fix(ui): jsAttrEsc for inline onclick handlers — apostrophe in product_name broke SKU mapping modal

HTML parser decodes ' back to ' inside onclick="..." before the JS parser
runs, so esc() left inline handlers vulnerable: product names containing an
apostrophe terminated the JS string literal ("missing ) after argument list").

New jsAttrEsc() escapes for JS-string-inside-HTML-attribute (\\, ', \n first;
then &, ", <, >). Applied to all inline onclick sites that interpolate
user-controlled sku/product_name/codmat: shared.js detail modal (lines
879/939), missing_skus.html (4 sites), mappings.js (3 sites).

Cache-bust: shared.js v49→50, mappings.js v17→18.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Claude Agent
2026-05-25 14:07:17 +00:00
parent 32974e3b85
commit a530ebfaff
5 changed files with 28 additions and 11 deletions
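The two-layer escaping discipline the commit message describes, as an added example that is not the project's code: `esc` and `jsAttrEsc` are assumed bodies matching the behaviour the message attributes to them, and `htmlAttrDecode`/`handlerSource`/`argSeen` are a constructed model of the browser decoding the attribute before the JS parser sees it.

```javascript
// Plain HTML-attribute escaping, as the pre-fix esc() is described: it handles
// HTML metacharacters only, so an apostrophe becomes an entity that the HTML
// parser decodes right back before the JS parser runs. (Assumed body.)
function esc(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Two-layer escaping: JS-string escapes first, then HTML-attribute escapes.
// Order matters: HTML-encoding the backslash output of step 1 is harmless,
// whereas HTML-encoding first leaves the apostrophe to be decoded back by the
// HTML parser and then terminate the JS string literal. (Assumed body.)
function jsAttrEsc(s) {
  return String(s)
    .replace(/\\/g, "\\\\")
    .replace(/'/g, "\\'")
    .replace(/\n/g, "\\n")
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Minimal model of the browser decoding an attribute value's character
// references; &amp; is decoded last so it cannot re-expand other entities.
function htmlAttrDecode(v) {
  return v
    .replace(/&#39;/g, "'")
    .replace(/&quot;/g, '"')
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// The handler source the JS parser actually receives for onclick="openSku('...')".
function handlerSource(escaper, value) {
  return htmlAttrDecode("openSku('" + escaper(value) + "')");
}

// Parse and run that source with a stand-in openSku that returns its argument.
// Returns the value openSku received, or null if the literal was broken
// (the "missing ) after argument list" SyntaxError from the commit message).
function argSeen(escaper, value) {
  try {
    return new Function("openSku", "return " + handlerSource(escaper, value))(function (a) { return a; });
  } catch (e) {
    return null;
  }
}
```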


@@ -169,7 +169,7 @@
<script>window.ROOT_PATH = "{{ rp }}";</script>
<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/js/bootstrap.bundle.min.js"></script>
<script src="{{ rp }}/static/js/shared.js?v=49"></script>
<script src="{{ rp }}/static/js/shared.js?v=50"></script>
<script>
// Dark mode toggle
function toggleDarkMode() {
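Review bot: The only change in this hunk is the shared.js cache-bust `?v=49` to `?v=50`, which matches the commit message; the message also bumps mappings.js v17 to v18, so confirm the template that loads mappings.js carries the matching query-string change, since it is not visible in this hunk. Also visible in the unchanged context: the Bootstrap bundle is loaded from cdn.jsdelivr.net without `integrity`/`crossorigin` attributes, so a Subresource Integrity hash for that `<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/...">` line would be a worthwhile follow-up on a page that builds inline handlers from user-controlled data.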