From bd8b53cd6046cef9802d593d8257392d81afb5ce Mon Sep 17 00:00:00 2001
From: Osmium Sorcerer <os@sof.beauty>
Date: Wed, 3 Jun 2026 11:08:07 +0000
Subject: Eliminate innerHTML manipulation

Construct DOM nodes directly instead of trying to sanitize every input
string and dynamically updating HTML.

Replace all uses of innerHTML with textContent, replaceChildren, and
appendChild.

This removes the need to use safeTags and replace newlines, but now
requires preserving whitespace via CSS pre-wrap.

Every OOC chat line is now placed into its own element instead of simply
being appended to the log. This might be worse, and createTextNode
is another alternative.
---
 webAO/master.ts | 36 +++++++++++++++++++++++++++---------
 1 file changed, 27 insertions(+), 9 deletions(-)

(limited to 'webAO/master.ts')

diff --git a/webAO/master.ts b/webAO/master.ts
index b40763d..569795e 100644
--- a/webAO/master.ts
+++ b/webAO/master.ts
@@ -167,13 +167,31 @@ function addServer(server: AOServer) {
 
   servers.push(server);
 
-  document.getElementById("masterlist").innerHTML +=
-    `<details name="servers">` +
-    `<summary><p>${safeTags(server.name)} (${server.players})</p>` +
-    `<a class="button" href="${fullClientJoinURL}" target="_blank">Join</a>` +
-    `<a class="button" href="${fullClientWatchURL}" target="_blank">Watch</a></summary>` +
-    `<p>${safeTags(server.description)}</p>` +
-    `</details>`;
+  const masterlist = document.getElementById("masterlist");
+  const details = document.createElement("details");
+  details.name = "servers";
+  const summary = document.createElement("summary");
+  const title = document.createElement("p");
+  title.textContent = `${server.name} (${server.players})`;
+
+  const join = document.createElement("a");
+  join.className = "button";
+  join.href = fullClientJoinURL;
+  join.target = "_blank";
+  join.textContent = "Join";
+
+  const watch = document.createElement("a");
+  watch.className = "button";
+  watch.href = fullClientWatchURL;
+  watch.target = "_blank";
+  watch.textContent = "Watch";
+
+  summary.append(title, join, watch);
+  const desc = document.createElement("p");
+  desc.className = "server-description";
+  desc.textContent = server.description;
+  details.append(summary, desc);
+  masterlist.appendChild(details);
 }
 
 function processServerlist(serverlist: AOServer[]) {
@@ -196,10 +214,10 @@ async function getMasterVersion(): Promise<string> {
 }
 
 function processClientVersion(data: string) {
-  document.getElementById("clientinfo").innerHTML = `Client version: ${data}`;
+  document.getElementById("clientinfo").textContent = `Client version: ${data}`;
 }
 
 function processMasterVersion(data: string) {
-  document.getElementById("serverinfo").innerHTML =
+  document.getElementById("serverinfo").textContent =
     `Master server version: ${data}`;
 }
-- 
cgit