Potential fix for code scanning alert no. 11: DOM text reinterpreted as HTML

[luni]

Potential fix for https://github.com/luni/dccbot/security/code-scanning/11

Use safe DOM APIs instead of composing HTML strings with untrusted content. Specifically in userscript/add-dccbot-btn.js at the h4.onclick handler (around line 811), replace:

• msg.innerHTML = '<textarea ...>' + all_results.join('\n') + '</textarea>';

with code that:

1. Clears existing content safely (msg.textContent = ''),
2. Creates a <textarea> node via document.createElement('textarea'),
3. Sets attributes/properties (style.width, rows),
4. Assigns joined results to textarea.value (or textContent),
5. Appends the textarea to msg.

This preserves functionality (showing batch lines in a textarea) while removing HTML parsing of tainted data.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Summary by CodeRabbit

Refactor

• Enhanced the internal implementation of search results display to improve code quality and stability.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 38d5b82a-0257-4d39-b207-4a65f72b2909

📥 Commits

Reviewing files that changed from the base of the PR and between e3a6e4d and b5bad14.

📒 Files selected for processing (1)

• userscript/add-dccbot-btn.js

---

📝 Walkthrough

Walkthrough

The click handler displaying accumulated search results for xdcc.eu is refactored to construct the textarea element using DOM APIs instead of HTML string injection, improving code safety and clarity.

Changes

Cohort / File(s)	Summary
Userscript Textarea Construction userscript/add-dccbot-btn.js	Replaces innerHTML-based textarea creation with explicit DOM API calls: container is cleared, a textarea element is created, styling properties are assigned, content is set via the value property, and the element is appended to the container.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A rabbit knows the safest way,
To build a textarea, DOM's display—
No HTML strings left astray,
Just elements, clean and proper, hooray!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately reflects the main change: replacing HTML string injection with DOM API construction to fix a code scanning alert about DOM text reinterpreted as HTML.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch alert-autofix-11

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!