Skip to content

🔒 [security fix] Replace unsafe innerHTML with replaceChildren() in options.js#44

Merged
cmuench merged 1 commit intomainfrom
fix-security-innerHTML-1206267693465189982
Apr 5, 2026
Merged

🔒 [security fix] Replace unsafe innerHTML with replaceChildren() in options.js#44
cmuench merged 1 commit intomainfrom
fix-security-innerHTML-1206267693465189982

Conversation

@cmuench
Copy link
Copy Markdown
Contributor

@cmuench cmuench commented Apr 5, 2026

🔒 Security Vulnerability Fix

🎯 What:

Replaced unsafe innerHTML = "" assignments and redundant manual child-removal while loops in options/options.js with the modern replaceChildren() API.

⚠️ Risk:

Using innerHTML = "" for clearing elements, while common, is flagged as unsafe hygiene by security scanners and standard project guidelines. Direct innerHTML assignments are a potential vector for XSS if they are later modified to include data.

🛡️ Solution:

The fix utilizes Element.replaceChildren(), which is a standard, performant, and secure way to clear all children of a DOM element in modern browsers (Chrome 86+, Firefox 78+). It also simplifies the codebase by removing several multi-line manual loops used for the same purpose.

Changes made in options/options.js:

  • Lines 27-32: Replaced innerHTML = "" and while loop with list.replaceChildren().
  • Line 38: Replaced while loop with groupSelect.replaceChildren().
  • Line 206 (now 198): Replaced groupsList.innerHTML = "" with groupsList.replaceChildren().
  • Line 357: Replaced while loop with groupSelect.replaceChildren().
  • Line 677: Replaced variablesAutocomplete.innerHTML = "" with variablesAutocomplete.replaceChildren().
  • Lines 761, 860, 1380: Updated textContent = "" to replaceChildren() for consistency when clearing list/grid containers.

PR created automatically by Jules for task 1206267693465189982 started by @cmuench

@google-labs-jules @cmuench
🔒 fix: replace unsafe innerHTML assignments with replaceChildren()
f34a044 
Replaced all occurrences of unsafe `innerHTML = ""` and redundant child removal loops
with the modern `Element.replaceChildren()` API in `options/options.js`.
This addresses security hygiene issues and prevents potential XSS vectors
while standardizing element clearing logic.

Co-authored-by: cmuench <211294+cmuench@users.noreply.github.com>
@google-labs-jules
Copy link
Copy Markdown
Contributor

google-labs-jules bot commented Apr 5, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@cmuench cmuench merged commit 9820169 into main Apr 5, 2026
1 check passed
@cmuench cmuench deleted the fix-security-innerHTML-1206267693465189982 branch April 5, 2026 09:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@cmuench