nick-doc/Issues/ISSUE-118-frontend-notification-title-rendered-via-dangerouslysetinnerht.md
Siavash Sameni dceaf82934 audit: 2026-05-30 full-codebase audit — report, issues, docs, runbooks
Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment
  flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed
working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-05-30 18:48:04 +04:00


| issue | title | severity | domain | labels | status | created | source |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 118 | Frontend: notification title rendered via dangerouslySetInnerHTML in .backup drawer | low | Security | security, frontend, xss, dead-code | open | 2026-05-30 | Full Codebase Audit 2026-05-30 |

Frontend: notification title rendered via dangerouslySetInnerHTML in .backup drawer

Severity: low Domain: Security Labels: security, frontend, xss, dead-code

Description

src/layouts/components/notifications-drawer.backup/notification-item.tsx:32 renders a notification title via dangerouslySetInnerHTML, so any markup contained in the title string is interpreted by the browser instead of being shown as text. That makes the title an XSS sink for whatever data feeds the notification. The .backup directory is likely dead code, but it may still be imported somewhere or re-enabled in the future.

Options

  1. Delete the entire .backup directory if unused — removes dead code and the XSS sink.
  2. Replace dangerouslySetInnerHTML with plain text rendering.
  3. Keep HTML but sanitize via DOMPurify.

Recommendation

Confirm nothing imports the .backup directory and delete it. If any live notification rendering uses dangerouslySetInnerHTML elsewhere, switch to text or DOMPurify.
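As an added example (not code from the audited repository), the two rendering paths the options contrast, side by side, plus a small check of the kind the recommendation asks for: flag dangerouslySetInnerHTML uses and imports reaching into a `.backup` directory. `SAMPLE_FILES` and its contents are constructed; `renderTitleRaw`, `renderTitleText` and `auditSources` are hypothetical names, not the project's own.

```javascript
// Escaping a title the way React does for plain text children ({title}):
// markup inside the notification title stays inert text in the DOM.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Equivalent of <span dangerouslySetInnerHTML={{ __html: title }} />:
// the title is inserted as markup, so untrusted notification data is an XSS sink.
function renderTitleRaw(title) {
  return `<span class="title">${title}</span>`;
}

// Equivalent of <span>{title}</span> (option 2): no HTML is interpreted.
function renderTitleText(title) {
  return `<span class="title">${escapeHtml(title)}</span>`;
}

// Audit check: given a map of path -> source text, report every line that uses
// dangerouslySetInnerHTML and every import/require that reaches into a *.backup dir.
function auditSources(files) {
  const findings = [];
  const backupImportRe = /(?:from\s+|require\()\s*['"][^'"]*\.backup(?:\/|['"])/;
  for (const [path, src] of Object.entries(files)) {
    src.split("\n").forEach((line, i) => {
      if (line.includes("dangerouslySetInnerHTML")) {
        findings.push({ path, line: i + 1, kind: "html-sink" });
      }
      if (backupImportRe.test(line)) {
        findings.push({ path, line: i + 1, kind: "backup-import" });
      }
    });
  }
  return findings;
}

// Constructed sample sources (hypothetical contents; the real line 32 is not reproduced).
const SAMPLE_FILES = {
  "src/layouts/components/notifications-drawer.backup/notification-item.tsx":
    "export function NotificationItem({ title }) {\n" +
    "  return <span dangerouslySetInnerHTML={{ __html: title }} />;\n}\n",
  "src/layouts/components/notifications-drawer/index.tsx":
    "import { NotificationItem } from '../notifications-drawer.backup/notification-item';\n" +
    "export const Drawer = ({ n }) => <NotificationItem title={n.title} />;\n",
};
```

Running `auditSources` over the real tree would answer the "confirm nothing imports the .backup directory" step; an empty `backup-import` list means the directory can be deleted.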

Affected Files

  • frontend/src/layouts/components/notifications-drawer.backup/notification-item.tsx:32

References