fix(security): replace innerHTML with safe DOM APIs, add destroy() cleanup

Replace innerHTML assignments in app-tabs.js and app-password-toggle.js
with createElement/appendChild to prevent potential XSS vectors. Add
destroy() methods to app-tabs, app-filter-drawer, and
app-toggle-aside-panels so document/window-level listeners can be
properly removed when components are torn down.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-13 22:35:01 +01:00
parent 2b915f5a43
commit 35a36f1144
4 changed files with 59 additions and 26 deletions

View File

@@ -34,7 +34,10 @@ export function initPasswordToggles() {
toggle.type = 'button';
toggle.className = 'login-password-toggle';
toggle.setAttribute('aria-label', showLabel);
toggle.innerHTML = '<i class="bi bi-eye" aria-hidden="true"></i>';
const icon = document.createElement('i');
icon.className = 'bi bi-eye';
icon.setAttribute('aria-hidden', 'true');
toggle.appendChild(icon);
input.replaceWith(wrapper);
wrapper.appendChild(input);
@@ -46,9 +49,7 @@ export function initPasswordToggles() {
toggle.addEventListener('click', () => {
const isPassword = input.type === 'password';
input.type = isPassword ? 'text' : 'password';
toggle.innerHTML = isPassword
? '<i class="bi bi-eye-slash" aria-hidden="true"></i>'
: '<i class="bi bi-eye" aria-hidden="true"></i>';
icon.className = isPassword ? 'bi bi-eye-slash' : 'bi bi-eye';
toggle.setAttribute('aria-label', isPassword ? hideLabel : showLabel);
input.focus();
});