
Security hardening: URL encoding, SAS state isolation, JWT validation #8

Merged
System-Admins-ath merged 2 commits into main from copilot/find-issues-and-optimizations
Feb 20, 2026

Copilot AI (Contributor) commented Feb 20, 2026

Codebase audit found several security issues and a state corruption bug in the SAS URL preview flow.

Security fixes

  • ARM API path injection — subscriptionId, resourceGroup, accountName interpolated raw into REST URL paths. Added _encArmSegment() wrapper using encodeURIComponent on all ARM URL path segments.

  • URL hash encoding — App link construction used #${item.name} without encoding, breaking URLs with special characters. Now uses encodeURIComponent.

  • JWT structure validation — _parseJwt() blindly split and decoded without checking 3-part structure or that the payload is a non-null object.

State corruption fix

  • SAS preview mutated global state — _showOpenSasModal called activateSasMode() on every keystroke to preview SAS URL metadata, temporarily corrupting CONFIG.storage and _SAS_STATE. Extracted a pure parseSasUrl() function that returns parsed metadata without side effects. activateSasMode() now delegates to it internally.

```javascript
// Before: mutate global state → read → undo (race-prone)
const info = activateSasMode(raw);
const state = getSasState();
deactivateSasMode();

// After: read-only parse for preview
const info = parseSasUrl(raw);
```

Code quality

  • innerHTML → textContent in _showInfoModal's addRow() — uses textContent by default, innerHTML only when explicitly passing trusted HTML.
  • Silent catch blocks — added console.warn to metadata fetch failures in edit/upload flows.
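The three hardening patterns described in this PR (encoded ARM path segments and hash fragments, a structural JWT check, and a side-effect-free SAS URL parse that activation delegates to), as an added example written for this page and not the project's own code. Function names follow the PR without the leading underscores; the ARM URL shape, the api-version placeholder, the SAS query-field names and all bodies are assumptions, and the block targets Node.js (Buffer, WHATWG URL).

```javascript
// Added example, not the project's code: illustrative implementations of the
// three patterns the PR describes. Names follow the PR (_encArmSegment,
// _parseJwt, parseSasUrl, activateSasMode) without the leading underscores; the
// bodies, the ARM URL shape and the SAS field names are assumptions. Node.js
// (uses Buffer and the WHATWG URL class).

// --- 1. Caller-supplied values never reach a URL path or fragment unencoded ---
function encArmSegment(segment) {
  if (typeof segment !== 'string' || segment.length === 0) {
    throw new TypeError('ARM path segment must be a non-empty string');
  }
  // encodeURIComponent also encodes "/", "?" and "#", so a value such as
  // "rg/../other" cannot escape the path segment it was meant to fill.
  return encodeURIComponent(segment);
}

function buildStorageAccountUrl(subscriptionId, resourceGroup, accountName) {
  // Assumed ARM resource path; the api-version value is a placeholder.
  return 'https://management.azure.com/subscriptions/' + encArmSegment(subscriptionId) +
    '/resourceGroups/' + encArmSegment(resourceGroup) +
    '/providers/Microsoft.Storage/storageAccounts/' + encArmSegment(accountName) +
    '?api-version=PLACEHOLDER';
}

// App-internal link: the item name goes into the hash encoded, so "#" or "?"
// inside a name cannot truncate or alter the link.
function buildAppLink(itemName) {
  return '#' + encodeURIComponent(itemName);
}

// --- 2. JWT structure check before decoding ---
// This validates shape only; it does not verify the signature, so the returned
// claims are display data, never an authorization decision.
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

function parseJwt(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  // Exactly header.payload.signature, none of them empty.
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) return null;
  let payload;
  try {
    payload = JSON.parse(base64UrlDecode(parts[1]));
  } catch (e) {
    return null; // undecodable or non-JSON payload
  }
  // The payload must be a non-null JSON object (not null, an array or a scalar).
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) return null;
  return payload;
}

// --- 3. Pure SAS URL parse; activation is the only writer of global state ---
const CONFIG = { storage: null };
let SAS_STATE = null;

function parseSasUrl(raw, now = Date.now()) {
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return null; // not a URL at all (e.g. a half-typed preview value)
  }
  const q = url.searchParams;
  // Assumed minimum for a SAS URL: a signature and a service version.
  if (!q.has('sig') || !q.has('sv')) return null;
  const pathParts = url.pathname.split('/').filter(Boolean);
  const expiry = q.get('se');
  const expiryMs = expiry === null ? NaN : Date.parse(expiry);
  return {
    account: url.hostname.split('.')[0],
    container: pathParts.length > 0 ? pathParts[0] : null,
    permissions: q.get('sp'),
    expiry,
    expired: Number.isNaN(expiryMs) ? null : expiryMs <= now,
  };
}

function activateSasMode(raw) {
  const info = parseSasUrl(raw);
  if (info === null) throw new Error('not a SAS URL');
  CONFIG.storage = { account: info.account, container: info.container };
  SAS_STATE = { active: true, expiry: info.expiry };
  return info;
}

function getSasState() {
  return SAS_STATE;
}
```

A preview path that calls parseSasUrl() leaves CONFIG and SAS_STATE untouched, so nothing has to be undone after reading, which removes the window in which a second keystroke could observe half-restored state.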


…tion, JWT validation

Co-authored-by: System-Admins-ath <94194707+System-Admins-ath@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Review code base for issues and security vulnerabilities" to "Security hardening: URL encoding, SAS state isolation, JWT validation" on Feb 20, 2026
System-Admins-ath marked this pull request as ready for review February 20, 2026 21:55
System-Admins-ath merged commit 84dca82 into main Feb 20, 2026
2 checks passed
System-Admins-ath deleted the copilot/find-issues-and-optimizations branch February 20, 2026 21:55