Browse Source
lineDataToElements() was building a span via innerHTML with an unsanitized line.value template literal — an XSS vector if lineData ever receives user-supplied content. Replaced with createElement + setAttribute + textContent, which cannot execute injected markup regardless of input. Remaining innerHTML usages (container clears and static label strings) are safe and unchanged. Some code in this commit was written with assistance from Claude Sonnet 4.6 (AI).pull/15381/head
1 changed files with 12 additions and 4 deletions
Loading…
Reference in new issue