---
issue: 118
title: "Frontend: notification title rendered via dangerouslySetInnerHTML in .backup drawer"
severity: low
domain: Security
labels: [security, frontend, xss, dead-code]
status: open
created: 2026-05-30
source: Full Codebase Audit 2026-05-30
---

# Frontend: notification title rendered via dangerouslySetInnerHTML in .backup drawer

**Severity:** low
**Domain:** Security
**Labels:** security, frontend, xss, dead-code

## Description

`src/layouts/components/notifications-drawer.backup/notification-item.tsx:32` renders a notification title via `dangerouslySetInnerHTML`, creating an XSS sink. The `.backup` directory is likely dead code, but it may be imported somewhere or re-enabled in the future.

## Options

1. Delete the entire `.backup` directory if unused; this removes the dead code and the XSS sink.
2. Replace `dangerouslySetInnerHTML` with plain text rendering.
3. Keep HTML but sanitize it via DOMPurify.

## Recommendation

Confirm nothing imports the `.backup` directory and delete it. If any live notification rendering uses `dangerouslySetInnerHTML` elsewhere, switch to text rendering or DOMPurify.

## Affected Files

- `frontend/src/layouts/components/notifications-drawer.backup/notification-item.tsx:32`

## References

- [Full Codebase Audit 2026-05-30](../09%20-%20Audits/Full%20Codebase%20Audit%20-%202026-05-30.md) — DEC-5