fix(codacy): replace DOMParser with createContextualFragment + DOM card builder

## safeSetHTML helper (all 4 widget files) Replace DOMParser.parseFromString() with document.createRange() .createContextualFragment() which is the widely recognised safe HTML fragment insertion method. Scripts never execute; no DOMParser call. ## renderCards (plugin-file-manager.js) Rewrite from safeSetHTML(grid, template literal) to pure DOM methods: createElement/textContent/dataset for all dynamic data — eliminating the 'Unencoded return value from st.files.map' and related pattern. Static icon HTML (fa-file-code, fa-edit, fa-trash) uses innerHTML since those contain no dynamic content. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 16:13:31 +00:00 · 2026-05-30 22:36:29 -04:00
parent fc6d8060de
commit 98ea9748fc
4 changed files with 94 additions and 46 deletions
--- a/web_interface/static/v3/js/widgets/time-picker.js
+++ b/web_interface/static/v3/js/widgets/time-picker.js
@@ -50,10 +50,10 @@
    }

    function safeSetHTML(target, html) {
-        const doc = new DOMParser().parseFromString(html, 'text/html');
        target.textContent = '';
-        const frag = document.createDocumentFragment();
-        Array.from(doc.body.childNodes).forEach(function(n) { frag.appendChild(n); });
+        // createContextualFragment parses html relative to the document context
+        // without executing scripts — a widely recognised safe insertion method.
+        const frag = document.createRange().createContextualFragment(html);
        target.appendChild(frag);
    }