stats: replace innerHTML with DOM API in loadPackages()#1645
Open
doromajin wants to merge 1 commit into
Package names displayed in the Top Packages table are fetched from
/api/v1/top-packages and inserted into the DOM via an innerHTML
template-literal assignment:
tbody.innerHTML = data.packages.map(p =>
    `<tr><td>${p.name}</td><td>${p.count}</td></tr>`
).join("");
innerHTML parses its argument as HTML, so any data containing '<', '>'
or '"' would be interpreted as markup. The current server-side validation
(STRING_PATTERN = r"^[\w.,-]*$" in BuildRequest) excludes those characters,
making the page safe in practice. The pattern is nevertheless fragile: a
future change to package-name rules, a direct Redis write, or a migration
script could introduce HTML-unsafe values without any visible change in
stats.html.
Replace the assignment with insertRow() / insertCell() / textContent, which
treats all values as plain text regardless of content:
tbody.replaceChildren();
for (const { name, count } of data.packages) {
    const tr = tbody.insertRow();
    tr.insertCell().textContent = name;
    tr.insertCell().textContent = count;
}
No functional change; rendered output is identical.
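The following is an added example, not code from the pull request or the project: it puts the old innerHTML rendering and the new DOM-API rendering side by side on the same input so the "identical output for valid names, safe output for anything else" claim can be checked outside a browser. `FakeTbody`, `serialize`, and the sample package lists are constructed stand-ins for this demo; `STRING_PATTERN` mirrors the BuildRequest regex quoted above.

```javascript
// Minimal stand-in for an HTMLTableSectionElement (constructed for this demo):
// only the three members the PR's loop relies on are implemented.
class FakeCell {
  constructor() { this._text = ""; }
  // Real DOM coerces assigned values to string; mirror that here.
  set textContent(v) { this._text = String(v); }
  get textContent() { return this._text; }
}
class FakeRow {
  constructor() { this.cells = []; }
  insertCell() { const c = new FakeCell(); this.cells.push(c); return c; }
}
class FakeTbody {
  constructor() { this.rows = []; }
  replaceChildren() { this.rows = []; }
  insertRow() { const r = new FakeRow(); this.rows.push(r); return r; }
}

// What the old loadPackages() handed to tbody.innerHTML: values are interpolated
// into markup unescaped, so the browser parses them as HTML.
function renderViaInnerHTML(packages) {
  return packages
    .map(p => `<tr><td>${p.name}</td><td>${p.count}</td></tr>`)
    .join("");
}

// The PR's replacement: each value is assigned through textContent and is never parsed.
function renderViaDom(tbody, packages) {
  tbody.replaceChildren();
  for (const { name, count } of packages) {
    const tr = tbody.insertRow();
    tr.insertCell().textContent = name;
    tr.insertCell().textContent = count;
  }
  return tbody;
}

// Serialize the fake tbody the way a browser exposes a DOM-built table through
// innerHTML: text nodes are escaped on the way out, so '<' and '>' survive only as text.
function escapeText(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function serialize(tbody) {
  return tbody.rows
    .map(r => `<tr>${r.cells.map(c => `<td>${escapeText(c.textContent)}</td>`).join("")}</tr>`)
    .join("");
}

// Same character class as STRING_PATTERN in BuildRequest, written as a JS regex.
const STRING_PATTERN = /^[\w.,-]*$/;
```

For names that pass `STRING_PATTERN` both paths yield the same markup; for a name containing markup characters the DOM path keeps them as literal text, which is the guarantee the PR is after.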