From 80cdaeeec4515676cfc6471f3d113dd1d84e978e Mon Sep 17 00:00:00 2001
From: bergeouss
Date: Sat, 25 Apr 2026 17:55:01 +0000
Subject: [PATCH] fix: sanitize error message in checkUpdatesNow to avoid exposing paths

Review feedback: strip filesystem paths from error messages and cap length to prevent internal details leaking into the UI.
---
 static/panels.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/static/panels.js b/static/panels.js
index 2600b702..370576b2 100644
--- a/static/panels.js
+++ b/static/panels.js
@@ -2535,7 +2535,9 @@ async function checkUpdatesNow(){
 }
 }
 } catch(e){
- if(status){status.textContent=t('failed_colon')+e.message;status.style.color='var(--error)';}
+ // Sanitize error — avoid exposing internal paths/stack traces
+ const errMsg=(e&&e.message)?e.message.replace(/\/[^\s]*/g,'[path]').substring(0,120):t('settings_up_to_date');
+ if(status){status.textContent=t('failed_colon')+errMsg;status.style.color='var(--error)';}
 } finally {
 btn.disabled=false;
 if(spinner) spinner.style.display='none';
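Review bot: The fallback on the `errMsg` line is `t('settings_up_to_date')`, so an exception without a message would show the failure prefix followed by what, judging by the key name, is the success text; an empty string or a generic-error key would be safer there. The redaction regex `/\/[^\s]*/g` only covers forward-slash paths, so a Windows-style path such as `C:\dir\file` passes through unredacted, and a path containing spaces is cut only up to the first space; `e.message.replace(/(?:[A-Za-z]:)?[\\/][^\s]*/g,'[path]')` would at least cover both separators. If `e.message` is built from a server response (the `try` body lies outside this hunk), the redaction only hides the detail in the UI while the raw text stays visible in the network response, so the endpoint should return a generic error as well.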