chore(release): set APP_VERSION to v1.9.9 [skip ci]

CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## Changes 11/16/2025 (v1.9.9)
+
+release(v1.9.9): fix(branding): sanitize custom logo URL preview
+
+- Sanitize branding.customLogoUrl on the server before writing siteConfig.json
+- Allow only http/https or site-relative paths; strip invalid/sneaky values
+- Update adminPanel.js live logo preview to set img src/alt safely
+- Addresses CodeQL XSS warning while keeping Pro branding logo overrides working
+
+---
+
 ## Changes 11/16/2025 (v1.9.8)
 
 release(v1.9.8): feat(pro): wire core to Pro licensing + branding hooks

public/js/adminPanel.js

@@ -85,7 +85,15 @@ function updateHeaderLogoFromAdmin() {
       url = '/' + url;
     }
 
-    if (url) {
+    // ---- Sanitize URL (mirror AdminModel::sanitizeLogoUrl) ----
+    const isHttp = /^https?:\/\//i.test(url);
+    const isSiteRelative = url.startsWith('/') && !url.includes('://');
+
+    // Strip any CR/LF just in case
+    url = url.replace(/[\r\n]+/g, '');
+
+    if (url && (isHttp || isSiteRelative)) {
+      // safe enough for <img src="...">
       logoImg.setAttribute('src', url);
       logoImg.setAttribute('alt', 'Site logo');
     } else {

public/js/version.js

@@ -1,2 +1,2 @@
 // generated by CI
-window.APP_VERSION = 'v1.9.8';
+window.APP_VERSION = 'v1.9.9';