From de1fac1f9609d7c9165d9d0a7f0adad2a2bb8023 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 11 Mar 2026 06:31:13 +0000
Subject: [PATCH] security: replace unsafe innerHTML assignments with
 textContent in options.js

This change replaces assignments to innerHTML with textContent when
clearing element content in options.js. This addresses a security
vulnerability related to unsafe DOM manipulation and follows best
practices for browser extensions to prevent potential XSS and pass
automated security reviews.

Affected elements:
- webhook-list
- groups-list
- variables-autocomplete

Redundant node removal loops were also removed in favor of the more
efficient textContent = "" approach.

Co-authored-by: cmuench <211294+cmuench@users.noreply.github.com>
---
 options/options.js | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/options/options.js b/options/options.js
index 40029a2..76f2bc2 100644
--- a/options/options.js
+++ b/options/options.js
@@ -24,12 +24,9 @@ const loadWebhooks = async () => {
   const normalizedWebhooks = webhooks.map(normalizeWebhookRecord);
   const list = document.getElementById("webhook-list");
   const message = document.getElementById("no-webhooks-message");
-  list.innerHTML = "";
 
-  // Clear the webhook list safely
-  while (list.firstChild) {
-    list.removeChild(list.firstChild);
-  }
+  // Clear the webhook list safely using textContent
+  list.textContent = "";
 
   // Populate group dropdown safely
   const groupSelect = document.getElementById("webhook-group");
@@ -203,7 +200,7 @@ const loadGroups = async () => {
 // Function to render groups in the group management modal
 const renderGroups = async () => {
   const groups = await loadGroups();
-  groupsList.innerHTML = "";
+  groupsList.textContent = "";
 
   groups.forEach(group => {
     const listItem = document.createElement("li");
@@ -684,7 +681,7 @@ customPayloadInput.addEventListener('input', function(e) {
 
     if (matchingVars.length > 0) {
       // Show autocomplete dropdown
-      variablesAutocomplete.innerHTML = '';
+      variablesAutocomplete.textContent = '';
       variablesAutocomplete.classList.remove('hidden');
 
       matchingVars.forEach(variable => {