This commit addresses several XSS vulnerabilities by ensuring that
dynamic data from external APIs (GitHub) and error messages are
properly escaped before being rendered via innerHTML.

Affected areas:
- openVersionMenu error handling and version list
- showErrorModal title and button text
- showToast message content

All changes were verified with a reproduction test case.
Co-authored-by: TauNeutrino <1600410+TauNeutrino@users.noreply.github.com>
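
The escaping described in the commit message above, as an added example that is not code from this repository: `escapeHtml`, the `render*` functions and the sample data are hypothetical, and the `tag_name`/`name` fields assume a GitHub releases-style response. It builds the markup that would be assigned to innerHTML, once without and once with escaping, so the difference can be checked without a browser.

```javascript
// Added example: hypothetical helpers, not the project's own code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": API-supplied strings are concatenated into markup unchanged.
function renderVersionListUnsafe(releases) {
  return releases
    .map((r) => `<li data-tag="${r.tag_name}">${r.name}</li>`)
    .join('');
}

// "After": every dynamic value is escaped at the point it enters the markup.
function renderVersionListSafe(releases) {
  return releases
    .map((r) => `<li data-tag="${escapeHtml(r.tag_name)}">${escapeHtml(r.name)}</li>`)
    .join('');
}

// Error text can echo remote input too, so it gets the same treatment.
function renderToastSafe(err) {
  return `<div class="toast">${escapeHtml(err && err.message ? err.message : err)}</div>`;
}

// Constructed sample shaped like a releases list; the second entry carries markup.
const sampleReleases = [
  { tag_name: 'v1.2.0', name: 'Release 1.2.0' },
  { tag_name: 'v1.3.0" onmouseover="x', name: '<img src=x onerror=alert(1)>' },
];

console.log(renderVersionListUnsafe(sampleReleases)); // markup from the data survives
console.log(renderVersionListSafe(sampleReleases));   // markup is rendered as text
console.log(renderToastSafe(new Error('Fetch failed: <b>404</b>')));
```

Where the value is plain text with no surrounding markup, assigning it through `textContent` avoids the HTML parser altogether.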
Moved `kantine.js` into a `src/` directory with multiple modularized files:
- `api.js`: All API calls and constants
- `state.js`: State management (auth, cache, theme, tags, etc.)
- `utils.js`: Helpers for UI and Date formatting
- `ui.js`: DOM manipulation logic
- `events.js`: Initial DOM event listeners and logic hooks
- `actions.js`: Data fetching actions, local processing logic
- `ui_helpers.js`: UI helper functions (rendering modals, handling DOM injections)

Updated `build-bookmarklet.sh` to compile with Webpack via the newly created `webpack.config.js`. Updated all relevant test scripts to use the new output `dist/kantine.bundle.js` and modified logic to work within Webpack scopes.

Co-authored-by: TauNeutrino <1600410+TauNeutrino@users.noreply.github.com>

Complete implementation including:
- Express server with Bessa API proxy
- Puppeteer scraper for menu data
- Flag storage (file-based persistence)
- SSE manager for real-time updates
- Polling orchestrator for distributed polling
- Frontend with weekly view, ordering, and flagging UI
- Yellow/green glow indicators for flagged items