
Fix XSS in post title rendering #910

Merged
boomzero merged 3 commits into dev from fix/xss-post-title
Feb 19, 2026

@boomzero boomzero commented Feb 19, 2026

What does this PR aim to accomplish?:

Fix a stored XSS vulnerability where unsanitized post titles are inserted via innerHTML, allowing arbitrary script execution (e.g., <img src=x onerror=alert('test')>).

How does this PR accomplish the above?:

Wrap ResponseData.Data.Title with the existing escapeHTML() function before inserting into PostTitle.innerHTML. This escapes <, >, ", ', and & so HTML tags in titles are rendered as text rather than parsed as DOM elements.


By submitting this pull request, I confirm the following:

  1. I have read and understood the contributor's guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented on my proposed changes within the code and I have tested my changes.
  3. I am willing to help maintain this change if there are issues with it later.
  4. It is compatible with the GNU General Public License v3.0
  5. I have squashed any insignificant commits. (git rebase)
  6. I have checked that another pull request for this purpose does not exist.
  7. I have considered and confirmed that this submission will be valuable to others.
  8. I accept that this submission may not be used, and the pull request can be closed at the will of the maintainer.
  9. I give this submission freely and claim no ownership to its content.

  • I have read the above and my PR is ready for review. Check this box to confirm

Sanitize post title with escapeHTML() before inserting into innerHTML
to prevent script injection via crafted post titles.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@hendragon-bot hendragon-bot bot added the user-script This issue or pull request is related to the main user script label Feb 19, 2026
@boomzero boomzero merged commit f2b74a7 into dev Feb 19, 2026
5 checks passed
@boomzero boomzero deleted the fix/xss-post-title branch February 19, 2026 08:29
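The change described in the pull request above, as an added example that is not part of the PR or the XMOJ code base: the same title is turned into markup with and without escaping, and a rough start-tag scan shows what an HTML parser would open as elements. The `escapeHTML` body, the helper names and the sample titles are assumptions made for illustration; only the five escaped characters and the `<img ...>` payload come from the PR description.

```javascript
// Added example: escapeHTML below is a stand-in, not the XMOJ implementation.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const DECODE = Object.fromEntries(Object.entries(ENTITIES).map(([ch, ent]) => [ent, ch]));

// Escape the five characters the PR lists. String() guards against non-string API data.
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Before the fix: the title reaches innerHTML unchanged.
function titleMarkupBefore(title) {
  return String(title);
}

// After the fix: the title is escaped first.
function titleMarkupAfter(title) {
  return escapeHTML(title);
}

// Approximation of what an HTML parser would open as elements: "<" followed by a letter.
function startTags(markup) {
  return [...markup.matchAll(/<([a-zA-Z][a-zA-Z0-9-]*)/g)].map((m) => m[1].toLowerCase());
}

// Single-pass decode of the five entities: the text a reader would see on the page.
function visibleText(markup) {
  return markup.replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => DECODE[ent]);
}

// Constructed sample titles; the second is the payload quoted in the PR description.
const SAMPLE_TITLES = [
  "Tom & Jerry: a < b?",
  "<img src=x onerror=alert('test')>",
  "&lt;b&gt; already escaped once",
];

// For each title: tags opened before and after escaping, and whether the text survives intact.
function audit(titles) {
  return titles.map((title) => ({
    title,
    tagsBefore: startTags(titleMarkupBefore(title)),
    tagsAfter: startTags(titleMarkupAfter(title)),
    roundTrips: visibleText(titleMarkupAfter(title)) === title,
  }));
}

console.table(audit(SAMPLE_TITLES));
```

Where the title is the element's only content, assigning it to `textContent` instead of `innerHTML` skips HTML parsing altogether and needs no escaping helper.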

@cubic-dev-ai cubic-dev-ai bot left a comment


2 issues found across 3 files (changes from recent commits).

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="XMOJ.user.js">

<violation number="1" location="XMOJ.user.js:3">
P2: Manual version bump in the userscript header conflicts with the repository’s automated version management (UpdateVersion workflow). This should be left to the automation to keep XMOJ.user.js, package.json, and Update.json in sync.</violation>
</file>

<file name="package.json">

<violation number="1" location="package.json:3">
P2: Do not manually bump the package.json version. Version updates are automated by UpdateVersion.js and should not be edited in PRs.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

// ==UserScript==
// @name XMOJ
// @version 3.1.0
// @version 3.1.1

@cubic-dev-ai cubic-dev-ai bot Feb 19, 2026


P2: Manual version bump in the userscript header conflicts with the repository’s automated version management (UpdateVersion workflow). This should be left to the automation to keep XMOJ.user.js, package.json, and Update.json in sync.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At XMOJ.user.js, line 3:

<comment>Manual version bump in the userscript header conflicts with the repository’s automated version management (UpdateVersion workflow). This should be left to the automation to keep XMOJ.user.js, package.json, and Update.json in sync.</comment>

<file context>
@@ -1,6 +1,6 @@
 // ==UserScript==
 // @name         XMOJ
-// @version      3.1.0
+// @version      3.1.1
 // @description  XMOJ增强脚本
 // @author       @XMOJ-Script-dev, @langningchen and the community
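Review bot: The `// @version` line is the only change in this hunk, and userscript managers compare that header value to decide whether an installed copy is out of date, so the escaping fix reaches existing users only once a higher version ships. If the manual bump is dropped in favour of the UpdateVersion workflow, confirm that the workflow raises the version above 3.1.0 in the release that carries the fix.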
</file context>

{
"name": "xmoj-script",
"version": "3.1.0",
"version": "3.1.1",

@cubic-dev-ai cubic-dev-ai bot Feb 19, 2026


P2: Do not manually bump the package.json version. Version updates are automated by UpdateVersion.js and should not be edited in PRs.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At package.json, line 3:

<comment>Do not manually bump the package.json version. Version updates are automated by UpdateVersion.js and should not be edited in PRs.</comment>

<file context>
@@ -1,6 +1,6 @@
 {
   "name": "xmoj-script",
-  "version": "3.1.0",
+  "version": "3.1.1",
   "description": "an improvement script for xmoj.tech",
   "main": "AddonScript.js",
</file context>


Labels

size/S user-script This issue or pull request is related to the main user script
