Fix phpcs and semgrep findings in editor files

allanhaggett · claude · allanhaggett · commit acee13effb8b · 2026-02-09T07:21:39.000Z
Remove blank line after opening class brace in external function
classes (Moodle coding standard). Replace innerHTML assignments with
safe DOM API calls (setChildren helper, textContent, createElement)
to eliminate XSS risk flagged by semgrep.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/amd/build/editor.min.js b/amd/build/editor.min.js
@@ -35,6 +35,25 @@ define(['local_githubsync/repository', 'core/notification', 'core/str'], functio
     /** @type {Object} DOM element references */
     var dom = {};
 
+    /**
+     * Safely replace all children of an element.
+     *
+     * @param {HTMLElement} el
+     * @param {Array<HTMLElement|String>} children - DOM nodes or strings (inserted as text)
+     */
+    var setChildren = function(el, children) {
+        while (el.firstChild) {
+            el.removeChild(el.firstChild);
+        }
+        children.forEach(function(child) {
+            if (typeof child === 'string') {
+                el.appendChild(document.createTextNode(child));
+            } else {
+                el.appendChild(child);
+            }
+        });
+    };
+
     /**
      * Check if the editor has unsaved changes.
      *
@@ -243,17 +262,25 @@ define(['local_githubsync/repository', 'core/notification', 'core/str'], functio
      */
     var loadTree = function() {
         Str.get_string('editor_loading', 'local_githubsync').then(function(loadingStr) {
-            dom.tree.innerHTML = '<div class="p-3 text-center text-muted">' +
-                '<div class="spinner-border spinner-border-sm" role="status"></div> ' +
-                loadingStr + '</div>';
+            var wrapper = document.createElement('div');
+            wrapper.className = 'p-3 text-center text-muted';
+            var spinner = document.createElement('div');
+            spinner.className = 'spinner-border spinner-border-sm';
+            spinner.setAttribute('role', 'status');
+            wrapper.appendChild(spinner);
+            wrapper.appendChild(document.createTextNode(' ' + loadingStr));
+            setChildren(dom.tree, [wrapper]);
 
             return Repository.getFileTree(state.courseid);
         }).then(function(result) {
             state.treeData = result.files;
             renderTree();
         }).catch(function(err) {
             Str.get_string('editor_treefailed', 'local_githubsync').then(function(msg) {
-                dom.tree.innerHTML = '<div class="p-3 text-danger">' + msg + '</div>';
+                var errDiv = document.createElement('div');
+                errDiv.className = 'p-3 text-danger';
+                errDiv.textContent = msg;
+                setChildren(dom.tree, [errDiv]);
             });
             Notification.exception(err);
         });
@@ -290,11 +317,14 @@ define(['local_githubsync/repository', 'core/notification', 'core/str'], functio
                     Notification.addNotification({message: conflictMsg, type: 'error'});
                     return Str.get_string('editor_reload', 'local_githubsync');
                 }).then(function(reloadMsg) {
-                    dom.status.innerHTML = '<a href="#" id="githubsync-reload-link">' + reloadMsg + '</a>';
-                    document.getElementById('githubsync-reload-link').addEventListener('click', function(e) {
+                    var link = document.createElement('a');
+                    link.href = '#';
+                    link.textContent = reloadMsg;
+                    link.addEventListener('click', function(e) {
                         e.preventDefault();
                         loadFile(state.currentPath);
                     });
+                    setChildren(dom.status, [link]);
                 });
             } else if (result.success) {
                 state.currentSha = result.newsha;
@@ -313,7 +343,7 @@ define(['local_githubsync/repository', 'core/notification', 'core/str'], functio
         }).then(function() {
             // Restore button regardless of outcome.
             Str.get_string('editor_save', 'local_githubsync').then(function(saveText) {
-                dom.saveBtn.innerHTML = saveText;
+                dom.saveBtn.textContent = saveText;
                 updateSaveButton();
             });
         });
diff --git a/amd/src/editor.js b/amd/src/editor.js
@@ -35,6 +35,25 @@ define(['local_githubsync/repository', 'core/notification', 'core/str'], functio
     /** @type {Object} DOM element references */
     var dom = {};
 
