From e1ee99ac9cc7fe411d7a0008a5ddb96ed24cb1fd Mon Sep 17 00:00:00 2001
From: Marcus Quinn <6428977+marcusquinn@users.noreply.github.com>
Date: Tue, 17 Mar 2026 19:33:04 +0000
Subject: [PATCH] fix: validate type parameter against allow-list in showMessage (#83)

Adds allow-list validation for the 'type' parameter in showMessage() to prevent class injection vulnerabilities. The type is now checked against ['success', 'error'] before being passed to addClass(), with a safe fallback to 'error' for any unexpected values.

Addresses review feedback from PR #47 (gemini-code-assist finding).

Closes #76
---
 admin/js/update-source-selector.js | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/admin/js/update-source-selector.js b/admin/js/update-source-selector.js
index 3b2c1da..af92df5 100644
--- a/admin/js/update-source-selector.js
+++ b/admin/js/update-source-selector.js
@@ -147,17 +147,21 @@
 /**
  * Show a message in the modal
  *
- * @param {string} type Message type (success, error)
+ * @param {string} type Message type (success, error)
  * @param {string} message Message text
  */
 showMessage: function (type, message) {
 const $message = this.$modal.find( '.wpst-modal-message' );
- // Set message as plain text to prevent XSS, then apply type class.
- $message.text( message ).removeClass( 'success error' ).addClass( type ).show();
+ // Validate type against allow-list to prevent class injection vulnerabilities.
+ const allowedTypes = [ 'success', 'error' ];
+ const safeType = allowedTypes.includes( type ) ? type : 'error';
+
+ // Set message as plain text to prevent XSS, then apply validated type class.
+ $message.text( message ).removeClass( 'success error' ).addClass( safeType ).show();
 // Hide message after a delay for success messages.
- if (type === 'success') {
+ if (safeType === 'success') {
 setTimeout( function () {
 $message.fadeOut( 300 );