Updates

PDowney · web-flow · commit e0ae6075fb0e · 2025-11-25T02:16:46.000-05:00
diff --git a/.github/ci-config/enginescript-variables-ci.txt b/.github/ci-config/enginescript-variables-ci.txt
@@ -24,7 +24,6 @@ SSE_PLUGIN_VER="1.9.1"
 SWPO_PLUGIN_VER="1.8.0"
 
 # Frontend Dependencies  
-CHARTJS_VER="4.5.1"
 FONTAWESOME_VER="7.0.1"
 TINYFILEMANAGER_VER="2.6"
 
diff --git a/.github/workflows/software-version-check.yml b/.github/workflows/software-version-check.yml
@@ -283,19 +283,6 @@ jobs:
             fi
           fi
           
-          # Chart.js
-          echo "::debug::Fetching Chart.js version..."
-          CHARTJS_API_RESPONSE=$(curl -s https://api.github.com/repos/chartjs/Chart.js/releases/latest)
-          echo "::debug::Chart.js API Response: $CHARTJS_API_RESPONSE"
-          
-          LATEST_CHARTJS=$(echo "$CHARTJS_API_RESPONSE" | jq -r '.tag_name // empty' | sed 's/v//')
-          echo "::debug::Parsed Chart.js version: '$LATEST_CHARTJS'"
-          
-          if [[ -n "$LATEST_CHARTJS" && "$LATEST_CHARTJS" != "null" ]]; then
-            check_version "CHARTJS_VER" "$LATEST_CHARTJS"
-          else
-            echo "::warning::Failed to fetch Chart.js version, keeping current version"
-          fi
           
           # Font Awesome (restricted to 7.0.x releases)
           echo "::debug::Fetching Font Awesome 7.0.x version..."
@@ -362,7 +349,6 @@ jobs:
                 -e "s#^(\\|MARIADB\\|)[^|]*#\1$(get_current_version MARIADB_VER)#" \
                 -e "s#^(\\|PLUGIN: EngineScript: Simple Site Exporter\\|)[^|]*#\1$(get_current_version SSE_PLUGIN_VER)#" \
                 -e "s#^(\\|PLUGIN: EngineScript: Simple WP Optimizer\\|)[^|]*#\1$(get_current_version SWPO_PLUGIN_VER)#" \
-                -e "s#^(\\|Chart\\.js\\|)[^|]*#\1$(get_current_version CHARTJS_VER)#" \
                 -e "s#^(\\|Font Awesome\\|)[^|]*#\1$(get_current_version FONTAWESOME_VER)#" \
                 -e "s#^(\\|TinyFileManager\\|)[^|]*#\1$(get_current_version TINYFILEMANAGER_VER)#" \
                 README.md
diff --git a/config/var/www/admin/control-panel/api.php b/config/var/www/admin/control-panel/api.php
@@ -309,16 +309,15 @@ function sanitizeOutput($data) {
 }
 
 function logSecurityEvent($event, $details = '') { // codacy:ignore - Direct $_SERVER access required for security logging in standalone API
-    // Sanitize all log inputs to prevent log injection attacks
-    $safe_event = preg_replace('/[\r\n\t]/', ' ', $event);
-    $safe_event = substr(trim($safe_event), 0, 255); // Limit length
+    // Enhanced log injection protection
+    // Sanitize all log inputs to prevent log injection/forging attacks
+    $safe_event = sanitizeLogInput($event);
     
     $log_entry = date('Y-m-d H:i:s') . " [SECURITY] " . $safe_event;
     
     if ($details) {
-        // Sanitize details to prevent log injection
-        $safe_details = preg_replace('/[\r\n\t]/', ' ', $details);
-        $safe_details = substr(trim($safe_details), 0, 255); // Limit length
+        // Sanitize details using same function
+        $safe_details = sanitizeLogInput($details);
         $log_entry .= " - " . $safe_details;
     }
     
@@ -337,6 +336,28 @@ function logSecurityEvent($event, $details = '') { // codacy:ignore - Direct $_S
     error_log($log_entry, 3, $log_file);
 }
 
