Priority: P3 · Review finding: #19
static/js/home.js / review.js build handlers as onclick="_fn('${escAttr(x)}')". escAttr turns ' into ', but the HTML parser decodes that back to ' before the JS engine parses the attribute — so a single quote in a module/template/profile name breaks the handler (and is theoretically injectable). Module names come from directory names, so it's reachable.
Fix: move to event delegation with data-* attributes (one listener per list container). Fixes the escaping class-wide and removes a lot of string-building. Requires a screenshot-baseline check since markup changes.
Priority: P3 · Review finding: #19
static/js/home.js/review.jsbuild handlers asonclick="_fn('${escAttr(x)}')".escAttrturns'into', but the HTML parser decodes that back to'before the JS engine parses the attribute — so a single quote in a module/template/profile name breaks the handler (and is theoretically injectable). Module names come from directory names, so it's reachable.Fix: move to event delegation with
data-*attributes (one listener per list container). Fixes the escaping class-wide and removes a lot of string-building. Requires a screenshot-baseline check since markup changes.