From e1ef3022b498a3710f5d6d0d9ee1aadda3721e27 Mon Sep 17 00:00:00 2001
From: JuliaKalder
Date: Tue, 12 May 2026 10:56:07 +0000
Subject: [PATCH] fix: escape user-controlled values in console log calls

Fixes log injection (CWE-117) by passing user-controlled strings as separate JSON.stringify'd arguments instead of interpolating them into template literals in console.warn/error calls.

Fixes JuliaKalder/TemplateWing#165
---
 modules/template-insert.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/template-insert.js b/modules/template-insert.js
index 30a412a..a72d5c5 100644
--- a/modules/template-insert.js
+++ b/modules/template-insert.js
@@ -176,12 +176,12 @@ export async function resolveNestedTemplates(text, visited, templatesById, templ
 }
 if (!nestedTemplate) {
- console.warn(`TemplateWing: referenced template not found: ${identifier}`);
+ console.warn("TemplateWing: referenced template not found:", JSON.stringify(identifier));
 continue;
 }
 if (visited.has(nestedTemplate.id)) {
- console.error(`TemplateWing: circular reference detected for template: ${nestedTemplate.name}`);
+ console.error("TemplateWing: circular reference detected for template:", JSON.stringify(nestedTemplate.name));
 throw new Error(`Circular reference detected: ${nestedTemplate.name}`);
 }
@@ -355,7 +355,7 @@ export async function insertTemplateIntoTab(tabId, template) {
 const file = new File([bytes], att.name, { type: att.type });
 await messenger.compose.addAttachment(tabId, { file, name: att.name });
 } catch (err) {
- console.error(`TemplateWing: failed to attach "${att.name}"`, err);
+ console.error("TemplateWing: failed to attach:", JSON.stringify(att.name), err);
 attachmentErrors.push(att.name);
 }
 }
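Review bot: The `throw new Error(\`Circular reference detected: ${nestedTemplate.name}\`)` line immediately after the fixed console.error still interpolates the raw template name, so the same value this commit escapes for the log reaches any caller that logs `err.message`; the change is `throw new Error(\`Circular reference detected: ${JSON.stringify(nestedTemplate.name)}\`);`, or keep the message fixed and carry the name on a property if callers display it. A caveat worth a comment at the first console.warn: JSON.stringify escapes `"`, `\` and C0 control characters (so CR/LF cannot forge a log line) but leaves U+2028/U+2029 unescaped, so a log viewer that treats those as line terminators still sees a split line — `// JSON.stringify neutralises CR/LF and C0 controls; U+2028/2029 pass through` would record that limit. resolveNestedTemplates starts and ends outside the hunk.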
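Review bot: `attachmentErrors.push(att.name)` on the line after the fixed console.error still collects the unescaped attachment name, so wherever that array is later rendered (presumably a notification or a summary log, not visible in this hunk) the value arrives raw and the CWE-117 fix depends on the consumer escaping it again. Either escape at the consumer with the same JSON.stringify treatment or note the contract here: `// raw name: escape before logging or interpolating into UI text`. The `err` passed as the third argument is also logged verbatim; if its message embeds the file name that is a further unescaped path, though that cannot be confirmed from the hunk. insertTemplateIntoTab begins outside the hunk.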