Potential fix for code scanning alert no. 3: DOM text reinterpreted as HTML

[agoudbg]

Potential fix for https://github.com/nm-Team/WebSite/security/code-scanning/3

Use text insertion instead of HTML insertion for user/DOM-influenced strings.

Best fix in this snippet:

• Replace .html(...) with .text(...) for all .dTip message writes that are plain text.
• Keep empty-clear behavior by using .text("") instead of .html("").

Specifically in src/js/questionnaire.js, update the .dTip writes at:

• lines 5, 9, 17, 21, 25, 29, and 57.

No new imports or helper methods are needed. This preserves functionality (showing validation messages) while preventing HTML interpretation/XSS.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates questionnaire validation message rendering to avoid injecting user/DOM-influenced strings as HTML, addressing code scanning alert #3 (DOM text reinterpreted as HTML / potential XSS).

Changes:

• Replaced .html(...) with .text(...) for .dTip validation message writes.
• Preserved “clear message” behavior by using .text("") instead of .html("").

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[agoudbg]

@copilot 你需要查看实际的问卷列表，来查看当前是否有问卷中有 HTML 结构，因为问卷可能利用了这个方法展示自定义 HTML 内容。

[Copilot]

@copilot 你需要查看实际的问卷列表，来查看当前是否有问卷中有 HTML 结构，因为问卷可能利用了这个方法展示自定义 HTML 内容。

已检查全部 9 个问卷 JSON 文件及模板代码，结论如下：

.dTip 元素仅用于验证提示信息，其内容来源为 questionnaireI18n 的 i18n 本地化字符串（must_input、select_min_limit、select_max_limit），均为纯文本，无 HTML 结构。所有问卷的 .dTip 写入均不依赖问卷 JSON 内容。

部分问卷 JSON 中确实存在 HTML 内容：

• nmfun_bug_report.json 的 description 含 <br> 标签
• product_accessibility_suggestion.json 的 title 含 <br> 及 <script> 标签

但这些内容是通过 PHP 模板的 echo $question->description / echo $question->title（index.php 第 61、64 行）直接输出的，与 .dTip 无关。

因此，将 .dTip 的写入从 .html() 改为 .text() 不会影响任何现有问卷的 HTML 内容展示，修改是安全的。