mirror of
https://github.com/affaan-m/everything-claude-code.git
synced 2026-06-19 19:30:29 +08:00
a03d63cba0
The interactive claim/move buttons concatenated work-item ids into inline onclick JS with only single-quote escaping — a crafted id (ids/titles come from GitHub sync and manual upserts, not a strict allowlist) could break out and inject script, even on the localhost-only server. Fix: emit the id/lane in HTML-escaped data-* attributes (escapeHtml encodes &<>"'), attach delegated click listeners that read them via getAttribute, and pass the raw value as a JS string arg — never concatenated into code. Adds a regression assertion that no inline onclick handlers with interpolated ids remain. Flagged by automated security review. Full suite 2845/2845; lint green.