🔍 Issue
`src/components/ui/chart.tsx:81` uses `dangerouslySetInnerHTML` to render chart content.
Context
This appears to be a custom chart component that renders HTML inside the chart labels/tooltips. If any chart data (labels, tooltips, axis values) comes from user input (e.g., course names, professor names, review text), malicious HTML could be injected.
✅ Fix
If this is a shadcn/ui or Radix chart component, the `dangerouslySetInnerHTML` is likely unnecessary. Check:
- What data is being passed to the `__html` prop?
- Can any of that data be user-controlled?
- If the data is user-controlled, switch to React's normal text rendering (JSX text children are escaped automatically) or, if HTML rendering is genuinely required, sanitize the markup with DOMPurify before it reaches `__html`.
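Added example (not the project's `chart.tsx`, and not shadcn/ui or Radix code): a dependency-free TypeScript sketch of the pattern the review describes. `tooltipHtmlUnsafe` builds the string that would be handed to `__html` with the label interpolated raw; `tooltipHtmlSafe` escapes every data field first; `looksLikeMarkup` is a triage helper for the "can any of that data be user-controlled?" question. The `ChartPoint` shape, the function names and the hostile professor-name sample are all constructed for illustration.

```typescript
// Added example, not the project's chart component: raw vs. escaped chart data
// on its way into `dangerouslySetInnerHTML={{ __html: ... }}`.

interface ChartPoint {
  label: string;   // e.g. a course or professor name; may originate from users or a scraper
  value: number;
}

// Minimal HTML escaping for text interpolated into markup.
function escapeHtml(s: string): string {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Pattern to avoid: the label lands in the markup unescaped, so any tag it
// carries becomes live DOM once React injects the string via __html.
function tooltipHtmlUnsafe(p: ChartPoint): string {
  return `<div class="tooltip"><span>${p.label}</span>: <b>${p.value}</b></div>`;
}

// Hardened variant: identical markup, every data field escaped. The number is
// coerced with String() and escaped too, so a non-number sneaking in stays inert.
function tooltipHtmlSafe(p: ChartPoint): string {
  return `<div class="tooltip"><span>${escapeHtml(p.label)}</span>: <b>${escapeHtml(String(p.value))}</b></div>`;
}

// Cheap triage check for the review question above: flags values carrying
// tags, inline event handlers or javascript: URLs before they reach __html.
// A hit means the field needs escaping or sanitizing, not that it is safe otherwise.
function looksLikeMarkup(s: string): boolean {
  return /<\s*\/?\s*[a-z!]/i.test(s) || /\bon[a-z]+\s*=/i.test(s) || /javascript:/i.test(s);
}

// Constructed samples: a hostile "professor name" and a benign course name.
const hostilePoint: ChartPoint = {
  label: 'Dr. Smith<script>document.title="injected"</script>',
  value: 4.2,
};
const benignPoint: ChartPoint = { label: "Intro to Algorithms", value: 3.8 };

function demo(): { unsafe: string; safe: string; flagged: boolean } {
  return {
    unsafe: tooltipHtmlUnsafe(hostilePoint),   // contains a live <script> tag
    safe: tooltipHtmlSafe(hostilePoint),       // contains &lt;script&gt; text only
    flagged: looksLikeMarkup(hostilePoint.label),
  };
}

console.log(demo());
```

In a real component the `safe` string is only needed if the markup must stay HTML; if the tooltip just shows text, dropping `dangerouslySetInnerHTML` and rendering `{p.label}` as a JSX child gives the same escaping for free. DOMPurify's `sanitize()` is the option when rich HTML from untrusted sources genuinely has to be rendered.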
Additionally, `scripts/scrape_professors.py:51` uses `requests.get(url, verify=False)` — disabling SSL verification is dangerous and should be fixed in production.