mstrhakr · mstrhakr · Feb 13, 2026 · Feb 12, 2026 · Feb 12, 2026 · Feb 12, 2026
diff --git a/source/compose.manager/compose.manager.dashboard.page b/source/compose.manager/compose.manager.dashboard.page
@@ -70,7 +70,6 @@ EOT;
 // Debug setting from config
 $debugEnabled = isset($cfg['DEBUG_TO_LOG']) && $cfg['DEBUG_TO_LOG'] === 'true' ? 'true' : 'false';
 $hideComposeContainersJs = $hideDockerComposeContainers ? 'true' : 'false';
-
 // CSS and JavaScript
 $configScript = <<<EOT
 <script>
@@ -166,6 +165,25 @@ $script = <<<'EOT'
         }
     }
 
+    // HTML escape function to prevent XSS
+    function escapeHtml(text) {
+        if (text === null || text === undefined) return '';
+        var div = document.createElement('div');
+        div.textContent = String(text);
+        return div.innerHTML;
+    }
+
+    // Escape for HTML attributes (more strict)
+    function escapeAttr(text) {
+        if (text === null || text === undefined) return '';
+        return String(text)
+            .replace(/&/g, '&amp;')
+            .replace(/"/g, '&quot;')
+            .replace(/'/g, '&#39;')
+            .replace(/</g, '&lt;')
+            .replace(/>/g, '&gt;');
+    }
+
     // Resolve WebUI URL placeholders for a container
     // As of this version, WebUI URLs are resolved server-side in exec.php
     // (matching Unraid's DockerClient logic for IP/PORT resolution).
@@ -446,10 +464,9 @@ $script = <<<'EOT'
                         var stateText = isRunning ? 'started' : 'stopped';
                         var ctElId = 'dash-ct-' + ct.ID.substring(0, 12);
                         var imgSrc = ct.Icon || '/plugins/dynamix.docker.manager/images/question.png';
-                        var escapedName = ct.Name.replace(/'/g, "\\'");
-                        var webui = resolveContainerWebUI(ct.WebUI).replace(/'/g, "\\'");
-                        var shell = (ct.Shell || '/bin/bash').replace(/'/g, "\\'");
+                        var shell = ct.Shell || '/bin/bash';
                         var shortId = ct.ID.substring(0, 12);
+                        var webui = resolveContainerWebUI(ct.WebUI);
                         // Parse image to get repo and tag
                         var image = ct.Image || '';
                         var imageDisplay = image.replace(/^.*\//, ''); // Remove registry prefix
@@ -471,8 +488,8 @@ $script = <<<'EOT'
                         var ctUptime = formatUptime(ct.StartedAt, isRunning);
 
                         html += '<div class="compose-dash-container">';
-                        html += '<span class="compose-dash-ct-icon" id="' + ctElId + '" onclick="addContainerContext(\'' + ctElId + '\',\'' + escapedName + '\',\'' + shortId + '\',' + isRunning + ',\'' + webui + '\',\'' + shell + '\')">';
-                        html += '<img src="' + imgSrc + '" onerror="this.src=\'/plugins/dynamix.docker.manager/images/question.png\';">';
+                        html += '<span class="compose-dash-ct-icon" id="' + ctElId + '" data-ct-name="' + ct.Name + '" data-ct-id="' + shortId + '" data-ct-running="' + (isRunning ? '1' : '0') + '" data-ct-webui="' + escapeAttr(webui) + '" data-ct-shell="' + escapeAttr(shell) + '">';
+                        html += '<img src="' + escapeAttr(imgSrc) + '" onerror="this.src=\'/plugins/dynamix.docker.manager/images/question.png\';">';
                         html += '</span>';
                         html += '<span class="compose-dash-ct-info">';
                         html += '<div class="compose-dash-ct-name">' + ct.Name + '</div>';
@@ -540,14 +557,13 @@ $script = <<<'EOT'
                     var uptimeText = formatUptime(stack.startedAt, isRunning);
 
                     // WebUI
-                    var webui = (stack.webui || '').replace(/'/g, "\\'");
+                    var webui = (stack.webui || '');
 
-                    var escapedFolder = stack.folder.replace(/'/g, "\\'");
                     // Add state class for filtering (like Docker tile)
                     var stateClass = state === 'stopped' ? 'stopped' : 'started';
-                    html += '<div class="compose-dash-stack outer stacks ' + stateClass + '" data-stackid="' + stackId + '" data-folder="' + escapedFolder + '">';
+                    html += '<div class="compose-dash-stack outer stacks ' + stateClass + '" data-stackid="' + stackId + '" data-folder="' + stack.folder + '">';
                     html += '<i class="fa fa-chevron-right compose-dash-expand" id="compose-dash-exp-' + stackId + '"></i>';
-                    html += '<span class="compose-dash-icon" id="compose-dash-icon-' + stackId + '" onclick="addStackContext(\'compose-dash-icon-' + stackId + '\',\'' + escapedFolder + '\',' + isRunning + ',\'' + webui + '\')"><img src="' + imgSrc + '" onerror="this.src=\'/plugins/dynamix.docker.manager/images/question.png\';"></span>';
+                    html += '<span class="compose-dash-icon" id="compose-dash-icon-' + stackId + '" data-stack-folder="' + stack.folder + '" data-stack-running="' + (isRunning ? '1' : '0') + '" data-stack-webui="' + escapeAttr(webui) + '"><img src="' + escapeAttr(imgSrc) + '" onerror="this.src=\'/plugins/dynamix.docker.manager/images/question.png\';"></span>';
                     html += '<span class="compose-dash-info">';
                     html += '<div class="compose-dash-name">' + $('<div>').text(stack.name).html() + '</div>';
                     html += '<div class="compose-dash-state ' + stateColor + '"><i class="fa ' + stateIcon + '"></i> ' + stateText + '</div>';
@@ -628,6 +644,32 @@ $script = <<<'EOT'
     window.composeToggleStack = toggleStack;
     window.addStackContext = addStackContext;
 
+    // Event delegation for container icon clicks (replaces inline onclick)
+    $(document).on('click', '.compose-dash-ct-icon[data-ct-name]', function(e) {
+        e.stopPropagation();
+        var $el = $(this);
+        addContainerContext(
+            $el.attr('id'),
+            $el.data('ct-name'),
+            $el.data('ct-id'),
+            $el.data('ct-running') === '1' || $el.data('ct-running') === 1,
+            $el.data('ct-webui') || '',
+            $el.data('ct-shell') || '/bin/bash'
+        );
+    });
+
+    // Event delegation for stack icon clicks (replaces inline onclick)
+    $(document).on('click', '.compose-dash-icon[data-stack-folder]', function(e) {
+        e.stopPropagation();
+        var $el = $(this);
+        addStackContext(
+            $el.attr('id'),
+            $el.data('stack-folder'),
+            $el.data('stack-running') === '1' || $el.data('stack-running') === 1,
+            $el.data('stack-webui') || ''
+        );
+    });
+
     // Check if any stacks are visible (for "no stacks" message)
     function noStacks() {
         if ($('#compose_dash_content .compose-dash-stack:visible').length === 0 && $('#compose_dash_content .compose-dash-stack').length > 0) {