
refactor(web-components): escape innerHTML, add event cleanup, improve ARIA#18

Merged
Killea merged 1 commit into Killea:main from
bertheto:refactor/web-components-quality
Mar 1, 2026

Conversation

@bertheto
Contributor

@bertheto bertheto commented Mar 1, 2026

Summary

Security, memory, and accessibility improvements across all Web Components.

Changes

XSS prevention — escape user-controlled values in innerHTML

acb-filter-row.js

  • status attribute (from HTML) was interpolated raw into data-status and as text content
  • Now escaped via a local escAttr() helper

acb-agent-status-item.js

  • state and offlineDisplay (server-provided) were raw in innerHTML
  • Now escaped via the existing esc() function already used in titles

acb-thread-item.js

  • this._thread.status was interpolated raw into CSS class and text in the badge
  • Now escaped; timeAgo() result also escaped

Memory leak prevention — disconnectedCallback for event cleanup

acb-icon-button.js

  • Added constructor to hold reference to the bound click handler
  • Added disconnectedCallback to removeEventListener when the element is removed from DOM

Accessibility — ARIA roles

acb-thread-item.js

  • Added role='listitem' on each thread item
  • Added aria-current='true/false' reflecting the active thread

acb-thread-context-menu.js

  • Added role='menu' on the menu container
  • Added role='menuitem' on all four action buttons

Tests

  • Vitest unit tests: 18/18 passed
  • Python unit tests (pytest): 54/54 passed

…e ARIA

- acb-filter-row.js: escape status attribute and text content in innerHTML (XSS prevention)
- acb-agent-status-item.js: escape state and offlineDisplay in innerHTML (were raw strings)
- acb-icon-button.js: add constructor + disconnectedCallback to remove click listener on teardown
- acb-thread-item.js: add role=listitem and aria-current for active state; escape status badge
- acb-thread-context-menu.js: add role=menu and role=menuitem on all action buttons for accessibility
@Killea Killea merged commit a3bc771 into Killea:main Mar 1, 2026
1 check passed
@bertheto bertheto deleted the refactor/web-components-quality branch March 1, 2026 14:57
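The two patterns the PR applies, escaping every untrusted value before it is interpolated into innerHTML and removing a bound listener in disconnectedCallback, as an added example. This is not code from the acb-* components or from the PR; the helper names (escHtml, escAttr, renderThreadItem), the CbDemoButton element and the thread fields are assumptions made for illustration. In a browser the element extends HTMLElement; outside one it falls back to the built-in EventTarget so connect and disconnect can be driven by hand.

```javascript
// Added example, not the project's code. Names below are hypothetical.

// Escape text that lands between tags. The five characters here are the ones
// that can open markup or terminate a quoted attribute value; '&' goes first
// so already-escaped input is not double-decoded.
function escHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escape a value placed inside a double-quoted attribute. Same table as
// escHtml; a separate name documents the context at each call site.
function escAttr(value) {
  return escHtml(value);
}

// Build a thread item's markup from untrusted fields. status is used as a
// class name, a data-* attribute and the badge text, so each interpolation is
// escaped for its context. role and aria-current mirror the PR's ARIA change.
function renderThreadItem(thread, isActive) {
  const status = escAttr(thread.status);
  return (
    `<div role="listitem" aria-current="${isActive ? 'true' : 'false'}" ` +
    `class="thread status-${status}" data-status="${status}">` +
    `<span class="badge">${escHtml(thread.status)}</span>` +
    `<span class="title">${escHtml(thread.title)}</span>` +
    `</div>`
  );
}

// Browser: a real custom element. Node: EventTarget stands in for the base
// class so the lifecycle methods can be called directly (assumption for the demo).
const BaseElement = typeof HTMLElement !== 'undefined' ? HTMLElement : EventTarget;

class CbDemoButton extends BaseElement {
  constructor() {
    super();
    this.clicks = 0;
    // Bind once and keep the reference: removeEventListener only matches the
    // exact function object that was passed to addEventListener.
    this._onClick = this._handleClick.bind(this);
  }

  connectedCallback() {
    this.addEventListener('click', this._onClick);
  }

  disconnectedCallback() {
    // Unregister on teardown so the handler stops firing and no longer keeps
    // the element reachable from anything that still holds the listener.
    this.removeEventListener('click', this._onClick);
  }

  _handleClick() {
    this.clicks += 1;
  }
}

if (typeof customElements !== 'undefined') {
  customElements.define('cb-demo-button', CbDemoButton);
}
```

A useful check when reviewing a change like this is to feed renderThreadItem a status containing a quote and a tag and confirm that no raw `"` or `<` from the input survives into the output; the escaping must be applied at every interpolation point, not only in the text node.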