- Delete Finder-duplicate artifacts: "webpack.config copy 2.js",
"testQuiz copy.html".
- Delete pre-rewrite orphan
create_quiz_button_grp_original_with_good_reinialization.js.js
(double .js.js extension, zero importers).
- Delete legacy webpack.config.js: not referenced by any npm script or
tooling; the widget has fully migrated to Vite's single-file bundle.
- Delete vite.config.coop.mjs and vite.dev.config.mjs: not referenced
by package.json scripts; COOP/COEP headers are already applied by
the active dev and prod configs.

No functional change; all referenced sources and configs are untouched.

bbe85444 deleted both 'copy_download copy.js' (orphan) and
'copy_download.js' (live import). index.js line 122 imports
initializeAllMessageButtons from this file — restore it.

- showQuizStats.js: add escapeHtml() and sanitize fileName/reason/details
before injecting into verificationModal.innerHTML (XSS: DOM text reinterpreted as HTML)
- injectQuizBtn.js: replace quizTitle string interpolation in innerHTML with
DOM construction (textContent) to prevent XSS (DOM text reinterpreted as HTML)
- highlight_menu.js: fix 'classList.contains === "hidden"' type error —
was comparing function reference to string; now correctly called as
classList.contains("hidden") (comparison between inconvertible types)
- index.html + indexHtml.js: rename malformed space-containing id attributes
'Show answers' -> 'show-answers' and 'Show chain of thought' -> 'show-chain-of-thought'
- settings.js: update three matching string keys to kebab-case to stay in sync
with renamed HTML ids (coordinated rename, no functionality change)
- demo_reference_rendering.html: add safeParseReferences() fallback wrapper,
replace direct parseReferences() call which was undefined in this context
- test_reference_renderer.js: remove parseReferences import (not exported),
rewrite testReferenceParsing() to use processReferences() with HTML output assertions

- XSS: validate URL (same-origin, http/https only) before window.location.href
in streamdown_markdown.js and reference_renderer.js
- XSS: replace tooltip.innerHTML with DOM construction in streamdown_markdown.js
- XSS: sanitize mermaid SVG with DOMPurify in renderMermaid() and at call site
- XSS: sanitize customContainerHtml, mathDiv, and preview.innerHTML with DOMPurify
- XSS: replace button.innerHTML with textContent for question buttons
- XSS: add escapeHtml() for mermaid error messages interpolated into innerHTML
- Add DOMPurify ^3.4.0 to dependencies
- Remove duplicate diagramId assignments in highlight.js and markdown.js
- Remove unused percentLineIndex variable in markdown.js and streamdown_markdown.js
- Remove useless targetElement assignment in streamdown_markdown.js
- chart.js: replace /auto import with tree-shaken named imports in spaced-repetition-stats.js
- Add _comments to package.json documenting bundle size analysis per dependency
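
The same-origin, http/https-only URL check named in the XSS bullet for streamdown_markdown.js and reference_renderer.js could look like the following. This is an added example, not code from these commits or the project; `safeNavigationTarget`, `navigateIfSafe`, `APP_ORIGIN` and the sample inputs are constructed for illustration.

```javascript
// Added illustration; safeNavigationTarget and APP_ORIGIN are hypothetical names.
// In a browser, pass window.location.origin instead of the constructed origin.
const APP_ORIGIN = "https://app.example";

function safeNavigationTarget(raw, appOrigin = APP_ORIGIN) {
  if (typeof raw !== "string" || raw.trim() === "") return null;
  let url;
  try {
    // Parse first, decide second: resolve relative references the way the
    // browser will, so the check sees the URL that would actually be loaded.
    url = new URL(raw, appOrigin);
  } catch {
    return null; // unparsable input is rejected, not passed through
  }
  // Scheme allowlist: drops javascript:, data:, blob: and anything else.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // Origin = scheme + host + port, compared on the parsed result.
  if (url.origin !== new URL(appOrigin).origin) return null;
  return url.href; // normalized form; assign this, never the raw string
}

// Caller pattern: the assignment happens only for a validated target.
function navigateIfSafe(raw, assign, appOrigin = APP_ORIGIN) {
  const target = safeNavigationTarget(raw, appOrigin);
  if (target === null) return false;
  assign(target); // in a browser: (u) => { window.location.href = u; }
  return true;
}

// Constructed inputs covering the cases a string-prefix check gets wrong.
const SAMPLES = [
  "/quiz/42?tab=stats#q3",              // relative, same origin
  "https://app.example:443/a",          // default port normalizes away
  "javascript:alert(1)",                // script scheme
  "//other.example/path",               // protocol-relative, foreign host
  "/\\other.example/path",              // backslash parsed as slash
  "https://app.example@other.example/", // app origin in userinfo only
  "http://app.example/",                // scheme downgrade changes origin
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", safeNavigationTarget(s));
}
```

Only the first two samples return a URL; the rest return `null`, so the caller never reaches the `window.location.href` assignment.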