feat(themes): create dropdown for order links #571
Conversation
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
| item.addEventListener('click', function (event) { | ||
| event.preventDefault(); | ||
| window.open(item.href, '_blank'); | ||
| buttonContent.innerHTML = item.innerHTML; |
There was a problem hiding this comment.
❌ Codacy found a critical Security issue: User controlled data in a buttonContent.innerHTML is an anti-pattern that can lead to XSS vulnerabilities
The issue identified by the Semgrep linter is related to the assignment of item.innerHTML to buttonContent.innerHTML. Since item.innerHTML is derived from user-controlled data (the content of the clicked link), directly assigning it to innerHTML can lead to Cross-Site Scripting (XSS) vulnerabilities. An attacker could potentially inject malicious scripts through this mechanism, which would then be executed in the context of the current page.
To mitigate this risk, it's better to use safer methods for setting text content that do not interpret HTML. One common approach is to use textContent instead of innerHTML, which sets the text content of the element without parsing it as HTML.
Here’s the suggested code change:
| buttonContent.innerHTML = item.innerHTML; | |
| buttonContent.textContent = item.textContent; |
This comment was generated by an experimental AI tool.
| item.addEventListener('click', function (event) { | ||
| event.preventDefault(); | ||
| window.open(item.href, '_blank'); | ||
| buttonContent.innerHTML = item.innerHTML; |
There was a problem hiding this comment.
❌ Codacy found a critical Security issue: User controlled data in methods like innerHTML, outerHTML or document.write is an anti-pattern that can lead to XSS vulnerabilities
The issue identified by the Semgrep linter pertains to the use of innerHTML to set the content of buttonContent. This practice can lead to Cross-Site Scripting (XSS) vulnerabilities if the item.innerHTML contains untrusted user input. An attacker could potentially inject malicious scripts into the page if they control the content of item.innerHTML.
To mitigate this risk, it is advisable to use safer methods for setting text content, such as textContent, which does not interpret HTML and thus prevents the execution of any embedded scripts.
Here is the suggested code change to address the issue:
| buttonContent.innerHTML = item.innerHTML; | |
| buttonContent.textContent = item.innerHTML; |
This comment was generated by an experimental AI tool.
| app.on('mouseover', item, () => { | ||
| let submenu = item.querySelector('.sub-menu .sub-menu'); | ||
| if (submenu) { | ||
| let rect = submenu.getBoundingClientRect(); |
There was a problem hiding this comment.
❌ Codacy found a critical ErrorProne issue: You have a misspelled word: rect on Identifier
The issue reported by the ESLint linter indicates that the variable name rect is considered to be misspelled according to the linter's configuration. While rect is a commonly used abbreviation for "rectangle," it seems that the linter is set to flag it as a potential spelling error.
To resolve this, we can rename the variable to a more explicit and correctly spelled term that conveys the same meaning. A suitable alternative could be rectangle.
Here’s the suggested change:
| let rect = submenu.getBoundingClientRect(); | |
| let rectangle = submenu.getBoundingClientRect(); |
This comment was generated by an experimental AI tool.
| if (item.classList.contains('change-menu-dir')) return; | ||
| app.on('mouseover', item, () => { | ||
| let submenu = item.querySelector('.sub-menu .sub-menu'); | ||
| if (submenu) { |
There was a problem hiding this comment.
❌ Codacy found a critical ErrorProne issue: You have a misspelled word: submenu on Identifier
The issue identified by the ESLint linter is that the word "submenu" is flagged as a misspelled identifier. This is likely due to the linter's configuration or dictionary settings, which may not recognize "submenu" as a valid word. However, "submenu" is a commonly used term in programming, particularly in UI development, to refer to a nested menu.
To resolve this issue, you can either adjust the linter's settings to recognize "submenu" as a valid term or, if you prefer to keep the linter's configuration as it is, you could rename the variable to something that the linter recognizes.
Here’s a suggestion that changes the variable name to "subMenu" (with a capital "M"), which is more conventional in JavaScript and may not trigger the linter:
| if (submenu) { | |
| let subMenu = item.querySelector('.sub-menu .sub-menu'); |
This comment was generated by an experimental AI tool.
jalmatari
left a comment
jalmatari
left a comment
There was a problem hiding this comment.
No ready yet, needs more enhancement
2 participants
What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
What is the current behaviour? (You can also link to an open issue here)
What is the new behaviour? (You can also link to the ticket here)
Does this PR introduce a breaking change?
Screenshots (If appropriate)