fix(security): replace innerHTML with safe DOM APIs, add destroy() cleanup
Replace innerHTML assignments in app-tabs.js and app-password-toggle.js with createElement/appendChild to prevent potential XSS vectors. Add destroy() methods to app-tabs, app-filter-drawer, and app-toggle-aside-panels so document/window-level listeners can be properly removed when components are torn down. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -202,7 +202,7 @@ export function initAsidePanels(options = {}) {
|
||||
});
|
||||
});
|
||||
|
||||
document.addEventListener('keydown', (event) => {
|
||||
const onKeyDown = (event) => {
|
||||
if (!(event.metaKey || event.ctrlKey)) {return;}
|
||||
if (event.altKey) {return;}
|
||||
if (isEditableTarget(event.target)) {return;}
|
||||
@@ -212,8 +212,14 @@ export function initAsidePanels(options = {}) {
|
||||
if (index < 0 || index >= shortcutItems.length) {return;}
|
||||
event.preventDefault();
|
||||
shortcutItems[index].click();
|
||||
});
|
||||
};
|
||||
document.addEventListener('keydown', onKeyDown);
|
||||
|
||||
const destroy = () => {
|
||||
document.removeEventListener('keydown', onKeyDown);
|
||||
};
|
||||
|
||||
return { setActive, destroy };
|
||||
}
|
||||
|
||||
if (document.readyState === 'loading') {
|
||||
|
||||
Reference in New Issue
Block a user