This commit addresses several XSS vulnerabilities by ensuring that
dynamic data from external APIs (GitHub) and error messages are
properly escaped before being rendered via innerHTML.
Affected areas:
- openVersionMenu error handling and version list
- showErrorModal title and button text
- showToast message content
All changes were verified with a reproduction test case.
Co-authored-by: TauNeutrino <1600410+TauNeutrino@users.noreply.github.com>
- Added `tests/test_api.js` to verify header generation in `src/api.js`.
- Included test cases for `githubHeaders` and `apiHeaders`.
- Followed the project's existing testing pattern using Node.js `vm` module.
Co-authored-by: TauNeutrino <1600410+TauNeutrino@users.noreply.github.com>
Moved `kantine.js` into a `src/` directory with multiple modularized files:
- `api.js`: All API calls and constants
- `state.js`: State management (auth, cache, theme, tags, etc.)
- `utils.js`: Helpers for UI and Date formatting
- `ui.js`: DOM manipulation logic
- `events.js`: Initial DOM event listeners and logic hooks
- `actions.js`: Data fetching actions, local processing logic
- `ui_helpers.js`: UI helper functions (rendering modals, handling DOM injections)
Updated the `build-bookmarklet.sh` to compile with Webpack via newly created `webpack.config.js`. Updated all relevant test scripts to use the new output `dist/kantine.bundle.js` and modified logic to work within Webpack scopes.
Co-authored-by: TauNeutrino <1600410+TauNeutrino@users.noreply.github.com>
