From 78675924d5ad1706994e1dd5908ba67f9452f24d Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
<161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 23 Apr 2026 13:50:56 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20fix(security):=20resolve=20XSS?=
=?UTF-8?q?=20vulnerability=20in=20app.js=20account=20dropdown?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Replaced `innerHTML` assignment with safe DOM manipulation methods (`createElement`, `textContent`, `src`) to prevent Cross-Site Scripting (XSS) when rendering GitHub account details.
Co-authored-by: megawron <52606827+megawron@users.noreply.github.com>
---
app.js | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/app.js b/app.js
index 72bc3e8..976e69f 100644
--- a/app.js
+++ b/app.js
@@ -1169,10 +1169,17 @@ async function fetchInstallations() {
installations.forEach(inst => {
const item = document.createElement('div');
item.className = 'dropdown-item';
- item.innerHTML = `
-
- ${inst.account.login}
- `;
+
+ const img = document.createElement('img');
+ img.src = inst.account.avatar_url;
+ img.className = 'account-avatar';
+
+ const span = document.createElement('span');
+ span.textContent = inst.account.login;
+
+ item.appendChild(img);
+ item.appendChild(span);
+
item.onclick = (e) => {
e.stopPropagation();
ui.accountDropdown.classList.remove('open');
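Review bot: The new `img.src = inst.account.avatar_url` line still assigns an unchecked value from the response straight into a live element attribute; an `<img>` source cannot run script, but any scheme the browser accepts (for example `data:` or plain `http:`) would be fetched as-is, so the textContent fix for the login does not cover the avatar. The value presumably comes from the installations API and is normally an HTTPS URL, but nothing in the hunk verifies that, so I would gate the assignment on the scheme: `const avatar = inst.account.avatar_url; if (typeof avatar === 'string' && avatar.startsWith('https://')) img.src = avatar;`. A decorative image should also carry `img.alt = '';` so screen readers skip it, since the login is already rendered in the adjacent span. The `installations.forEach` callback and the `item.onclick` handler both continue past the end of the hunk.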