From 4979a4a336628266fbd488dbfe7935da4a25a3e7 Mon Sep 17 00:00:00 2001
From: chschan <carmen.chan@displayr.com>
Date: Fri, 12 Jun 2026 15:29:20 +1000
Subject: [PATCH 1/4] RS-22478: fix stored XSS in dendrogram node tooltips

HTML-escape the node name and column names before building the tooltip
table so untrusted label data is not parsed as HTML. Rebuilt the
inst/htmlwidgets bundle.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 inst/htmlwidgets/lib/dendroNetwork/dendroNetwork.js | 12 ++++++++++--
 package.json                                        |  3 +++
 theSrc/scripts/lib/dendroNetwork/dendroNetwork.js   | 12 ++++++++++--
 3 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/inst/htmlwidgets/lib/dendroNetwork/dendroNetwork.js b/inst/htmlwidgets/lib/dendroNetwork/dendroNetwork.js
index d1e99fa..e9b84d2 100644
--- a/inst/htmlwidgets/lib/dendroNetwork/dendroNetwork.js
+++ b/inst/htmlwidgets/lib/dendroNetwork/dendroNetwork.js
@@ -523,6 +523,14 @@ function DendroNetwork() {
 
       var maxBarLength = 50;
       var tipBarScale = d3.scaleLinear().domain([tipMin/2, tipMax]).range([0, maxBarLength])
+      var escapeTipHtml = function (value) {
+        return String(value)
+          .replace(/&/g, "&amp;")
+          .replace(/</g, "&lt;")
+          .replace(/>/g, "&gt;")
+          .replace(/"/g, "&quot;")
+          .replace(/'/g, "&#39;");
+      };
       node.each(function(d) {
         if (d.data.tips) {
           var ft_s = options.tooltipsFontSize;
@@ -530,10 +538,10 @@ function DendroNetwork() {
           var t = "";
           var nval = d.data.tips.length;
           t = t + "<div class='tipTableContainer' style='white-space:nowrap;" + "font-size:" + ft_s + "px;font-family:" + ft_f + ";'>";
-          t = t + "Name: " + d.data.name + "<br>" + "<table class='tipTable'>";
+          t = t + "Name: " + escapeTipHtml(d.data.name) + "<br>" + "<table class='tipTable'>";
           for (var i = 0; i < nval; i++) {
               t = t + "<tr>";
-              t = t + "<td class='tipDClassification' style='white-space:nowrap;" + "font-size:" + ft_s + "px;font-family:" + ft_f + ";'>" + options.colnames[i] + "</td>";
+              t = t + "<td class='tipDClassification' style='white-space:nowrap;" + "font-size:" + ft_s + "px;font-family:" + ft_f + ";'>" + escapeTipHtml(options.colnames[i]) + "</td>";
               t = t + "<td class='tipDClassification' style='white-space:nowrap;'>";
               t = t + "<div style='width:" + tipBarScale(d.data.tips[i]) + "px;height:8px;background-color:steelblue'></div>" + "</td>";
               t = t + "</tr>";
diff --git a/package.json b/package.json
index 6bcc72c..b6e593d 100644
--- a/package.json
+++ b/package.json
@@ -3,6 +3,9 @@
   "engines": {
     "node": ">=6.9.5"
   },
+  "overrides": {
+    "graceful-fs": "^4.2.11"
+  },
   "devDependencies": {
     "babel-plugin-array-includes": "^2.0.3",
     "babel-plugin-transform-object-assign": "^6.22.0",
diff --git a/theSrc/scripts/lib/dendroNetwork/dendroNetwork.js b/theSrc/scripts/lib/dendroNetwork/dendroNetwork.js
index d1e99fa..e9b84d2 100644
--- a/theSrc/scripts/lib/dendroNetwork/dendroNetwork.js
+++ b/theSrc/scripts/lib/dendroNetwork/dendroNetwork.js
@@ -523,6 +523,14 @@ function DendroNetwork() {
 
