From 6f7305de899b283262e7c648bc3c8605f6ff42f0 Mon Sep 17 00:00:00 2001
From: umasankar098 <umasankaran1163@gmail.com>
Date: Mon, 9 Feb 2026 20:20:13 +0530
Subject: [PATCH 1/3] RDKB-56582 [Mesh_Disabled][2407] Auto channel selection
 option is missing in GUI (#98)

Signed-off-by: usi096 <umasankar.srinivasan@sky.uk>
Co-authored-by: usi096 <umasankar.srinivasan@sky.uk>
---
 .../Styles/xb3/jst/wireless_network_configuration_edit.jst | 7 +------
 .../Styles/xb6/jst/wireless_network_configuration_edit.jst | 7 +------
 .../jst/wireless_network_configuration_edit_onewifi.jst    | 7 +------
 3 files changed, 3 insertions(+), 18 deletions(-)

diff --git a/source/Styles/xb3/jst/wireless_network_configuration_edit.jst b/source/Styles/xb3/jst/wireless_network_configuration_edit.jst
index 95eea23..c0410a5 100644
--- a/source/Styles/xb3/jst/wireless_network_configuration_edit.jst
+++ b/source/Styles/xb3/jst/wireless_network_configuration_edit.jst
@@ -918,12 +918,7 @@ function setResetInfo(info) {
 		</div>
 		<div class="form-row odd" id="div_channel_switch">
 			<label for="channel_automatic"  id="mocamess4">Channel Selection:</label>
-		<?%
-		$ModelName = getStr("Device.DeviceInfo.ModelName");
-		if(!('2.4'==$radio_band && $ModelName == "SR203")) {
-			echo(' <input type="radio"  name="channel" value="auto" id="channel_automatic" checked="checked"'+' /><b id="wiremess11">Automatic</b>');
-		}
-		?>
+			<input type="radio"  name="channel" value="auto" id="channel_automatic" checked="checked"'+' /><b id="wiremess11">Automatic</b>
 			<label for="channel_manual" class="acs-hide"></label>
 			<input type="radio"  name="channel" value="manual"  id="channel_manual"    <?% if ("false"==$channel_automatic) echo( 'checked="checked"');?> /><b id="wiremess10">Manual</b>
 		</div>
diff --git a/source/Styles/xb6/jst/wireless_network_configuration_edit.jst b/source/Styles/xb6/jst/wireless_network_configuration_edit.jst
index 8fa16f1..a57b84e 100644
--- a/source/Styles/xb6/jst/wireless_network_configuration_edit.jst
+++ b/source/Styles/xb6/jst/wireless_network_configuration_edit.jst
@@ -1119,12 +1119,7 @@ function setResetInfo(info) {
 		</div>
 		<div class="form-row odd" id="div_channel_switch">
 			<label for="channel_automatic"  id="mocamess4">Channel Selection:</label>
-		<?%
-		$ModelName = getStr("Device.DeviceInfo.ModelName");
-		if(!('2.4'==$radio_band && $ModelName == "SR203")) {
-			echo(' <input type="radio"  name="channel" value="auto" id="channel_automatic" checked="checked"'+' /><b id="wiremess11">Automatic</b>');
-		}
-		?>
+			<input type="radio"  name="channel" value="auto" id="channel_automatic" checked="checked"'+' /><b id="wiremess11">Automatic</b>
 			<label for="channel_manual" class="acs-hide"></label>
 			<input type="radio"  name="channel" value="manual"  id="channel_manual"    <?% if ("false"==$channel_automatic) echo( 'checked="checked"');?> /><b id="wiremess10">Manual</b>
 		</div>
diff --git a/source/Styles/xb6/jst/wireless_network_configuration_edit_onewifi.jst b/source/Styles/xb6/jst/wireless_network_configuration_edit_onewifi.jst
index d9a5425..f505bba 100644
--- a/source/Styles/xb6/jst/wireless_network_configuration_edit_onewifi.jst
+++ b/source/Styles/xb6/jst/wireless_network_configuration_edit_onewifi.jst
@@ -1222,12 +1222,7 @@ function setResetInfo(info) {
 		</div>
 		<div class="form-row odd" id="div_channel_switch">
 			<label for="channel_automatic"  id="mocamess4">Channel Selection:</label>
-		<?%
-		$ModelName = getStr("Device.DeviceInfo.ModelName");
-		if(!('2.4'==$radio_band && $ModelName == "SR203")) {
-			echo(' <input type="radio"  name="channel" value="auto" id="channel_automatic" checked="checked"'+' /><b id="wiremess11">Automatic</b>');
-		}
-		?>
+			<input type="radio"  name="channel" value="auto" id="channel_automatic" checked="checked"'+' /><b id="wiremess11">Automatic</b>
 			<label for="channel_manual" class="acs-hide"></label>
 			<input type="radio"  name="channel" value="manual"  id="channel_manual"    <?% if ("false"==$channel_automatic) echo( 'checked="checked"');?> /><b id="wiremess10">Manual</b>
 		</div>

