From e49b63170902cb4cbdf0a5f98f3b6a725d5601b4 Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Tue, 21 Apr 2026 11:12:45 -0700
Subject: [PATCH 1/2] fix(security): 2 improvements across 2 files

- Security: DOM-based XSS via unsanitized query parameters
- Security: DOM-based XSS in live preview error page translations

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 src-node/www/phoenix-splash/error.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src-node/www/phoenix-splash/error.html b/src-node/www/phoenix-splash/error.html
index ec67c17a6a..2b712ed0a3 100644
--- a/src-node/www/phoenix-splash/error.html
+++ b/src-node/www/phoenix-splash/error.html
@@ -8,10 +8,10 @@
 const urlSearchParams = new URLSearchParams(window.location.search);
 const params = Object.fromEntries(urlSearchParams.entries());
 if(params.mainHeading){
- document.getElementById("mainHeading").innerHTML = decodeURIComponent(params.mainHeading);
+ document.getElementById("mainHeading").textContent = decodeURIComponent(params.mainHeading);
 }
 if(params.mainSpan){
- document.getElementById("mainSpan").innerHTML = decodeURIComponent(params.mainSpan);
+ document.getElementById("mainSpan").textContent = decodeURIComponent(params.mainSpan);
 }
 }

From 930e7e3b580c4f1032ede2c6eceb72fa4be0f4b3 Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Tue, 21 Apr 2026 11:12:46 -0700
Subject: [PATCH 2/2] fix(security): 2 improvements across 2 files

- Security: DOM-based XSS via unsanitized query parameters
- Security: DOM-based XSS in live preview error page translations

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 src/assets/phoenix-splash/live-preview-error.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/assets/phoenix-splash/live-preview-error.html b/src/assets/phoenix-splash/live-preview-error.html
index a8b73d5bb5..4b2c591f51 100644
--- a/src/assets/phoenix-splash/live-preview-error.html
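Review bot: The `decodeURIComponent(...)` wrapped around both new `textContent` assignments is redundant and is itself a failure point: `URLSearchParams` already percent-decodes its values, so the second decode changes nothing for well-formed input and throws `URIError` on a stray `%` or an invalid escape, which aborts the whole script block before either element is filled in. Assigning the value directly, `document.getElementById("mainHeading").textContent = params.mainHeading;` and likewise `document.getElementById("mainSpan").textContent = params.mainSpan;`, keeps the XSS fix (textContent is the right sink) and removes the crash path; if a second decode is intentional for callers that pre-encode, guard it with a try/catch that falls back to the raw value. The same applies to the identical hunk in the second patch, live-preview-error.html. The enclosing function starts before this hunk, so the surrounding error handling, if any, is not visible here.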
+++ b/src/assets/phoenix-splash/live-preview-error.html
@@ -9,10 +9,10 @@
 const urlSearchParams = new URLSearchParams(window.location.search);
 const params = Object.fromEntries(urlSearchParams.entries());
 if(params.mainHeading){
- document.getElementById("mainHeading").innerHTML = decodeURIComponent(params.mainHeading);
+ document.getElementById("mainHeading").textContent = decodeURIComponent(params.mainHeading);
 }
 if(params.mainSpan){
- document.getElementById("mainSpan").innerHTML = decodeURIComponent(params.mainSpan);
+ document.getElementById("mainSpan").textContent = decodeURIComponent(params.mainSpan);
 }
 }