security: fix vulnerabilities and harden code (2026-03-12)

Path traversal fixes:
- DeleteFile.js: use path.resolve() + symlink protection (CRITICAL)
- DeleteFileFolder.js: add path.resolve() validation + symlink check (CRITICAL)
- RenameFile.js: use path.resolve() with proper prefix check + symlink guard (HIGH)
- attachments.js: add baseDir validation + skip symlinks in recursive search (MEDIUM)

XSS fixes:
- dashboard.js: escape user input in onerror/onclick inline attributes (HIGH)
- paramadminsettingsetup.script.js: escape values in innerHTML template (MEDIUM)

Input validation:
- inputValidationMiddleware.js: block suspicious requests instead of logging only (MEDIUM)

Version bump: 1.2.2-beta → 1.2.3-beta

routes/Dpanel/API/DeleteFileFolder.js

@@ -26,8 +26,25 @@ router.post('/:folderName', authMiddleware, (req, res) => {
     const userId = req.userData.name;
     const { filename } = req.body;
 
-    const userFolderPath = path.join('cdn-files', userId || '');
-const filePath = path.join(userFolderPath, req.params.folderName, filename || '');
+    if (!userId || !filename) {
+        return res.status(400).json({ error: 'Paramètres manquants.' });
+    }
+
+    const userFolderPath = path.resolve('cdn-files', userId);
+    const filePath = path.resolve(userFolderPath, req.params.folderName, filename);
+
+    if (!filePath.startsWith(userFolderPath + path.sep)) {
+        return res.status(403).json({ error: 'Accès non autorisé.' });
+    }
+
+    try {
+        const stat = fs.lstatSync(filePath);
+        if (stat.isSymbolicLink()) {
+            return res.status(403).json({ error: 'Accès non autorisé.' });
+        }
+    } catch (e) {
+        return res.status(404).json({ error: 'Le fichier spécifié n\'existe pas.' });
+    }
 
     if (!fs.existsSync(filePath)) {
         return res.status(404).json({ error: 'Le fichier spécifié n\'existe pas.' });