Potential fix for code scanning alert no. 23: DOM text reinterpreted as HTML

[thorsten]

Potential fix for https://github.com/thorsten/phpMyFAQ/security/code-scanning/23

In general, to fix DOM text reinterpreted as HTML, avoid assigning untrusted or non-HTML content to innerHTML. Instead, assign it to textContent/innerText or use DOM APIs to build elements, so the browser treats it strictly as text and not as markup.

Here, we never intend output to contain HTML—it's just a human-readable file size string. The best fix is:

• Replace fileSize.innerHTML = output; with fileSize.textContent = output;, so the value is inserted as plain text.
• Likewise, later when clearing the element, replace fileSize.innerHTML = ''; with fileSize.textContent = '';. This keeps the pattern consistent and removes unnecessary use of innerHTML.

These changes are localized to phpmyfaq/admin/assets/src/content/attachment-upload.ts:

• Around line 52: change the assignment to use textContent.
• Around line 111: likewise change the clearing assignment to textContent.

No extra imports, methods, or definitions are needed; textContent is a standard property of HTMLElement.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Summary by CodeRabbit

• Bug Fixes
  • Improved security handling of file size display in the attachment upload feature by ensuring text content is rendered as plain text rather than HTML.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches

🧪 Generate unit tests (beta)

❌ Error creating Unit Test PR.

• Create PR with unit tests
• Commit unit tests in branch alert-autofix-23
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Note

Unit test generation is an Early Access feature. Expect some limitations and changes as we gather feedback and continue to improve it.

---

Generating unit tests... This may take up to 20 minutes.