fix(security): replace innerHTML with safe DOM APIs, add destroy() cleanup

Replace innerHTML assignments in app-tabs.js and app-password-toggle.js
with createElement/appendChild to prevent potential XSS vectors. Add
destroy() methods to app-tabs, app-filter-drawer, and
app-toggle-aside-panels so document/window-level listeners can be
properly removed when components are torn down.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-13 22:35:01 +01:00
parent 2b915f5a43
commit 35a36f1144
4 changed files with 59 additions and 26 deletions

View File

@@ -202,7 +202,7 @@ export function initAsidePanels(options = {}) {
});
});
document.addEventListener('keydown', (event) => {
const onKeyDown = (event) => {
if (!(event.metaKey || event.ctrlKey)) {return;}
if (event.altKey) {return;}
if (isEditableTarget(event.target)) {return;}
@@ -212,8 +212,14 @@ export function initAsidePanels(options = {}) {
if (index < 0 || index >= shortcutItems.length) {return;}
event.preventDefault();
shortcutItems[index].click();
});
};
document.addEventListener('keydown', onKeyDown);
const destroy = () => {
document.removeEventListener('keydown', onKeyDown);
};
return { setActive, destroy };
}
if (document.readyState === 'loading') {