From e3a3440946a129cd8fc784c5a58fe784cb11430e Mon Sep 17 00:00:00 2001
From: Pavan Kumar Reddy B <57708013+pavankumar464@users.noreply.github.com>
Date: Mon, 16 Feb 2026 08:27:58 +0530
Subject: [PATCH 2/3] RDKB-61882: WebUI - HTML Injection in
 wifi_spectrum_analyzer.jst (#101)

Reason for change: WebUI - HTML Injection in wifi_spectrum_analyzer.jst

Test Procedure: Test for HTML Injection in wifi_spectrum_analyzer.jst

Risks:low
Priority: P0
Signed-off-by: pavankumarreddy_balireddy@comcast.com

Signed-off-by: pavankumarreddy_balireddy@comcast.com
---
 .../xb3/jst/actionHandler/ajax_at_saving.jst  | 118 +++++++++++++++++-
 1 file changed, 117 insertions(+), 1 deletion(-)

diff --git a/source/Styles/xb3/jst/actionHandler/ajax_at_saving.jst b/source/Styles/xb3/jst/actionHandler/ajax_at_saving.jst
index bc9fd28..fb90e82 100644
--- a/source/Styles/xb3/jst/actionHandler/ajax_at_saving.jst
+++ b/source/Styles/xb3/jst/actionHandler/ajax_at_saving.jst
@@ -21,6 +21,122 @@ if ($_SESSION["loginuser"] == "" || $_SESSION["loginuser"] == false || $_SESSION
 	echo( '<script type="text/javascript">alert("Please Login First!"); location.href="../index.jst";</script>');
 	exit(0);
 }
+
+function sanitize_html(input) {
+  // keepAttrs:       true  -> keep attributes for allowed tags (default)
+  // stripDangerous:  true -> remove on* handlers and javascript: urls
+  var KEEP_ATTRS      = true;
+  var STRIP_DANGEROUS = true;
+
+  var ALLOWED_TAGS = ["H2", "DIV", "TABLE", "TBODY", "TR", "TH", "TD"];
+
+  function isAllowed(tagName) {
+    for (var i = 0; i < ALLOWED_TAGS.length; i++) {
+      if (tagName === ALLOWED_TAGS[i]) return true;
+    }
+    return false;
+  }
+
+  // Optional lightweight attribute filter (only used if STRIP_DANGEROUS = true)
+  function filterAttributes(attrText) {
+    // Parse attributes in a conservative way: name[=value]
+    // Keeps spacing as minimal as possible when reconstructing.
+    var out = [];
+    var re = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
+    var m;
+    while ((m = re.exec(attrText)) !== null) {
+      var name = (m[1] || '').toLowerCase();
+      var val  = (m[2] != null) ? m[2] : (m[3] != null ? m[3] : (m[4] != null ? m[4] : ''));
+
+      // Drop obvious dangerous attributes
+      if (name.indexOf('on') === 0) continue;       // onclick, onload, ...
+      if (name === 'style') continue;               // inline CSS often abused
+
+      // Disallow javascript: and data: in URLish attributes
+      if (name === 'href' || name === 'src' || name === 'xlink:href') {
+        var v = String(val).replace(/^\s+|\s+$/g, '').toLowerCase();
+        if (!v || v.indexOf('javascript:') === 0 || v.indexOf('data:') === 0) continue;
+      }
+
+      // Reconstruct attribute (quote with double-quotes)
+      if (val === '') out.push(name);
+      else out.push(name + '="' + val.replace(/"/g, '&quot;') + '"');
+    }
+    return out.length ? ' ' + out.join(' ') : '';
+  }
+
+  var result = "";
+  var i = 0;
+  var lowerInput = input.toLowerCase();
+
+  while (i < input.length) {
+    if (input[i] === '<') {
+      var start = i;
+      var end = input.indexOf('>', start);
+      if (end === -1) { 
+        // no closing '>' — append the rest and stop
+        result += input.slice(i);
+        break;
+      }
+
+      // Raw tag content between '<' and '>'
+      var raw = input.substring(start + 1, end);
+      var tagContent = raw.replace(/^\s+|\s+$/g, '');
+      var isClosing = tagContent.charAt(0) === '/';
+
+      // Separate tag name and attributes (for opening tags)
+      var namePart = isClosing ? tagContent.slice(1) : tagContent;
+      var spaceIdx = namePart.indexOf(' ');
+      var tagName = (spaceIdx === -1 ? namePart : namePart.slice(0, spaceIdx)).toUpperCase();
+      var attrsPart = (spaceIdx === -1 || isClosing) ? '' : namePart.slice(spaceIdx);
+
+      // Detect self-closing "/>" (rare for your table tags but harmless to support)
+      var selfClosing = /\/\s*$/.test(tagContent) && !isClosing;
+
+      if (isAllowed(tagName)) {
+        var tn = tagName.toLowerCase();
+        if (isClosing) {
+          result += "</" + tn + ">";
+        } else {
+          var attrsOut = '';
+          if (KEEP_ATTRS) {
+            attrsOut = STRIP_DANGEROUS ? filterAttributes(attrsPart) : (attrsPart || '');
+          }
+          // Normalize: ensure a leading space before attributes when present and not already spaced
+          if (attrsOut && !STRIP_DANGEROUS) {
+            // If original attrsPart doesn't start with space, add one
+            if (!/^\s/.test(attrsOut)) attrsOut = ' ' + attrsOut;
+          }
+          result += "<" + tn + (attrsOut || '') + (selfClosing ? "/>" : ">");
+        }
+        i = end + 1;
+        continue;
+      }
+
+      // Not allowed tag
+      if (!isClosing) {
+        // Strip the entire element including its content until the matching closing tag
+        // (simple depth-1 removal; good enough for this whitelist)
+        var closing = "</" + tagName.toLowerCase() + ">";
+        var nextClosing = lowerInput.indexOf(closing, end);
+        if (nextClosing !== -1) {
+          i = nextClosing + closing.length;
+          continue;
+        }
+      }
+
+      // For disallowed closing tags or unmatched structures, just skip the tag itself
+      i = end + 1;
+    } else {
+      result += input[i++];
+    }
+  }
+
+  return result;
+}
+
+$configInfo = sanitize_html($_POST['configInfo']);
+
 $myfile = fopen("/var/tmp/Wifi_Spectrum_Analyzer_Table.html", "w");
 fwrite($myfile, "<style>table th tr {}</style>");
 fwrite($myfile, "<style>");
@@ -29,7 +145,7 @@ fwrite($myfile, "table { border-collapse: collapse; clear: both; width: 100%; ba
 fwrite($myfile, "th { background: #39baf1; color: #fff; }");
 fwrite($myfile, "td { border: 1px solid white; }");
 fwrite($myfile, "</style>");
-fwrite($myfile, $_POST['configInfo']);
+fwrite($myfile, $configInfo);
 fclose($myfile);
 echo( htmlspecialchars(json_encode({"status": "success"}), ENT_NOQUOTES, 'UTF-8'));
 ?>

