Full-codebase-audit 2026-05-30 outputs:

- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1.3 KiB
| issue | title | severity | domain | labels | status | created | source |
|---|---|---|---|---|---|---|---|
| 118 | Frontend: notification title rendered via dangerouslySetInnerHTML in .backup drawer | low | Security | security, frontend, xss, dead-code | open | 2026-05-30 | Full Codebase Audit 2026-05-30 |
# Frontend: notification title rendered via dangerouslySetInnerHTML in .backup drawer

Severity: low
Domain: Security
Labels: security, frontend, xss, dead-code
## Description

`src/layouts/components/notifications-drawer.backup/notification-item.tsx:32` renders a notification title via `dangerouslySetInnerHTML`, so any markup or script in the title string is parsed as HTML rather than shown as text: an XSS sink. The `.backup` directory is likely dead code, but it may still be imported somewhere or be re-enabled in the future, so the sink should be treated as reachable until that is confirmed.
## Options

- Delete the entire `.backup` directory if unused; this removes the dead code and the XSS sink together.
- Replace `dangerouslySetInnerHTML` with plain text rendering.
- Keep HTML but sanitize via DOMPurify.
## Recommendation

Confirm nothing imports the `.backup` directory and delete it. If any live notification rendering uses `dangerouslySetInnerHTML` elsewhere, switch to plain text rendering, or to DOMPurify only where the title genuinely has to carry markup.
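The two checks behind this recommendation (is the `.backup` directory imported anywhere, and are there other `dangerouslySetInnerHTML` sinks) are simple enough to script. The TypeScript below is an added example, not code from this repository: it runs both checks over an in-memory source tree (`SAMPLE_TREE`, constructed for the example with made-up file contents; the `.backup` path mirrors the affected file but the line numbers are not the real ones) and also shows the escaping React applies when the title is rendered as a text child (`<div>{title}</div>`), which is what the "plain text rendering" option amounts to. Swap `SAMPLE_TREE` for a map built from the real `frontend/src` files to run it for real.

```typescript
// Added example, not the project's own code. Two audit checks plus the
// text-rendering escape, all over a constructed in-memory source tree.

type SourceTree = Record<string, string>; // path -> file contents

export interface Hit {
  file: string;
  line: number; // 1-based
  text: string;
}

// Matches the module specifier in: import x from 'y'; import 'y';
// require('y'); import('y'). Deliberately broad: a false positive costs
// a glance, a false negative leaves the sink reachable.
const SPECIFIER_RE = /(?:from|import|require\(|import\()\s*['"]([^'"]+)['"]/g;

// Every import whose specifier mentions dirName (e.g. "notifications-drawer.backup").
export function findImportsOf(tree: SourceTree, dirName: string): Hit[] {
  const hits: Hit[] = [];
  for (const file of Object.keys(tree)) {
    const lines = tree[file].split("\n");
    for (let i = 0; i < lines.length; i++) {
      SPECIFIER_RE.lastIndex = 0; // global regex: reset per line
      let m: RegExpExecArray | null;
      while ((m = SPECIFIER_RE.exec(lines[i])) !== null) {
        if (m[1].indexOf(dirName) !== -1) {
          hits.push({ file, line: i + 1, text: lines[i].trim() });
        }
      }
    }
  }
  return hits;
}

// Every line using the raw-HTML sink; ignoreDir skips a directory that is
// about to be deleted anyway, so the list shows only the live sinks.
export function findDangerousSinks(tree: SourceTree, ignoreDir?: string): Hit[] {
  const hits: Hit[] = [];
  for (const file of Object.keys(tree)) {
    if (ignoreDir && file.indexOf(ignoreDir) !== -1) continue;
    const lines = tree[file].split("\n");
    for (let i = 0; i < lines.length; i++) {
      if (lines[i].indexOf("dangerouslySetInnerHTML") !== -1) {
        hits.push({ file, line: i + 1, text: lines[i].trim() });
      }
    }
  }
  return hits;
}

// What React does for `<div>{title}</div>`: markup in the title becomes
// visible text instead of being parsed. In JSX you never call this yourself;
// it is here to make the difference between the two render paths concrete.
const ESC: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
export function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => ESC[c]);
}

// Constructed sample tree: paths and contents are made up for this example.
export const SAMPLE_TREE: SourceTree = {
  "src/layouts/components/notifications-drawer.backup/notification-item.tsx": [
    "export function NotificationItem({ title }: { title: string }) {",
    "  return <div dangerouslySetInnerHTML={{ __html: title }} />;", // the sink
    "}",
  ].join("\n"),
  "src/layouts/components/notifications-drawer/notification-item.tsx": [
    "export function NotificationItem({ title }: { title: string }) {",
    "  return <div>{title}</div>;", // text child: escaped by React
    "}",
  ].join("\n"),
  "src/layouts/components/header.tsx": [
    "import { NotificationItem } from './notifications-drawer.backup/notification-item';",
    "export const Header = () => <NotificationItem title=\"hi\" />;",
  ].join("\n"),
};

// Report for the sample tree: one live importer of .backup, one sink inside it.
export function auditReport(tree: SourceTree): string[] {
  const out: string[] = [];
  for (const h of findImportsOf(tree, "notifications-drawer.backup")) {
    out.push(`import of .backup  ${h.file}:${h.line}  ${h.text}`);
  }
  for (const h of findDangerousSinks(tree)) {
    out.push(`raw-HTML sink      ${h.file}:${h.line}  ${h.text}`);
  }
  return out;
}

console.log(auditReport(SAMPLE_TREE).join("\n"));
```

In the sample tree the importer check fires on `header.tsx`, which is exactly the case the recommendation warns about: the directory cannot simply be deleted until that import is removed or repointed at the live drawer. Once `.backup` is gone, `findDangerousSinks(tree, ".backup")` is the list that should be empty before the issue is closed.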
## Affected Files

`frontend/src/layouts/components/notifications-drawer.backup/notification-item.tsx:32`

## References

- Full Codebase Audit 2026-05-30 — DEC-5