Potential fix for code scanning alert no. 24: DOM text reinterpreted as HTML

[dmetzner]

Potential fix for https://github.com/Catrobat/Catroweb/security/code-scanning/24

In general, to fix DOM text reinterpreted as HTML issues, ensure that data coming from the DOM (or any untrusted source) is not written back to the DOM via HTML sinks (innerHTML, jQuery .html(), etc.) without proper escaping. For content that should be displayed as plain text (like a filename), use text-only properties (textContent, innerText) or safe APIs that treat it as text, not HTML.

For this concrete case, the best fix is to stop using innerHTML when setting the current file name and instead use textContent. The file parameter is just a file identifier/name that should be displayed as text. Replacing:

document.getElementById('currentFileName').innerHTML = file

with:

document.getElementById('currentFileName').textContent = file

preserves the existing behavior (showing the filename) but prevents any HTML markup or scripts in file from being parsed or executed. No other code changes are necessary in this file: the logic around loading the file content and inserting the fetched HTML into innerLogContainer remains as-is, since that content is presumably server-generated HTML rather than DOM text being “unescaped.”

This change is confined to assets/Admin/SystemManagement/Logs.js at line 93; no new imports or helper methods are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 50.00%. Comparing base (d6e19a2) to head (d61a34c).
⚠️ Report is 2 commits behind head on develop.

Additional details and impacted files

@@              Coverage Diff              @@
##             develop    #6129      +/-   ##
=============================================
- Coverage      50.01%   50.00%   -0.01%     
  Complexity      7481     7481              
=============================================
  Files            722      722              
  Lines          24100    24100              
=============================================
- Hits           12053    12051       -2     
- Misses         12047    12049       +2     

Flag	Coverage Δ
behat	47.70% <ø> (-0.01%)	⬇️
phpunit	10.18% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.