+/**
+ * Sanitize input for safe log output
+ * Prevents log injection attacks by escaping control characters
+ * @param string $input Raw input to sanitize
+ * @return string Sanitized string safe for logging
+ */
+function sanitizeLogInput($input) {
+    // Remove all control characters (ASCII 0-31 and 127)
+    // This includes \r, \n, \t, and other dangerous characters
+    $sanitized = preg_replace('/[\x00-\x1F\x7F]/', ' ', $input);
+    
+    // Collapse multiple spaces
+    $sanitized = preg_replace('/\s+/', ' ', $sanitized);
+    
+    // Limit length to prevent log flooding
+    $sanitized = substr(trim($sanitized), 0, 255);
+    
+    // Encode any remaining special characters for safe output
+    // This prevents log format string attacks
+    return addcslashes($sanitized, '\\');
+}
+
 // Path was already extracted and validated above, validate again for security
 if (strlen($path) > 100 || !preg_match('/^\/[a-zA-Z0-9\/_-]*$/', $path)) {
     http_response_code(400);
diff --git a/config/var/www/admin/control-panel/dashboard.css b/config/var/www/admin/control-panel/dashboard.css
@@ -14,7 +14,7 @@
     --accent-hover: #00c49a;
     --text-primary: #fff;
     --text-secondary: #b3b3b3;
-    --text-muted: #808080;
+    --text-muted: #9a9a9a;
     --border-color: #444;
     --success-color: #00d4aa;
     --warning-color: #ffb800;
diff --git a/config/var/www/admin/control-panel/dashboard.js b/config/var/www/admin/control-panel/dashboard.js
@@ -3,7 +3,6 @@
 
 import { DashboardAPI } from './modules/api.js?v=2025.11.21.09';
 import { DashboardState } from './modules/state.js?v=2025.11.21.09';
-import { DashboardCharts } from './modules/charts.js?v=2025.11.21.09';
 import { DashboardUtils } from './modules/utils.js?v=2025.11.21.09';
 // External services loaded dynamically when needed (lazy loading)
 
@@ -12,7 +11,6 @@ class EngineScriptDashboard {
     // Initialize modules
     this.api = new DashboardAPI();
     this.state = new DashboardState();
-    this.charts = new DashboardCharts();
     this.utils = new DashboardUtils();
     this.externalServices = null; // Lazy loaded when needed
 
@@ -212,15 +210,81 @@ class EngineScriptDashboard {
   toggleMobileMenu() {
     const sidebar = document.querySelector(".sidebar");
     if (sidebar) {
+      const isOpening = !sidebar.classList.contains("mobile-open");
       sidebar.classList.toggle("mobile-open");
+      
+      // Manage focus when menu opens/closes
+      if (isOpening) {
+        this.setupMobileFocusTrap(sidebar);
+      } else {
+        this.removeMobileFocusTrap();
+        // Return focus to toggle button
+        const mobileToggle = document.getElementById("mobile-menu-toggle");
+        if (mobileToggle) mobileToggle.focus();
+      }
     }
   }
 
   closeMobileMenu() {
     const sidebar = document.querySelector(".sidebar");
     if (sidebar) {
       sidebar.classList.remove("mobile-open");
+      this.removeMobileFocusTrap();
+      // Return focus to toggle button
+      const mobileToggle = document.getElementById("mobile-menu-toggle");
+      if (mobileToggle) mobileToggle.focus();
+    }
+  }
+
+  /**
+   * Set up focus trap for mobile menu accessibility
+   * Prevents focus from escaping the menu overlay when open
+   */
+  setupMobileFocusTrap(sidebar) {
+    // Get all focusable elements in sidebar
+    const focusableSelector = 'a[href], button, [tabindex]:not([tabindex="-1"])';
+    const focusableElements = sidebar.querySelectorAll(focusableSelector);
+    
+    if (focusableElements.length === 0) return;
+    
+    this.firstFocusable = focusableElements[0];
+    this.lastFocusable = focusableElements[focusableElements.length - 1];
+    
+    // Focus first element when menu opens
+    this.firstFocusable.focus();
+    
+    // Store bound handler for removal
+    this.focusTrapHandler = (e) => {
+      if (e.key !== 'Tab') return;
+      
+      if (e.shiftKey) {
+        // Shift+Tab: if on first element, wrap to last
+        if (document.activeElement === this.firstFocusable) {
+          e.preventDefault();
+          this.lastFocusable.focus();
+        }
+      } else {
+        // Tab: if on last element, wrap to first
+        if (document.activeElement === this.lastFocusable) {
+          e.preventDefault();
+          this.firstFocusable.focus();
+        }
+      }
+    };
+    
+    document.addEventListener('keydown', this.focusTrapHandler);
+  }
+
+  /**
+   * Remove focus trap when mobile menu closes
+   */
+  removeMobileFocusTrap() {
+    if (this.focusTrapHandler) {
+      document.removeEventListener('keydown', this.focusTrapHandler);
+      this.focusTrapHandler = null;
     }
+    this.firstFocusable = null;
+    this.lastFocusable = null;
   }
 
   setupKeyboardShortcuts() {
diff --git a/config/var/www/admin/control-panel/external-services/external-services-api.php b/config/var/www/admin/control-panel/external-services/external-services-api.php
@@ -672,10 +672,10 @@ function handleStatusFeed() {
         
