fix: add esc() and sanitize app.label in innerHTML

posimai 2026-03-26 14:08:35 +09:00
parent 4dd291a5f8
commit eeaa812aa7
1 changed files with 10 additions and 5 deletions


@ -973,6 +973,11 @@ const CAT_LABELS = {
const CAT_ORDER = ['posimai','sns','media','news','tools','nav','shop'];
// ── HTML エスケープ ─────────────────────────────────────────
function esc(s) {
return String(s ?? '').replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;').replace(/'/g,'&#39;');
}
// ── カスタムアプリ ──────────────────────────────────────────
function loadCustomApps() {
try {
@ -1147,21 +1152,21 @@ function renderApps() {
const isInitial = app.icon === '_initial';
const iconHTML = isInitial
? `<div class="app-initial" style="background:${color}22;color:${color}">${app.label.charAt(0).toUpperCase()}</div>`
: `<i data-lucide="${app.icon}" class="app-icon" style="stroke:${color}"></i>`;
? `<div class="app-initial" style="background:${color}22;color:${color}">${esc(app.label).charAt(0).toUpperCase()}</div>`
: `<i data-lucide="${esc(app.icon)}" class="app-icon" style="stroke:${color}"></i>`;
const delBtn = isCustom
? `<button class="custom-del-btn" data-del-id="${app.id}" aria-label="${app.label}を削除">&#x2715;</button>`
? `<button class="custom-del-btn" data-del-id="${app.id}" aria-label="${esc(app.label)}を削除">&#x2715;</button>`
: '';
return `
<div class="app-item${editCls}${hidden}"
data-id="${app.id}" role="button" tabindex="0"
aria-label="${app.label}"
aria-label="${esc(app.label)}"
style="${bgStyle}">
${delBtn}
${iconHTML}
<span class="app-label">${app.label}</span>
<span class="app-label">${esc(app.label)}</span>
<span class="check-badge" aria-hidden="true"
style="background:${color}">
<i data-lucide="check"