feat: senior architect quality analysis + XSS fixes + HITL guide

- Add QUALITY_ANALYSIS.md — 10-point architect review covering architecture coherence, completeness (~35-40% vs vision), mobile UX, security, test coverage, code quality, and DX - Fix P0 XSS: mobile.html chat input now uses DOM textContent instead of innerHTML string interpolation with raw user input - Fix P0 XSS: swarm_live.html agent/auction rendering rewritten with safe DOM methods (_t/_el helpers) — no more ${agent.name} in innerHTML - Add M7xx test category (4 new tests) covering XSS prevention assertions; total suite now 232 passing (was 228) - HITL session guide included in analysis with step-by-step phone test instructions and critical scenario priority ordering https://claude.ai/code/session_0183Nzcy7TMqjrAopnTtygds
2026-02-21 18:11:22 +00:00
parent f862ffde93
commit 95555b3738
4 changed files with 420 additions and 39 deletions
--- a/src/dashboard/templates/mobile.html
+++ b/src/dashboard/templates/mobile.html
@@ -159,13 +159,17 @@ async function sendMobileMessage(event) {
    
    const chat = document.getElementById('mobile-chat');
    
-    // Add user message
-    chat.innerHTML += `
-        <div class="chat-message user">
-            <div class="chat-meta">You</div>
-            <div>${message}</div>
-        </div>
-    `;
+    // Add user message — use DOM methods to avoid XSS
+    const userDiv = document.createElement('div');
+    userDiv.className = 'chat-message user';
+    const userMeta = document.createElement('div');
+    userMeta.className = 'chat-meta';
+    userMeta.textContent = 'You';
+    const userText = document.createElement('div');
+    userText.textContent = message;  // textContent escapes HTML
+    userDiv.appendChild(userMeta);
+    userDiv.appendChild(userText);
+    chat.appendChild(userDiv);
    chat.scrollTop = chat.scrollHeight;
    
    input.value = '';