Garry Tan 461a6e6b18 fix(ui): use textContent for security banner layer labels ...

Was `div.innerHTML = \`<span>\${label}</span>...\`` with label coming
from an event field. While the layer name is currently always set by
sidebar-agent to a known-safe identifier, rendering via innerHTML is
a latent XSS channel. Switch to document.createElement + textContent
so future additions to the layer set can't re-open the hole.

Caught by pre-landing review.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-20 07:17:07 +08:00

..

icons

feat: headed mode + sidebar agent + Chrome extension (v0.12.0) (#517)

2026-03-26 11:15:24 -06:00

background.js

fix: community security wave — 8 PRs, 4 contributors (v0.15.13.0) (#847)

2026-04-06 00:47:04 -07:00

content.css

feat: headed mode + sidebar agent + Chrome extension (v0.12.0) (#517)

2026-03-26 11:15:24 -06:00

content.js

refactor: AI slop reduction with cross-model quality review (v0.16.3.0) (#941)

2026-04-10 17:13:15 -10:00

inspector.css

feat: sidebar CSS inspector + per-tab agents (v0.13.9.0) (#650)

2026-03-30 12:51:05 -06:00

inspector.js

refactor: AI slop reduction with cross-model quality review (v0.16.3.0) (#941)

2026-04-10 17:13:15 -10:00

manifest.json

feat: sidebar CSS inspector + per-tab agents (v0.13.9.0) (#650)

2026-03-30 12:51:05 -06:00

popup.html

feat: headed mode + sidebar agent + Chrome extension (v0.12.0) (#517)

2026-03-26 11:15:24 -06:00

popup.js

feat: headed mode + sidebar agent + Chrome extension (v0.12.0) (#517)

2026-03-26 11:15:24 -06:00

sidepanel.css

fix(ui): banner z-index above shield icon so close button is clickable

2026-04-20 05:40:54 +08:00

sidepanel.html

feat(ui): add security shield icon in sidepanel header (3 states)

2026-04-19 19:20:26 +08:00

sidepanel.js

fix(ui): use textContent for security banner layer labels

2026-04-20 07:17:07 +08:00