         // Sanitize filter parameter to prevent injection
         if ($filter !== null) {
-            // Allow alphanumeric, spaces, hyphens, periods, parentheses for service names
-            $filter = preg_replace('/[^a-zA-Z0-9 \-\.\(\)]/', '', $filter);
+            // Restrict to alphanumeric, hyphens, underscores only (removed spaces/parentheses as injection vectors)
+            $filter = preg_replace('/[^a-zA-Z0-9_-]/', '', $filter);
             // Limit length to reasonable service name size
-            $filter = substr($filter, 0, 100);
+            $filter = substr($filter, 0, 50);
             if (empty($filter)) {
                 $filter = null;
             }
diff --git a/config/var/www/admin/control-panel/external-services/external-services.js b/config/var/www/admin/control-panel/external-services/external-services.js
@@ -751,15 +751,18 @@ export class ExternalServicesManager {
       date.setTime(date.getTime() + (days * 24 * 60 * 60 * 1000));
       expires = "; expires=" + date.toUTCString();
     }
-    // Set cookie with SameSite=Lax for security
-    document.cookie = name + "=" + (value || "") + expires + "; path=/; SameSite=Lax";
+    // Set cookie with Secure, HttpOnly cannot be set via JS, SameSite=Strict for maximum security
+    // Secure flag ensures cookie only sent over HTTPS
+    // SameSite=Strict prevents CSRF attacks (stricter than Lax)
+    document.cookie = name + "=" + (value || "") + expires + "; path=/; SameSite=Strict; Secure";
   }
 
   /**
    * Delete cookie
+   * Include Secure flag in deletion for consistency
    */
   deleteCookie(name) {
-    document.cookie = name + '=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;';
+    document.cookie = name + '=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/; SameSite=Strict; Secure';
   }
 
   // ============ Service Preferences ============
diff --git a/config/var/www/admin/control-panel/index.html b/config/var/www/admin/control-panel/index.html
@@ -8,7 +8,6 @@
     <link rel="icon" type="image/png" href="favicon.png">
     
     <!-- External Dependencies -->
-    <script src="https://cdn.jsdelivr.net/npm/chart.js@{CHARTJS_VER}/dist/chart.umd.js" data-cfasync="false"></script>
     <link href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/{FONTAWESOME_VER}/css/all.min.css" rel="stylesheet" crossorigin="anonymous">
     
     <!-- Custom Styles -->
diff --git a/config/var/www/admin/control-panel/modules/charts.js b/config/var/www/admin/control-panel/modules/charts.js
@@ -1,8 +1,14 @@
 // EngineScript Admin Dashboard - Charts Module
-// Handles Chart.js initialization and management
+// DEPRECATED - Chart.js removed from project
+// This module is no longer imported or used
+// Kept for reference only - safe to delete
 
+/**
+ * @deprecated No longer used - Chart.js dependency removed
+ */
 export class DashboardCharts {
   constructor() {
+    console.warn('DashboardCharts is deprecated and no longer used');
     this.charts = {};
   }
 
diff --git a/enginescript-variables.txt b/enginescript-variables.txt
@@ -24,7 +24,6 @@ SSE_PLUGIN_VER="1.9.1"
 SWPO_PLUGIN_VER="1.8.0"
 
 # Frontend Dependencies  
-CHARTJS_VER="4.5.1"
 FONTAWESOME_VER="7.0.1"
 TINYFILEMANAGER_VER="2.6"
 
diff --git a/scripts/install/tools/frontend/admin-control-panel-install.sh b/scripts/install/tools/frontend/admin-control-panel-install.sh
@@ -25,7 +25,6 @@ cd /usr/src
 cp -a /usr/local/bin/enginescript/config/var/www/admin/control-panel/. /var/www/admin/enginescript/
 
 # Substitute frontend dependency versions
-sed -i "s|{CHARTJS_VER}|${CHARTJS_VER}|g" /var/www/admin/enginescript/index.html
 sed -i "s|{FONTAWESOME_VER}|${FONTAWESOME_VER}|g" /var/www/admin/enginescript/index.html
 
 # Remove Adminer tool card if INSTALL_ADMINER=0