From 3c299cb7f6d15d50e22c35aadceea08b8800a4f8 Mon Sep 17 00:00:00 2001
From: Nithishkumar-T <109725053+Nithishkumar-T@users.noreply.github.com>
Date: Wed, 18 Feb 2026 11:59:00 +0530
Subject: [PATCH 3/3] Add changelog for release 2.2.0

---
 CHANGELOG.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 13ee5af..d928dd5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,10 +4,19 @@ All notable changes to this project will be documented in this file. Dates are d
 
 Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
 
+#### [2.2.0](https://github.com/rdkcentral/webui/compare/2.1.0...2.2.0)
+
+- RDKB-61882: WebUI - HTML Injection in wifi_spectrum_analyzer.jst [`#101`](https://github.com/rdkcentral/webui/pull/101)
+- RDKB-56582 [Mesh_Disabled][2407] Auto channel selection option is missing in GUI [`#98`](https://github.com/rdkcentral/webui/pull/98)
+- Merge tag '2.1.0' into develop [`e922576`](https://github.com/rdkcentral/webui/commit/e922576f72ecb5c977d0f467fa96a521fafb4e10)
+
 #### [2.1.0](https://github.com/rdkcentral/webui/compare/2.0.1...2.1.0)
 
+> 4 February 2026
+
 - RDKB-62953: Primary channel ID is incorrect in GUI for OFDM [`#97`](https://github.com/rdkcentral/webui/pull/97)
 - XER10-2533 : Observed duplicates of login message in admin page [`#96`](https://github.com/rdkcentral/webui/pull/96)
+- Add changelog for release 2.1.0 [`7b6e5fc`](https://github.com/rdkcentral/webui/commit/7b6e5fcd285b28112deb3480f26209fbd2ae90bf)
 - Merge tag '2.0.1' into develop [`05ddeee`](https://github.com/rdkcentral/webui/commit/05ddeee491c1657175ebcba152bf4ab8734dd9ea)
 
 #### [2.0.1](https://github.com/rdkcentral/webui/compare/2.0.0...2.0.1)