fix(security): replace innerHTML with safe DOM APIs, add destroy() cleanup
Replace innerHTML assignments in app-tabs.js and app-password-toggle.js with createElement/appendChild to prevent potential XSS vectors. Add destroy() methods to app-tabs, app-filter-drawer, and app-toggle-aside-panels so document/window-level listeners can be properly removed when components are torn down. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -34,7 +34,10 @@ export function initPasswordToggles() {
|
||||
toggle.type = 'button';
|
||||
toggle.className = 'login-password-toggle';
|
||||
toggle.setAttribute('aria-label', showLabel);
|
||||
toggle.innerHTML = '<i class="bi bi-eye" aria-hidden="true"></i>';
|
||||
const icon = document.createElement('i');
|
||||
icon.className = 'bi bi-eye';
|
||||
icon.setAttribute('aria-hidden', 'true');
|
||||
toggle.appendChild(icon);
|
||||
|
||||
input.replaceWith(wrapper);
|
||||
wrapper.appendChild(input);
|
||||
@@ -46,9 +49,7 @@ export function initPasswordToggles() {
|
||||
toggle.addEventListener('click', () => {
|
||||
const isPassword = input.type === 'password';
|
||||
input.type = isPassword ? 'text' : 'password';
|
||||
toggle.innerHTML = isPassword
|
||||
? '<i class="bi bi-eye-slash" aria-hidden="true"></i>'
|
||||
: '<i class="bi bi-eye" aria-hidden="true"></i>';
|
||||
icon.className = isPassword ? 'bi bi-eye-slash' : 'bi bi-eye';
|
||||
toggle.setAttribute('aria-label', isPassword ? hideLabel : showLabel);
|
||||
input.focus();
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user