malla: Stored XSS via Meshtastic node names in multiple frontend pages
Node names (long_name, short_name) received via MQTT are stored in SQLite without sanitization and rendered into the DOM without escaping. Any participant on a public Meshtastic MQTT broker can set a malicious node name that executes JavaScript in the browser of every Malla dashboard visitor. Affected files: src/malla/templates/traceroute_graph.html (line ~832) src/malla/templates/map.html (lines ~945, 1078) src/malla/templates/packet_detail.html (lines ~1402, 1452) src/malla/static/js/relay_node_analysis.js (line ~124) Steps to reproduce Publish a Meshtastic NODEINFO_APP packet to …