From 68dd129c0f9db866b2907a41ad8e3d47af53ac12 Mon Sep 17 00:00:00 2001
From: Jonathan Miller
Date: Sun, 28 Jun 2026 13:16:11 -0500
Subject: [PATCH] fix: XSS escaping in menu, SPDX header, orphaned docblock, getDbo()

- htmlspecialchars() on all icon/title output in menu module
- SPDX license header on cache Dispatcher
- Moved orphaned requestNew() docblock to correct location
- Replaced deprecated Factory::getDbo() with DI container pattern

Claude-Session: https://claude.ai/code/session_01Jo2JpjCwfHAh2HHRSjczKq
---
 .../admin/src/Helper/SupportPinHelper.php | 14 +++++++-------
 .../admin/src/View/Dashboard/HtmlView.php | 2 +-
 .../src/Dispatcher/Dispatcher.php | 9 +++++++++
 .../mod_mokosuiteclient_menu/tmpl/default.php | 12 ++++++------
 4 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/source/packages/com_mokosuiteclient/admin/src/Helper/SupportPinHelper.php b/source/packages/com_mokosuiteclient/admin/src/Helper/SupportPinHelper.php
index 8119c97d..73215741 100644
--- a/source/packages/com_mokosuiteclient/admin/src/Helper/SupportPinHelper.php
+++ b/source/packages/com_mokosuiteclient/admin/src/Helper/SupportPinHelper.php
@@ -108,13 +108,6 @@ class SupportPinHelper
 return 'MOKO-' . strtoupper(substr($hash, 0, 4)) . '-' . strtoupper(substr($hash, 4, 4));
 }
- /**
- * Request a new PIN: stamps the current time into plugin params and returns the PIN.
- *
- * @param DatabaseInterface $db Database driver.
- *
- * @return array{success: bool, pin?: string, message: string}
- */
 /**
 * Render PIN badge HTML (active PIN with copy, or request button).
 *
@@ -257,6 +250,13 @@ class SupportPinHelper
 JS;
 }
+ /**
+ * Request a new PIN: stamps the current time into plugin params and returns the PIN.
+ *
+ * @param DatabaseInterface $db Database driver.
+ *
+ * @return array{success: bool, pin?: string, message: string}
+ */
 public static function requestNew(DatabaseInterface $db): array
 {
 $state = self::getState($db);
diff --git a/source/packages/com_mokosuiteclient/admin/src/View/Dashboard/HtmlView.php b/source/packages/com_mokosuiteclient/admin/src/View/Dashboard/HtmlView.php
index 60ce45b3..dae6aef9 100644
--- a/source/packages/com_mokosuiteclient/admin/src/View/Dashboard/HtmlView.php
+++ b/source/packages/com_mokosuiteclient/admin/src/View/Dashboard/HtmlView.php
@@ -46,7 +46,7 @@ class HtmlView extends BaseHtmlView
 // Detect Regular Labs data for import (source table must exist AND our destination table)
 try {
- $rlDb = \Joomla\CMS\Factory::getDbo();
+ $rlDb = \Joomla\CMS\Factory::getContainer()->get(\Joomla\Database\DatabaseInterface::class);
 $rlTables = $rlDb->getTableList();
 $rlPrefix = $rlDb->getPrefix();
 $this->regularLabsAvailable =
diff --git a/source/packages/mod_mokosuiteclient_cache/src/Dispatcher/Dispatcher.php b/source/packages/mod_mokosuiteclient_cache/src/Dispatcher/Dispatcher.php
index 54b1a79b..8ef4f512 100644
--- a/source/packages/mod_mokosuiteclient_cache/src/Dispatcher/Dispatcher.php
+++ b/source/packages/mod_mokosuiteclient_cache/src/Dispatcher/Dispatcher.php
@@ -1,4 +1,13 @@
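Review bot: In the HtmlView.php hunk, the replacement line writes both class names fully qualified inline, which makes the one changed statement hard to scan. If the file does not already import them, adding `use Joomla\CMS\Factory;` and `use Joomla\Database\DatabaseInterface;` lets it read `$rlDb = Factory::getContainer()->get(DatabaseInterface::class);`, matching the short `DatabaseInterface` name that `requestNew()` uses in SupportPinHelper.php in this same patch. The container lookup now sits inside the `try`, and its `catch` is outside the hunk, so a failed service resolution presumably takes the same path as a database error. It is worth confirming that path logs the failure instead of silently reporting the Regular Labs data as unavailable.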
  • - - + +