fix: sanitize dynamic innerHTML in templates (#47)

2026-03-14 15:06:31 -04:00
parent bb287b2c73
commit 591954891a
2 changed files with 11 additions and 4 deletions
--- a/src/dashboard/templates/base.html
+++ b/src/dashboard/templates/base.html
@@ -327,7 +327,11 @@
        .then(function(data) {
          var list = document.getElementById('notif-list');
          if (!data.length) {
-            list.innerHTML = '<div class="mc-notif-empty">No recent notifications</div>';
+            list.innerHTML = '';
+            var emptyDiv = document.createElement('div');
+            emptyDiv.className = 'mc-notif-empty';
+            emptyDiv.textContent = 'No recent notifications';
+            list.appendChild(emptyDiv);
            return;
          }
          list.innerHTML = '';
--- a/src/dashboard/templates/partials/agent_panel_chat.html
+++ b/src/dashboard/templates/partials/agent_panel_chat.html
@@ -120,14 +120,17 @@

  function updateFromData(data) {
    if (data.is_working && data.current_task) {
-      statusEl.innerHTML = '<span style="color: #ffaa00;">working...</span>';
+      statusEl.textContent = 'working...';
+      statusEl.style.color = '#ffaa00';
      banner.style.display = 'block';
      taskTitle.textContent = data.current_task.title;
    } else if (data.tasks_ahead > 0) {
-      statusEl.innerHTML = '<span style="color: #888;">queue: ' + data.tasks_ahead + ' ahead</span>';
+      statusEl.textContent = 'queue: ' + data.tasks_ahead + ' ahead';
+      statusEl.style.color = '#888';
      banner.style.display = 'none';
    } else {
-      statusEl.innerHTML = '<span style="color: #00ff88;">ready</span>';
+      statusEl.textContent = 'ready';
+      statusEl.style.color = '#00ff88';
      banner.style.display = 'none';
    }
  }