Sourcery review has flagged usage of unsafe DOM APIs in the codebase, specifically at src/scripts/popup.js:768, where user-controlled data is being assigned to this.innerHTML. Patterns like innerHTML, outerHTML, and document.write are considered anti-patterns because they directly inject HTML into the DOM without sanitization, making the application vulnerable to cross-site scripting (XSS) attacks. This issue proposes systematically replacing these patterns with safer alternatives such as textContent, createElement, and appendChild, or using trusted sanitization libraries where HTML rendering is unavoidable. The goal is to eliminate direct HTML injection points, enforce secure coding practices, and ensure that any dynamic content is safely handled. Refactoring should include reviewing all instances across the codebase, adding linting rules to prevent regressions, and validating that functionality remains intact after the changes.
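As an added example that is not part of the issue or the project's code, the following shows the refactor the issue asks for: an `innerHTML` assignment of user-controlled strings (the flagged pattern) next to its replacement built with `createElement`, `textContent` and `appendChild`. The `document` is passed in as a parameter, so the same functions run against the real DOM in the popup or against the minimal constructed stub below, which exists only so the contrast can be executed offline; `renderItems*`, `StubNode` and the sample items are all assumptions of this example.

```javascript
// BEFORE (pattern flagged by the review): any markup inside `items` is parsed as HTML.
function renderItemsUnsafe(container, items) {
  container.innerHTML = items.map((t) => `<li>${t}</li>`).join('');
}

// AFTER: every user-controlled string becomes a text node and is never parsed as markup.
function renderItemsSafe(doc, container, items) {
  const frag = doc.createDocumentFragment();
  for (const text of items) {
    const li = doc.createElement('li');
    li.textContent = text;          // text assignment, no HTML parsing
    frag.appendChild(li);
  }
  container.textContent = '';       // clear old children without touching innerHTML
  container.appendChild(frag);      // one reflow for the whole list
}

// Constructed minimal stand-in for the DOM so the example runs under Node without a browser.
// It mirrors only the behaviour that matters here: innerHTML stores raw markup, textContent
// stores text that is escaped when serialised.
const escapeHtml = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
class StubNode {
  constructor(tag) { this.tag = tag; this.children = []; this.text = ''; this.raw = ''; }
  set innerHTML(v) { this.children = []; this.text = ''; this.raw = String(v); }
  set textContent(v) { this.children = []; this.raw = ''; this.text = String(v); }
  get textContent() { return this.text + this.children.map((c) => c.textContent).join(''); }
  appendChild(c) {
    if (c.tag === '#fragment') { this.children.push(...c.children); c.children = []; }
    else this.children.push(c);
    return c;
  }
  get outerHTML() {
    const inner = this.raw + escapeHtml(this.text) + this.children.map((c) => c.outerHTML).join('');
    return this.tag === '#fragment' ? inner : `<${this.tag}>${inner}</${this.tag}>`;
  }
}
const stubDocument = {
  createElement: (t) => new StubNode(t),
  createDocumentFragment: () => new StubNode('#fragment'),
};

// Renders the same constructed user input both ways and returns the resulting markup.
function demo() {
  const userItems = ['plain label', '<b>not bold</b>'];   // constructed sample input
  const unsafeUl = stubDocument.createElement('ul');
  renderItemsUnsafe(unsafeUl, userItems);
  const safeUl = stubDocument.createElement('ul');
  renderItemsSafe(stubDocument, safeUl, userItems);
  return { unsafe: unsafeUl.outerHTML, safe: safeUl.outerHTML };
}
```

For the regression-prevention linting the issue calls for, Mozilla's `eslint-plugin-no-unsanitized` flags assignments to `innerHTML`/`outerHTML` and calls such as `document.write` as sinks, which matches the patterns named above.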