       var maxBarLength = 50;
       var tipBarScale = d3.scaleLinear().domain([tipMin/2, tipMax]).range([0, maxBarLength])
+      var escapeTipHtml = function (value) {
+        return String(value)
+          .replace(/&/g, "&amp;")
+          .replace(/</g, "&lt;")
+          .replace(/>/g, "&gt;")
+          .replace(/"/g, "&quot;")
+          .replace(/'/g, "&#39;");
+      };
       node.each(function(d) {
         if (d.data.tips) {
           var ft_s = options.tooltipsFontSize;
@@ -530,10 +538,10 @@ function DendroNetwork() {
           var t = "";
           var nval = d.data.tips.length;
           t = t + "<div class='tipTableContainer' style='white-space:nowrap;" + "font-size:" + ft_s + "px;font-family:" + ft_f + ";'>";
-          t = t + "Name: " + d.data.name + "<br>" + "<table class='tipTable'>";
+          t = t + "Name: " + escapeTipHtml(d.data.name) + "<br>" + "<table class='tipTable'>";
           for (var i = 0; i < nval; i++) {
               t = t + "<tr>";
-              t = t + "<td class='tipDClassification' style='white-space:nowrap;" + "font-size:" + ft_s + "px;font-family:" + ft_f + ";'>" + options.colnames[i] + "</td>";
+              t = t + "<td class='tipDClassification' style='white-space:nowrap;" + "font-size:" + ft_s + "px;font-family:" + ft_f + ";'>" + escapeTipHtml(options.colnames[i]) + "</td>";
               t = t + "<td class='tipDClassification' style='white-space:nowrap;'>";
               t = t + "<div style='width:" + tipBarScale(d.data.tips[i]) + "px;height:8px;background-color:steelblue'></div>" + "</td>";
               t = t + "</tr>";

From cc1548d4f4c1f91481c15349964b0b43d5e745ec Mon Sep 17 00:00:00 2001
From: chschan <carmen.chan@displayr.com>
Date: Fri, 12 Jun 2026 15:59:51 +1000
Subject: [PATCH 2/4] Bump version

---
 DESCRIPTION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/DESCRIPTION b/DESCRIPTION
index 3b45a23..6e27e1e 100644
--- a/DESCRIPTION
+++ b/DESCRIPTION
@@ -1,7 +1,7 @@
 Package: rhtmlDendrogram
 Type: Package
 Title: What the Package Does (Title Case)
-Version: 1.0.0
+Version: 1.0.1
 Author: Who wrote it
 Maintainer: The package maintainer <yourself@somewhere.net>
 Description: More about what it does (maybe more than one line)

From 424ca331f2be84fa001b55ce3ee45f3e04e2b800 Mon Sep 17 00:00:00 2001
From: chschan <carmen.chan@displayr.com>
Date: Fri, 12 Jun 2026 16:18:55 +1000
Subject: [PATCH 3/4] RS-22478: escape font-family in dendrogram tooltip style
 attribute

