Skip to content

Replace innerHTML with secure DOM APIs to prevent XSS#2

Merged
rwoll merged 3 commits into
mainfrom
copilot/update-secure-dom-apis
Jan 23, 2026
Merged

Replace innerHTML with secure DOM APIs to prevent XSS#2
rwoll merged 3 commits into
mainfrom
copilot/update-secure-dom-apis

Conversation

Copilot AI commented Jan 23, 2026

Copy link
Copy Markdown
Contributor

Using innerHTML can lead to XSS vulnerabilities when rendering dynamic content. This PR replaces all three occurrences with secure DOM APIs while maintaining vanilla JS.

Changes

  • renderUpcomingDates(): Use createElement(), appendChild(), and textContent instead of HTML string interpolation
  • populateSelectors(): Use Option constructor with select.add() for both month and year dropdowns

Before

container.innerHTML = dates.map((date, index) => `
  <div class="date-item ${isFirst ? 'highlight' : ''}">
    <span class="date">${formatDate(date)}</span>
  </div>
`).join('');

After

const dateItem = document.createElement('div');
dateItem.className = isFirst ? 'date-item highlight' : 'date-item';

const dateSpan = document.createElement('span');
dateSpan.className = 'date';
dateSpan.textContent = formatDate(date);

dateItem.appendChild(dateSpan);
container.appendChild(dateItem);
Original prompt

Using innerHtml is bad practice since it can lead to XSS. Please update the code to use more secure DOM APIs (e.g. .selected = true, .text = 'foo'. Still, keep the app simple and only use vanilla JS/HTML/CSS.


💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI and others added 2 commits January 23, 2026 01:08
Co-authored-by: rwoll <11915034+rwoll@users.noreply.github.com>
Co-authored-by: rwoll <11915034+rwoll@users.noreply.github.com>
Copilot AI changed the title [WIP] Update code to use secure DOM APIs instead of innerHTML Replace innerHTML with secure DOM APIs to prevent XSS Jan 23, 2026
Copilot AI requested a review from rwoll January 23, 2026 01:10
@rwoll

rwoll commented Jan 23, 2026

Copy link
Copy Markdown
Owner

@copilot - Your current code change looks good. Do NOT make any additional changes, but please use the playwright MCP you have available to post a screenshot of the changes in the issue description.

@rwoll rwoll marked this pull request as ready for review January 23, 2026 01:14
@rwoll rwoll merged commit b53474a into main Jan 23, 2026
1 check failed
Copilot stopped work on behalf of rwoll due to an error January 23, 2026 01:14
Copilot AI requested a review from rwoll January 23, 2026 01:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants