jmpsec · javuto · Feb 23, 2026 · Feb 23, 2026 · Feb 23, 2026 · Feb 23, 2026
diff --git a/cmd/admin/static/js/query.js b/cmd/admin/static/js/query.js
@@ -117,9 +117,23 @@ function confirmDeleteSavedQueries(_names, _url) {
   $("#confirmModal").modal();
 }
 
-function queryResultLink(link, query, url) {
-  var external_link = '<a href="' + link + '" _target="_blank" rel="noopener noreferrer"><i class="fas fa-external-link-alt"></i></a>';
-  return '<span class="query-link"><a href="' + url + '">' + query + "</a> - " + external_link + "</span> ";
+function escapeHTML(value) {
+  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+
+function safeHref(href) {
+  const s = String(href || "").trim();
+  const lower = s.toLowerCase();
+  // Allow relative URLs (path, hash, or query only)
+  if (s.startsWith("/") || s.startsWith("#") || s.startsWith("?")) {
+    return s;
+  }
+  // Allow only http and https absolute URLs
+  if (lower.startsWith("http://") || lower.startsWith("https://")) {
+    return s;
+  }
+  // Fallback for disallowed or empty URLs
+  return "#";
 }
 
 function toggleSaveQuery() {

diff --git a/cmd/admin/templates/queries.html b/cmd/admin/templates/queries.html
@@ -1,4 +1,4 @@
-<!DOCTYPE html>
+<!doctype html>
 <html lang="en">
   {{ $metadata := .Metadata }} {{ $leftmeta := .LeftMetadata }} {{ template "page-head" . }}
 
@@ -13,9 +13,11 @@
           <div class="animated fadeIn">
             <div class="card mt-2">
               <div class="card-header">
-                <i class="nav-icon fab fa-searchengin"></i> On-demand queries in <b>{{ $leftmeta.EnvName }}</b>
+                <i class="nav-icon fab fa-searchengin"></i>
+                On-demand queries in
+                <b>{{ $leftmeta.EnvName }}</b>
                 <div class="card-header-actions">
-                  <button class="btn btn-sm btn-outline-primary" data-tooltip="true" data-placement="bottom" title="Refresh table" onclick="refreshTableNow('tableQueries');">
+                  <button class="btn btn-sm btn-outline-primary" data-tooltip="true" data-placement="bottom" title="Refresh table" onclick="refreshTableNow('tableQueries')">
                     <i class="fas fa-sync-alt"></i>
                   </button>
                 </div>
@@ -110,13 +112,24 @@
               width: '40%',
               data: 'query',
               render: function (data, type, row, meta) {
-                if (type === 'display') {
-                  return '<div style="max-width:400px; white-space:normal; word-break:break-word;">' +
-                    queryResultLink(data.link, data.query, "/query/{{ $leftmeta.EnvUUID }}/logs/" + data.name) +
-                    '</div>';
-                } else {
-                  return data;
+                if (type !== "display") {
+                  return data && data.query ? data.query : "";
                 }
+                const logUrl = "/query/{{ $leftmeta.EnvUUID }}/logs/" + encodeURIComponent(String(data.name || ""));
+                const wrapper = $("<div>", {
+                  style: "max-width:400px; white-space:normal; word-break:break-word;"
+                });
+                const queryLink = $("<a>", {
+                  href: safeHref(logUrl),
+                  text: String(data.query || "")
+                });
+                const externalLink = $("<a>", {
+                  href: safeHref(data.link),
+                  target: "_blank",
+                  rel: "noopener noreferrer"
+                }).append($("<i>", { class: "fas fa-external-link-alt" }));
+                wrapper.append($("<span>", { class: "query-link" }).append(queryLink).append(" - ").append(externalLink));
+                return wrapper.prop("outerHTML");
               }
             },{
               targets: 2,