From eacc32c58738fcd1ba5144c7af40085aa4028c46 Mon Sep 17 00:00:00 2001
From: GrimbiXcode
Date: Tue, 21 Oct 2025 22:24:08 +0200
Subject: [PATCH] Potential fix for code scanning alert no. 1: DOM text reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/main.js | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/src/main.js b/src/main.js
index 788faef..d9081fb 100644
--- a/src/main.js
+++ b/src/main.js
@@ -2302,11 +2302,26 @@ class MTGScanner {
 // Create notification element
 const notification = document.createElement('div');
 notification.className = `notification ${type}`;
- notification.innerHTML = `
-
${icons[type] || icons.info}
-
${message}
-
- `;
+
+ // Icon (HTML-safe, from known set)
+ const iconElem = document.createElement('div');
+ iconElem.className = 'notification-icon';
+ iconElem.innerHTML = icons[type] || icons.info;
+
+ // Message (potentially user input, MUST use textContent)
+ const messageElem = document.createElement('div');
+ messageElem.className = 'notification-content';
+ messageElem.textContent = message;
+
+ // Close button (static)
+ const closeBtn = document.createElement('button');
+ closeBtn.className = 'notification-close';
+ closeBtn.setAttribute('aria-label', 'Close notification');
+ closeBtn.textContent = '✕';
+
+ notification.appendChild(iconElem);
+ notification.appendChild(messageElem);
+ notification.appendChild(closeBtn);
 // Add to container
 this.notificationContainer.appendChild(notification);
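Review bot: The icon branch still writes `innerHTML`, and `icons[type]` is a plain bracket lookup, so a `type` that is not one of the defined keys but is an inherited property name (`'constructor'`, `'toString'`) resolves to an `Object.prototype` member instead of falling back to `icons.info`; whether such a value can reach here depends on where `type` comes from, which is outside this hunk. Since the new comment already states the icons are a known set, make the lookup enforce it: `iconElem.innerHTML = Object.hasOwn(icons, type) ? icons[type] : icons.info;`. The `// Icon (HTML-safe, from known set)` claim also rests on `icons` being a static literal defined earlier in this method; if any entry is ever built from data, that line becomes the same sink this commit is closing, so a note such as `// icons must stay static markup — never derived from input` next to the object would guard the fix. The enclosing method begins before this hunk, so the `icons` definition and the source of `type` are not visible here.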