From b7f861f6835e8e66a344904ded84e43b6b6184ce Mon Sep 17 00:00:00 2001
From: Your Name
Date: Tue, 2 Jun 2026 16:31:52 +0530
Subject: [PATCH] security: implement advanced sanitization for XSS prevention

---
 js/cart-manager.js | 5 +++--
 js/main.js         | 8 ++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/js/cart-manager.js b/js/cart-manager.js
index 3520d5b..9828c0e 100644
--- a/js/cart-manager.js
+++ b/js/cart-manager.js
@@ -67,9 +67,10 @@ class CartManager {
   // NORMALIZE ITEM (CRITICAL FIX)
   // =====================
   normalize(item) {
+    const safeName = typeof sanitizeInput !== "undefined" ? sanitizeInput(item.name, 100) : item.name;
     return {
-      id: item.id || item.name + "-" + item.price,
-      name: item.name,
+      id: item.id || safeName + "-" + item.price,
+      name: safeName,
       price: Number(item.price),
 
       // ✅ SAFE IMAGE FIX (does NOT affect menu)
diff --git a/js/main.js b/js/main.js
index 0db96c1..6626c7e 100644
--- a/js/main.js
+++ b/js/main.js
@@ -272,7 +272,11 @@ function fuzzyMatch(target, query) {
 function highlightText(text, query) {
   if (!text) return "";
-  if (!query) return text;
+
+  // Always wrap text to be safe
+  const safeText = typeof escapeHTML !== "undefined" ? escapeHTML(text) : text;
+
+  if (!query) return safeText;
 
   const escapedQuery = query.replace(
     /[-\/\\^$*+?.()|[\]{}]/g,
@@ -280,7 +284,7 @@ function highlightText(text, query) {
   );
 
   const regex = new RegExp(`(${escapedQuery})`, "gi");
-  return text.replace(regex, "$1");
+  return safeText.replace(regex, "$1");
 }
 
 // ===== Render Functions =====
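Review bot: The `typeof sanitizeInput !== "undefined"` fallback on the added `safeName` line fails open: when the helper is not loaded (script order, a missing include) `normalize` silently stores the raw name, and because `id` is now derived from `safeName` the same item can receive a different id depending on whether the sanitizer happened to be present, which can duplicate or orphan cart entries across page loads. I would fail closed and keep the id independent of the sanitizer, e.g. `if (typeof sanitizeInput !== "function") throw new Error("CartManager.normalize: sanitizeInput is not loaded");` together with `id: item.id || item.name + "-" + item.price`, escaping the id at the point where it is rendered if it ever is. The second argument `100` to `sanitizeInput` is undocumented here; if it is a maximum length (confirm against the helper), a truncated name also makes ids collide for names sharing their first 100 characters, which is another reason not to build the id from the sanitized value. The `normalize` method continues past the end of the hunk.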
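Review bot: Escaping `text` first and then running the query regex over the escaped string lets the highlight markup land inside an entity that `escapeHTML` produced: a query such as `amp` or `lt` matches the text of `&amp;`/`&lt;` and the `$1` replacement splits the entity, while a query containing `&` or `<` no longer matches at all; the same applies to the `safeText.replace` line in the second main.js hunk. The safer shape is to split the raw text on the capturing regex, escape every piece, and wrap only the odd-indexed (matched) pieces, as sketched below. The `typeof escapeHTML !== "undefined"` fallback also fails open, handing unescaped text to whatever the caller inserts when the helper is not loaded, so I would throw instead. On this page the replacement string reads `"$1"`, which would make the replace a no-op; presumably the page rendering stripped the highlight markup, and the sketch marks that markup with placeholders. The comment `// Always wrap text to be safe` describes escaping rather than wrapping; `// Escape before the highlight markup is inserted` is more accurate.
```javascript
function highlightText(text, query) {
  if (!text) return "";
  if (typeof escapeHTML !== "function") {
    throw new Error("highlightText: escapeHTML is not loaded");
  }
  if (!query) return escapeHTML(text);

  // … unchanged: escapedQuery construction …
  const regex = new RegExp(`(${escapedQuery})`, "gi");
  // Split the raw text on the capturing regex: odd indices are the matches.
  // Escaping each piece separately keeps the highlight markup outside any
  // entity that escapeHTML produces.
  return text
    .split(regex)
    .map((part, i) =>
      i % 2 === 1
        ? `${HIGHLIGHT_OPEN}${escapeHTML(part)}${HIGHLIGHT_CLOSE}` // placeholders for the markup the "$1" replacement applies
        : escapeHTML(part),
    )
    .join("");
}
```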