The tooltip font-family comes unvalidated from config and is interpolated
into an HTML style attribute, so escape it too (defense in depth). Rebuilt
the copied inst/htmlwidgets bundle.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 inst/htmlwidgets/lib/dendroNetwork/dendroNetwork.js | 4 ++--
 theSrc/scripts/lib/dendroNetwork/dendroNetwork.js   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/inst/htmlwidgets/lib/dendroNetwork/dendroNetwork.js b/inst/htmlwidgets/lib/dendroNetwork/dendroNetwork.js
index e9b84d2..f1482ce 100644
--- a/inst/htmlwidgets/lib/dendroNetwork/dendroNetwork.js
+++ b/inst/htmlwidgets/lib/dendroNetwork/dendroNetwork.js
@@ -537,11 +537,11 @@ function DendroNetwork() {
           var ft_f = options.tooltipsFontFamily;
           var t = "";
           var nval = d.data.tips.length;
-          t = t + "<div class='tipTableContainer' style='white-space:nowrap;" + "font-size:" + ft_s + "px;font-family:" + ft_f + ";'>";
+          t = t + "<div class='tipTableContainer' style='white-space:nowrap;" + "font-size:" + ft_s + "px;font-family:" + escapeTipHtml(ft_f) + ";'>";
           t = t + "Name: " + escapeTipHtml(d.data.name) + "<br>" + "<table class='tipTable'>";
           for (var i = 0; i < nval; i++) {
               t = t + "<tr>";
-              t = t + "<td class='tipDClassification' style='white-space:nowrap;" + "font-size:" + ft_s + "px;font-family:" + ft_f + ";'>" + escapeTipHtml(options.colnames[i]) + "</td>";
+              t = t + "<td class='tipDClassification' style='white-space:nowrap;" + "font-size:" + ft_s + "px;font-family:" + escapeTipHtml(ft_f) + ";'>" + escapeTipHtml(options.colnames[i]) + "</td>";
               t = t + "<td class='tipDClassification' style='white-space:nowrap;'>";
               t = t + "<div style='width:" + tipBarScale(d.data.tips[i]) + "px;height:8px;background-color:steelblue'></div>" + "</td>";
               t = t + "</tr>";
diff --git a/theSrc/scripts/lib/dendroNetwork/dendroNetwork.js b/theSrc/scripts/lib/dendroNetwork/dendroNetwork.js
index e9b84d2..f1482ce 100644
--- a/theSrc/scripts/lib/dendroNetwork/dendroNetwork.js
+++ b/theSrc/scripts/lib/dendroNetwork/dendroNetwork.js
@@ -537,11 +537,11 @@ function DendroNetwork() {
           var ft_f = options.tooltipsFontFamily;
           var t = "";
           var nval = d.data.tips.length;
-          t = t + "<div class='tipTableContainer' style='white-space:nowrap;" + "font-size:" + ft_s + "px;font-family:" + ft_f + ";'>";
+          t = t + "<div class='tipTableContainer' style='white-space:nowrap;" + "font-size:" + ft_s + "px;font-family:" + escapeTipHtml(ft_f) + ";'>";
           t = t + "Name: " + escapeTipHtml(d.data.name) + "<br>" + "<table class='tipTable'>";
           for (var i = 0; i < nval; i++) {
               t = t + "<tr>";
-              t = t + "<td class='tipDClassification' style='white-space:nowrap;" + "font-size:" + ft_s + "px;font-family:" + ft_f + ";'>" + escapeTipHtml(options.colnames[i]) + "</td>";
+              t = t + "<td class='tipDClassification' style='white-space:nowrap;" + "font-size:" + ft_s + "px;font-family:" + escapeTipHtml(ft_f) + ";'>" + escapeTipHtml(options.colnames[i]) + "</td>";
               t = t + "<td class='tipDClassification' style='white-space:nowrap;'>";
               t = t + "<div style='width:" + tipBarScale(d.data.tips[i]) + "px;height:8px;background-color:steelblue'></div>" + "</td>";
               t = t + "</tr>";

From c84805dfb0220f61a169349cbf9d5f7b5820adb2 Mon Sep 17 00:00:00 2001
From: chschan <carmen.chan@displayr.com>
Date: Fri, 12 Jun 2026 16:48:38 +1000
Subject: [PATCH 4/4] Fix build

---
 .Rbuildignore |  1 +
 DESCRIPTION   | 11 +++++------
 README.md     |  2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.Rbuildignore b/.Rbuildignore
index 91114bf..3912071 100644
--- a/.Rbuildignore
+++ b/.Rbuildignore
@@ -1,2 +1,3 @@
 ^.*\.Rproj$
 ^\.Rproj\.user$
+^\.github$
diff --git a/DESCRIPTION b/DESCRIPTION
index 6e27e1e..1085138 100644
--- a/DESCRIPTION
+++ b/DESCRIPTION
@@ -1,12 +1,11 @@
 Package: rhtmlDendrogram
 Type: Package
-Title: What the Package Does (Title Case)
+Title: R htmlwidget package for creating interactive dendrograms
 Version: 1.0.1
-Author: Who wrote it
-Maintainer: The package maintainer <yourself@somewhere.net>
-Description: More about what it does (maybe more than one line)
-    Use four spaces when indenting paragraphs within the Description.
-License: What license is it under?
+Author: Displayr <opensource@displayr.com>
+Maintainer: Displayr <opensource@displayr.com>
+Description: R htmlwidget package for creating interactive dendrograms.
+License: GPL-3
 Imports: htmlwidgets
 Encoding: UTF-8
 LazyData: true
diff --git a/README.md b/README.md
index 23aafbd..62ae3c6 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 [![Coverage Status](https://coveralls.io/repos/github/Displayr/rhtmlDendrogram/badge.svg?branch=master)](https://coveralls.io/github/Displayr/rhtmlDendrogram?branch=master)
 # rhtmlDendrogram
 
-What the Package Does (Title Case)
+R htmlwidget package for creating interactive dendrograms
 
 ## Installation