Skip to content

Commit 9f39373

Browse files
doromajinaparcar
authored andcommitted
stats: replace innerHTML with DOM API in loadPackages()
Package names displayed in the Top Packages table are fetched from /api/v1/top-packages and inserted into the DOM via an innerHTML template-literal assignment: tbody.innerHTML = data.packages.map(p => `<tr><td>${p.name}</td><td>${p.count}</td></tr>` ).join(""); innerHTML parses its argument as HTML, so any data containing '<', '>' or '"' would be interpreted as markup. The current server-side validation (STRING_PATTERN = r"^[\w.,-]*$" in BuildRequest) excludes those characters, making the page safe in practice. The pattern is nevertheless fragile: a future change to package-name rules, a direct Redis write, or a migration script could introduce HTML-unsafe values without any visible change in stats.html. Replace the assignment with insertRow() / insertCell() / textContent, which treats all values as plain text regardless of content: tbody.replaceChildren(); for (const { name, count } of data.packages) { const tr = tbody.insertRow(); tr.insertCell().textContent = name; tr.insertCell().textContent = count; } No functional change; rendered output is identical.
1 parent 6d73e93 commit 9f39373

1 file changed

Lines changed: 6 additions & 3 deletions

File tree

asu/templates/stats.html

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -105,9 +105,12 @@ <h2>Top Packages (last 30 days)
105105
const response = await fetch(url);
106106
const data = await response.json();
107107
const tbody = document.querySelector("#packagesTable tbody");
108-
tbody.innerHTML = data.packages.map(p =>
109-
`<tr><td>${p.name}</td><td>${p.count}</td></tr>`
110-
).join("");
108+
tbody.replaceChildren();
109+
for (const { name, count } of data.packages) {
110+
const tr = tbody.insertRow();
111+
tr.insertCell().textContent = name;
112+
tr.insertCell().textContent = count;
113+
}
111114
}
112115

113116
loadPackages();

0 commit comments

Comments
 (0)