+    /**
+     * Safely replace all children of an element.
+     *
+     * @param {HTMLElement} el
+     * @param {Array<HTMLElement|String>} children - DOM nodes or strings (inserted as text)
+     */
+    var setChildren = function(el, children) {
+        while (el.firstChild) {
+            el.removeChild(el.firstChild);
+        }
+        children.forEach(function(child) {
+            if (typeof child === 'string') {
+                el.appendChild(document.createTextNode(child));
+            } else {
+                el.appendChild(child);
+            }
+        });
+    };
+
     /**
      * Check if the editor has unsaved changes.
      *
@@ -243,17 +262,25 @@ define(['local_githubsync/repository', 'core/notification', 'core/str'], functio
      */
     var loadTree = function() {
         Str.get_string('editor_loading', 'local_githubsync').then(function(loadingStr) {
-            dom.tree.innerHTML = '<div class="p-3 text-center text-muted">' +
-                '<div class="spinner-border spinner-border-sm" role="status"></div> ' +
-                loadingStr + '</div>';
+            var wrapper = document.createElement('div');
+            wrapper.className = 'p-3 text-center text-muted';
+            var spinner = document.createElement('div');
+            spinner.className = 'spinner-border spinner-border-sm';
+            spinner.setAttribute('role', 'status');
+            wrapper.appendChild(spinner);
+            wrapper.appendChild(document.createTextNode(' ' + loadingStr));
+            setChildren(dom.tree, [wrapper]);
 
             return Repository.getFileTree(state.courseid);
         }).then(function(result) {
             state.treeData = result.files;
             renderTree();
         }).catch(function(err) {
             Str.get_string('editor_treefailed', 'local_githubsync').then(function(msg) {
-                dom.tree.innerHTML = '<div class="p-3 text-danger">' + msg + '</div>';
+                var errDiv = document.createElement('div');
+                errDiv.className = 'p-3 text-danger';
+                errDiv.textContent = msg;
+                setChildren(dom.tree, [errDiv]);
             });
             Notification.exception(err);
         });
@@ -290,11 +317,14 @@ define(['local_githubsync/repository', 'core/notification', 'core/str'], functio
                     Notification.addNotification({message: conflictMsg, type: 'error'});
                     return Str.get_string('editor_reload', 'local_githubsync');
                 }).then(function(reloadMsg) {
-                    dom.status.innerHTML = '<a href="#" id="githubsync-reload-link">' + reloadMsg + '</a>';
-                    document.getElementById('githubsync-reload-link').addEventListener('click', function(e) {
+                    var link = document.createElement('a');
+                    link.href = '#';
+                    link.textContent = reloadMsg;
+                    link.addEventListener('click', function(e) {
                         e.preventDefault();
                         loadFile(state.currentPath);
                     });
+                    setChildren(dom.status, [link]);
                 });
             } else if (result.success) {
                 state.currentSha = result.newsha;
@@ -313,7 +343,7 @@ define(['local_githubsync/repository', 'core/notification', 'core/str'], functio
         }).then(function() {
             // Restore button regardless of outcome.
             Str.get_string('editor_save', 'local_githubsync').then(function(saveText) {
-                dom.saveBtn.innerHTML = saveText;
+                dom.saveBtn.textContent = saveText;
                 updateSaveButton();
             });
         });
diff --git a/classes/external/get_file_content.php b/classes/external/get_file_content.php
@@ -31,7 +31,6 @@
  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 class get_file_content extends external_api {
-
     /**
      * Parameters.
      *
diff --git a/classes/external/get_file_tree.php b/classes/external/get_file_tree.php
@@ -32,7 +32,6 @@
  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 class get_file_tree extends external_api {
-
     /** @var array File extensions considered binary */
     private const BINARY_EXTENSIONS = [
         'png', 'jpg', 'jpeg', 'gif', 'bmp', 'ico', 'svg', 'webp',
diff --git a/classes/external/update_file.php b/classes/external/update_file.php
@@ -31,7 +31,6 @@
  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 class update_file extends external_api {
-
     /**
      * Parameters.
      *

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,6 @@`
`31`	`31`	`* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later`
`32`	`32`	`*/`
`33`	`33`	`class get_file_content extends external_api {`
`34`		`-`
`35`	`34`	`/**`
`36`	`35`	`* Parameters.`
`37`	`36`	`*`