Shantanugupta43 left a comment
Hey, great work. Need a few changes and the PR is good to merge.
src/popup/popup.js
| setupEventListeners(); | ||
|
|
||
|
|
||
| async function loadDarkMode() { |
The function is nested inside initialize(). Cut it out and paste it above initialize() as its own function, because no other part of your popup script can reuse it and it becomes harder to debug or extend later.
src/popup/popup.js
There may be an XSS risk: the browser may interpret the text as HTML code. Would be better to make it:
const strong = document.createElement('strong');
strong.textContent = 'Why: ';
derivationEl.appendChild(strong);
derivationEl.appendChild(document.createTextNode(derivation));
src/popup/popup.js
| setupEventListeners(); | ||
|
|
||
|
|
||
| async function loadDarkMode() { |
The function is nested inside initialize(). Cut it out and paste it above initialize() as its own function, because no other part of your popup script can reuse it and it becomes harder to debug or extend later.
…ne top-level async function loadDarkMode() declared before initialize(). The dark mode DOM variable declarations (sign, outer, inner, text) were also moved up alongside it so they're in scope when the function runs.
Fix 2 — XSS-safe derivation rendering: The derivationEl.innerHTML = `<strong>Why:</strong> ${derivation}` line is replaced with explicit DOM construction — createElement('strong') with textContent, then createTextNode(derivation) appended separately — so user-supplied derivation text is never parsed as HTML.
Utkarsh-rwt
left a comment
Fix 1 — loadDarkMode hoisted out of initialize(): It's now a standalone top-level async function loadDarkMode() declared before initialize(). The dark mode DOM variable declarations (sign, outer, inner, text) were also moved up alongside it so they're in scope when the function runs.
Fix 2 — XSS-safe derivation rendering: The derivationEl.innerHTML = `<strong>Why:</strong> ${derivation}` line is replaced with explicit DOM construction — createElement('strong') with textContent, then createTextNode(derivation) appended separately — so user-supplied derivation text is never parsed as HTML.
Fix popup dark mode reset by persisting theme state in chrome.storage.local and restoring it on initialization.
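A check that could run in CI to catch the pattern replaced in Fix 2, as an added example that is not code from this PR: it flags innerHTML, outerHTML and insertAdjacentHTML writes whose value is not a constant string. The function names and `statusEl` are hypothetical, and the line-based regex is a heuristic that does not handle statements spanning several lines.

```javascript
// Added example (not code from this PR): heuristic scan for HTML sinks that
// receive dynamic text, such as the innerHTML template literal replaced in Fix 2.
const SINK = /\.(?:innerHTML|outerHTML)\s*\+?=(?!=)\s*(.+?);?\s*$/;
const INSERT = /\.insertAdjacentHTML\s*\(\s*[^,]+,\s*(.+?)\)\s*;?\s*$/;

// True when the value is one constant string literal with no interpolation.
function isConstantString(rhs) {
  const s = rhs.trim();
  if (/^'(?:[^'\\]|\\.)*'$/.test(s) || /^"(?:[^"\\]|\\.)*"$/.test(s)) return true;
  // Template literal is constant only if it contains no ${...} substitution.
  return /^`(?:[^`\\$]|\\.|\$(?!\{))*`$/.test(s);
}

// Returns [{ line, code }] for every sink write with a non-constant value.
function findUnsafeHtmlSinks(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    const code = line.replace(/^\s*\/\/.*$/, ''); // ignore whole-line comments
    const m = SINK.exec(code) || INSERT.exec(code);
    if (!m) return;
    if (!isConstantString(m[1])) {
      findings.push({ line: i + 1, code: code.trim() });
    }
  });
  return findings;
}

// Constructed sample: the "before" line quoted in this thread, the lines from
// the review suggestion, and a constant assignment (statusEl is hypothetical).
const SAMPLE = [
  "derivationEl.innerHTML = `<strong>Why:</strong> ${derivation}`;",
  "const strong = document.createElement('strong');",
  "strong.textContent = 'Why: ';",
  "derivationEl.appendChild(strong);",
  "derivationEl.appendChild(document.createTextNode(derivation));",
  "statusEl.innerHTML = '<em>Ready</em>';",
].join('\n');

// Only line 1 of the sample is reported.
console.log(findUnsafeHtmlSinks(SAMPLE));
```

Constant markup assigned to innerHTML is not reported; a team that wants to ban the sink outright can drop the `isConstantString` exemption.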