Skip to content

Refactor callsign.js: eliminate XSS vulnerability, modernize codebase #17

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
phieri merged 4 commits into from
Oct 26, 2025
Merged

Refactor callsign.js: eliminate XSS vulnerability, modernize codebase #17

phieri merged 4 commits into from
Oct 26, 2025

Conversation

Copy link
Contributor

Copilot AI commented Oct 26, 2025
edited
Loading

Complete refactoring addressing security, performance, and code quality issues throughout the library.

Security

  • Eliminated XSS vulnerability in searchCallsigns() - replaced innerHTML string manipulation with TreeWalker + DocumentFragment
  • Changed innerHTML assignments to textContent where applicable

Performance

  • Configuration caching eliminates repeated getElementById() calls
  • TreeWalker provides O(n) DOM traversal vs O(n²) innerHTML regex replacement

Code Quality

  • ES6+ modernization: const/let, template literals, arrow functions, object shorthand
  • Extracted helpers: getScriptElement(), getConfig(), createFlagElement()
  • Input validation with descriptive warnings for malformed call signs
  • Enhanced ESLint rules: complexity limits, best practices enforcement (20+ new rules)

API Extensions

  • New data-css-path attribute for custom stylesheet location
  • CSS custom properties for theming: 
    call-sign {
  --cs-border-color: #007acc;
  --cs-background-color: #e0f0ff;
}

Before/After

// Before: Dangerous innerHTML manipulation
static searchCallsigns() {
  let html = document.body.innerHTML;
  while ((match = html.match(SEARCH_REGEX)) !== null) {
    html = html.replace(match[1], '<call-sign>' + match[1] + '</call-sign>');
  }
  document.body.innerHTML = html;  // ⚠️ XSS risk, breaks event listeners
}

// After: Safe DOM manipulation
static searchCallsigns() {
  const walker = document.createTreeWalker(
    document.body,
    NodeFilter.SHOW_TEXT,
    { acceptNode(node) { /* filter logic */ } }
  );
  // ... collect nodes, build fragments, replace safely
}

Statistics: 5 files, +250/-51 lines. Backward compatible.

Test Results

Original prompt

Go through the entire codebase and suggest refactoring and other improvements

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI self-assigned this Oct 26, 2025
@phieri
Refactor: Improve code quality, performance, and security
d8f5fbc 
Co-authored-by: phieri <12006381+phieri@users.noreply.github.com>
@phieri phieri marked this pull request as ready for review October 26, 2025 22:02
Copilot AI and others added 2 commits October 26, 2025 22:02
@phieri
Improve CSS maintainability and documentation
c20402b 
Co-authored-by: phieri <12006381+phieri@users.noreply.github.com>
@phieri
Enhance ESLint configuration and apply modern JS patterns
8d5ea3e 
Co-authored-by: phieri <12006381+phieri@users.noreply.github.com>
Copilot AI changed the title [WIP] Suggest refactoring and improvement for codebase Refactor callsign.js: eliminate XSS vulnerability, modernize codebase Oct 26, 2025
Copilot AI requested a review from phieri October 26, 2025 22:08
@phieri phieri merged commit d296c5a into main Oct 26, 2025
3 checks passed
@phieri phieri deleted the copilot/suggest-code-refactoring branch October 26, 2025 22:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@phieri phieri Awaiting requested review from phieri

Assignees

@phieri phieri

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@phieri