Skip to content

Harden registration system: XSS-safe DOM, email normalization, instanceof guard#3

Merged
mrobardsKO merged 2 commits intoaccelerate-with-copilotfrom
copilot/sub-pr-2
Mar 4, 2026
Merged

Harden registration system: XSS-safe DOM, email normalization, instanceof guard#3
mrobardsKO merged 2 commits intoaccelerate-with-copilotfrom
copilot/sub-pr-2

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Mar 4, 2026
edited
Loading

Addresses three security/correctness issues flagged in review: unsafe HTML interpolation in the activity card renderer, missing type guard before closest(), and email inputs accepted without normalization (enabling duplicate-bypass via case or whitespace).

Changes

src/static/app.js

  • Replaced innerHTML string interpolation with DOM API construction (createElement, textContent, dataset) throughout the activity card renderer — eliminates stored XSS and attribute injection vectors
  • Added instanceof Element guard on event.target before calling .closest() in the unregister click handler
const target = event.target;
if (!(target instanceof Element)) return;
const removeButton = target.closest(".participant-remove-btn");

src/app.py

  • Normalize email with .strip().lower() in both signup_for_activity and unregister_from_activity before membership checks or storage, preventing case/whitespace bypass
email = email.strip().lower()
if email in activity["participants"]:
    raise HTTPException(status_code=400, detail="Student already signed up")

tests/test_app.py

  • Added tests covering: mixed-case email stored as lowercase, case-insensitive duplicate rejection, and case-insensitive unregister

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI mentioned this pull request Mar 4, 2026
Merged
@mrobardsKO
Apply review feedback: instanceof Element guard in app.js, email norm…
a65d6b1 
…alization in app.py

Co-authored-by: mrobardsKO <113369208+mrobardsKO@users.noreply.github.com>
Copilot AI changed the title [WIP] Improve student activity registration system Harden registration system: XSS-safe DOM, email normalization, instanceof guard Mar 4, 2026
@mrobardsKO mrobardsKO marked this pull request as ready for review March 4, 2026 17:41
@mrobardsKO mrobardsKO self-requested a review March 4, 2026 17:42
@mrobardsKO mrobardsKO merged commit 16ef413 into accelerate-with-copilot Mar 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@mrobardsKO mrobardsKO mrobardsKO approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@mrobardsKO mrobardsKO

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mrobardsKO