class="text-muted">No content yet</p>';
+  const DOMPurify = (await import('dompurify')).default;
+  const renderedContent = content
+    ? DOMPurify.sanitize(md.render(content), {
+        ALLOWED_TAGS: ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'br', 'hr', 'ul', 'ol', 'li', 'a', 'b', 'strong', 'i', 'em', 'u', 's', 'del', 'blockquote', 'pre', 'code', 'img', 'table', 'thead', 'tbody', 'tr', 'th', 'td', 'div', 'span', 'sup', 'sub'],
+        ALLOWED_ATTR: ['href', 'src', 'alt', 'title', 'width', 'height', 'class', 'style', 'target', 'rel'],
+      })
+    : '<p class="text-muted">No content yet</p>';
 
   return `
     <div class="email-preview">

package/dist/defaults/dist/redirects/misc/search-cse.html

@@ -6,13 +6,5 @@ permalink: /search/cse
 ### REGULAR PAGES ###
 redirect:
   url: "https://cse.google.com/cse?cx={{ page.resolved.advertising.cse.site-id }}&ie=UTF-8"
-  modifier: "
-    function (url) {
-      var q = url.searchParams.get('q');
-
-      url.searchParams.set('q', 'site:' + window.location.origin + ' ' + q);
-
-      return url;
-    }
-  "
+  modifier: "search-cse"
 ---

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ultimate-jekyll-manager",
-  "version": "1.1.0",
+  "version": "1.1.2",
   "description": "Ultimate Jekyll dependency manager",
   "main": "dist/index.js",
   "exports": {
@@ -78,8 +78,9 @@
     "chart.js": "^4.5.1",
     "cheerio": "^1.2.0",
     "chrome-launcher": "^1.2.1",
+    "dompurify": "^3.3.3",
     "dotenv": "^17.4.1",
-    "fast-xml-parser": "^5.5.10",
+    "fast-xml-parser": "^5.5.11",
     "fs-jetpack": "^5.1.0",
     "glob": "^13.0.6",
     "gulp-clean-css": "^4.3.0",
@@ -99,14 +100,14 @@
     "minimatch": "^10.2.5",
     "node-powertools": "^3.0.0",
     "npm-api": "^1.0.1",
-    "postcss": "^8.5.8",
+    "postcss": "^8.5.9",
     "prettier": "^3.8.1",
     "sass": "^1.99.0",
     "spellchecker": "^3.7.1",
     "through2": "^4.0.2",
     "web-manager": "^4.1.37",
-    "webpack": "^5.105.4",
-    "wonderful-fetch": "^2.0.4",
+    "webpack": "^5.106.0",
+    "wonderful-fetch": "^2.0.5",
     "wonderful-version": "^1.3.2",
     "yargs": "^18.0.0"
   },
@@ -114,6 +115,6 @@
     "gulp": "^5.0.1"
   },
   "devDependencies": {
-    "prepare-package": "^2.0.7"
+    "prepare-package": "^2.0.8"
   }
 }