From c580a50fd4265cb1818b2d9eaebb6fc4ba542e22 Mon Sep 17 00:00:00 2001
From: claude-bot <claude-bot@tkrmagid.kr>
Date: Wed, 20 May 2026 10:29:06 +0900
Subject: [PATCH] installer: escape agreement tab labels (XSS hardening)

RP installer already escapes k.tab; main installer was injecting it raw.
Add escapeHtml helper and apply to tab id/label so admin-supplied
agreement labels can't break the HTML.
---
 installer/renderer.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/installer/renderer.js b/installer/renderer.js
index 13b2437..d333438 100644
--- a/installer/renderer.js
+++ b/installer/renderer.js
@@ -208,7 +208,7 @@ function renderAgreementWithKinds(KINDS) {
     '<p class="formMessage">' + tt('agreement.intro') + '</p>' +
     '<div class="tabBar" id="agTabs">' +
     KINDS.map(function (k, i) {
-      return '<button type="button" class="tabBtn' + (i === 0 ? ' active' : '') + '" data-ag="' + k.id + '">' + k.tab + '</button>'
+      return '<button type="button" class="tabBtn' + (i === 0 ? ' active' : '') + '" data-ag="' + escapeHtml(k.id) + '">' + escapeHtml(k.tab) + '</button>'
     }).join('') +
     '</div>' +
     '<div class="agreementBody" id="agBody">' + tt('agreement.loading') + '</div>' +
@@ -960,6 +960,12 @@ function renderStep5() {
   })
 }
 
+function escapeHtml(s) {
+  return String(s).replace(/[&<>"']/g, function (c) {
+    return c === '&' ? '&amp;' : c === '<' ? '&lt;' : c === '>' ? '&gt;' : c === '"' ? '&quot;' : '&#39;'
+  })
+}
+
 // 시작 진입점: 사전을 먼저 받아서 정적 텍스트 갱신 후 첫 페이지 렌더.
 ;(async function () {
   try {