kimi/Timmy-time-dashboard
Archived
1
0
Fork 0
forked from Rockachopa/Timmy-time-dashboard
Code Pull Requests Activity

Security: XSS Prevention in Mission Control Dashboard (#117)

Browse Source 
* security: prevent XSS in mission control dashboard by using textContent and DOM manipulation instead of innerHTML

* docs: document XSS prevention decision in DECISIONS.md
This commit is contained in:
Alexander Whitestone
2026-03-02 07:31:27 -05:00
committed by GitHub
parent f7c574e0b2
commit 785440ac31
2 changed files with 51 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
DECISIONS.md
View File

@@ -32,6 +32,18 @@ This file documents major architectural decisions and their rationale.
---
## Decision: XSS Prevention in Mission Control Dashboard
**Date:** 2026-03-02
**Context:** The Mission Control dashboard was using `innerHTML` to render dependency details and recommendations from the `/health/sovereignty` endpoint. While these sources are currently internal, using `innerHTML` with dynamic data is a security risk and violates the "Non-Negotiable Rules" in `AGENTS.md`.
**Decision:** Refactored the JavaScript in `mission_control.html` to use `document.createElement` and `textContent` for all dynamic data rendering.
**Rationale:** This approach provides built-in XSS protection by ensuring that any data from the API is treated as plain text rather than HTML, fulfilling the security requirements of the project.
---
## Add New Decisions Above This Line
When making significant architectural choices, document: