From a0e7915cf2b8852f4338f7a004122697d18ca82a Mon Sep 17 00:00:00 2001
From: Scott <9237920-slruesch@users.noreply.gitlab.com>
Date: Sat, 13 Dec 2025 20:32:09 -0600
Subject: [PATCH 1/6] replace unsafe .innerHTML calls in motd.js

---
 app/frontend/static/assets/js/motd.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/app/frontend/static/assets/js/motd.js b/app/frontend/static/assets/js/motd.js
index 8f63e763..74761131 100644
--- a/app/frontend/static/assets/js/motd.js
+++ b/app/frontend/static/assets/js/motd.js
@@ -24,11 +24,11 @@ var styleMap = {
 function obfuscate(string, elem) {
 var magicSpan;
 if (string.indexOf('
') > -1) {
- elem.innerHTML = string;
+ elem.innerText = string;
 elem.childNodes.array.forEach(currNode => {
 if (currNode.nodeType === 3) {
 magicSpan = document.createElement('span');
- magicSpan.innerHTML = currNode.nodeValue;
+ magicSpan.innerText = currNode.nodeValue;
 elem.replaceChild(magicSpan, currNode);
 init(magicSpan);
 }
@@ -43,7 +43,7 @@ function obfuscate(string, elem) {
 obfuscators.push(window.setInterval(function () {
 if (i >= len) i = 0;
 obsStr = replaceRand(obsStr, i);
- el.innerHTML = obsStr;
+ el.innerText = obsStr;
 i++;
 }, 0));
 }
@@ -65,7 +65,7 @@ function applyCode(string, codes) {
 obfuscated = true;
 }
 });
- if (!obfuscated) elem.innerHTML = string;
+ if (!obfuscated) elem.innerText = string;
 return elem;
 }
 function parseStyle(string) {
-- 
GitLab

From dbe847e5a5a446bab9026122835fbe7eab096584 Mon Sep 17 00:00:00 2001
From: Scott <9237920-slruesch@users.noreply.gitlab.com>
Date: Sat, 13 Dec 2025 20:34:03 -0600
Subject: [PATCH 2/6] replace unsafe .innerHTML calls in details_stats.html

---
 app/frontend/templates/panel/parts/details_stats.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/frontend/templates/panel/parts/details_stats.html b/app/frontend/templates/panel/parts/details_stats.html
index aefe871e..9d51c886 100644
--- a/app/frontend/templates/panel/parts/details_stats.html
+++ b/app/frontend/templates/panel/parts/details_stats.html
@@ -200,7 +200,7 @@
 if (server.version) {
 server_version.innerHTML = server.version;
- server_input_motd.innerHTML = server.desc;
+ server_input_motd.innerText = server.desc;
 } else {
 server_version.innerHTML = `{{ translate('serverStats', 'unableToConnect', data['lang']) }}`;
-- 
GitLab

From 18a69515d7c90e502d6faf36eb33c10ce48ac281 Mon Sep 17 00:00:00 2001 
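Review bot: `elem.innerText = string;` on the first changed line renders `string` verbatim, yet the condition on the line above tests it for a line-break marker whose text this page shows as a bare newline — which is how a stripped `<br>` tag would render — so if the marker is `<br>` markup it will now be displayed literally rather than producing a line break (only a real LF character is turned into a `<br>` element by the `innerText` setter). This deserves a check with a multi-line MOTD; if the marker has to stay markup, the safe pattern is to build the children explicitly with `document.createTextNode` per segment and `document.createElement('br')` instead of re-parsing markup. Where plain text is intended, `textContent` is the conventional setter (no newline conversion, no rendering dependence), e.g. `magicSpan.textContent = currNode.nodeValue;` here and likewise for `el.innerText = obsStr;` in the `@@ -43` hunk and `elem.innerText = string;` in the `@@ -65` hunk. The context line `elem.childNodes.array.forEach(...)` reads as a pre-existing error — a `NodeList` has no `array` property — unless the page dropped something; it is the path taken for multi-line MOTDs, so worth confirming. `obfuscate` continues past the end of the hunk.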
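Review bot: `server_version.innerHTML = server.version;` on the context line directly above the changed line still inserts a field of the same `server` object as markup; if `version` comes from the same remote status response as `desc`, it needs the same treatment, `server_version.innerText = server.version;` (or `textContent`). The `else` branch assigning a server-rendered translation through `innerHTML` is a different case and not raised here. The enclosing `if` begins and ends outside the hunk.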
From: Scott <9237920-slruesch@users.noreply.gitlab.com>
Date: Sat, 13 Dec 2025 20:49:50 -0600
Subject: [PATCH 3/6] restructure MOTD building in status.html to prevent injection

---
 app/frontend/templates/public/status.html | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/app/frontend/templates/public/status.html b/app/frontend/templates/public/status.html
index 67f53973..f7e08b8f 100644
--- a/app/frontend/templates/public/status.html
+++ b/app/frontend/templates/public/status.html
@@ -210,12 +210,17 @@
 m_motd = `icon `;
 }
- var desc_motd = `` + server.desc + `
`; - m_motd = m_motd + `
` + server.desc + `
`; + var desc_motd = `` + `{{ translate('serverStats', 'loadingMotd', data['lang']) }}` + `
`; + m_motd = m_motd + `
` + `{{ translate('serverStats', 'loadingMotd', data['lang']) }}` + `
`; motd = `
` + img_motd + `
` + desc_motd + `
`;
 server_motd.innerHTML = motd;
 m_server_motd.innerHTML = m_motd;
+
+ server_input_motd = document.getElementById('input_motd_' + server.id);
+ m_server_input_motd = document.getElementByID('m_input_motd_' + server.id);
+ server_input_motd.innerText = server.desc;
+ m_server_input_motd.innerText = server.desc;
 }
 /* Version */
-- 
GitLab

From 2697082058a5b7e372bc5f66448ecd907676e72e Mon Sep 17 00:00:00 2001
From: Scott <9237920-slruesch@users.noreply.gitlab.com>
Date: Sat, 13 Dec 2025 21:01:29 -0600
Subject: [PATCH 4/6] correct casing typo in status.html

---
 app/frontend/templates/public/status.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/frontend/templates/public/status.html b/app/frontend/templates/public/status.html
index f7e08b8f..1f62f3c9 100644
--- a/app/frontend/templates/public/status.html
+++ b/app/frontend/templates/public/status.html
@@ -218,7 +218,7 @@
 m_server_motd.innerHTML = m_motd;

 server_input_motd = document.getElementById('input_motd_' + server.id);
- m_server_input_motd = document.getElementByID('m_input_motd_' + server.id);
+ m_server_input_motd = document.getElementById('m_input_motd_' + server.id);
 server_input_motd.innerText = server.desc;
 m_server_input_motd.innerText = server.desc;
 }
-- 
GitLab

From 89b7b6ca720fe6bf655fc920231392b89df5a855 Mon Sep 17 00:00:00 2001
From: Scott <9237920-slruesch@users.noreply.gitlab.com>
Date: Sat, 13 Dec 2025 21:10:05 -0600
Subject: [PATCH 5/6] add var keyword to new variables - Sonar finding

---
 app/frontend/templates/public/status.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/frontend/templates/public/status.html b/app/frontend/templates/public/status.html
index 1f62f3c9..ca198b69 100644
--- a/app/frontend/templates/public/status.html
+++ b/app/frontend/templates/public/status.html
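Review bot: The two `getElementById` lookups added at the end of the hunk are dereferenced unconditionally, so a missing `input_motd_<id>` or `m_input_motd_<id>` element throws a TypeError on the `.innerText` assignment; the markup carrying those ids is not visible on this page (it appears to be inside the `desc_motd`/`m_motd` strings assigned to `innerHTML` just above, which makes the lookup order correct but dependent on that markup). A null guard such as `if (server_input_motd) server_input_motd.innerText = server.desc;`, and the same for the mobile element, keeps one server's broken markup from aborting whatever follows in this routine. Writing `server.desc` through `innerText` is the right fix for the injection; `textContent` would additionally avoid the setter's newline-to-`<br>` conversion if multi-line descriptions are expected here. `img_motd`, concatenated into `motd` on the context lines, is built outside the hunk — if it embeds a server-supplied icon value in an attribute, that is the same class of issue and deserves the same review. The enclosing function begins and ends outside the hunk.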
@@ -217,8 +217,8 @@
 server_motd.innerHTML = motd;
 m_server_motd.innerHTML = m_motd;

- server_input_motd = document.getElementById('input_motd_' + server.id);
- m_server_input_motd = document.getElementById('m_input_motd_' + server.id);
+ var server_input_motd = document.getElementById('input_motd_' + server.id);
+ var m_server_input_motd = document.getElementById('m_input_motd_' + server.id);
 server_input_motd.innerText = server.desc;
 m_server_input_motd.innerText = server.desc;
 }
-- 
GitLab

From 20d4b52c15224722ed79450b5e68a3ff186eea89 Mon Sep 17 00:00:00 2001
From: Zedifus 
Date: Sun, 14 Dec 2025 23:26:38 +0000
Subject: [PATCH 6/6] Update changelog !928

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2b096cb3..e8ce6e88 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ TBD
 ### Bug fixes
 - Refactor translation parsing on creation pages ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/925))
 - [`CVE-2025-14700`] Security: Prevent users being able to access unsafe builtin attributes w/ jinja expressions ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/927))
+- [`CVE-2025-14701`] Security: Prevent MOTDs from being able to inject HTML ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/928))
 - Fix functionality of the webhook test button ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/930))
 ### Tweaks
 - Update documentation reference url in API index ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/921))
-- 
GitLab