Skip to content

Bugfix/ab#31590 notificationsetting js sonar #1925

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
AndreGAot wants to merge 5 commits into
base: dev
Choose a base branch
from
Draft

Bugfix/ab#31590 notificationsetting js sonar #1925

AndreGAot wants to merge 5 commits into from

Conversation

@AndreGAot
Copy link
Contributor

@AndreGAot AndreGAot commented Jan 20, 2026

No description provided.

@AndreGAot AndreGAot marked this pull request as draft January 20, 2026 21:40
@AndreGAot AndreGAot requested a review from Copilot January 20, 2026 21:40
@github-actions
Copy link

github-actions bot commented Jan 20, 2026

🧪 Unit Test Results (Parallel Execution)

Tests

📊 Summary

Result Count
✅ Passed 289
❌ Failed 0
⚠️ Skipped 0

📄 HTML Reports

  • Merged Tests (HTML): Included in artifacts
    Generated automatically by CI.

Copilot AI reviewed Jan 20, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Refactors the Notifications settings JS to address maintainability/complexity concerns (Sonar) while preserving existing notification settings and template-management behavior.

Changes:

  • Reworks initialization to use a single $(function(){ ... }) entrypoint and organizes settings-form change tracking.
  • Extracts many previously-nested functions (template CRUD, editor setup, card event handlers) into standalone helpers to reduce cyclomatic complexity.
  • Rebuilds template card rendering via generateCardHtml() and centralized handler wiring (setupCardEventHandlers).
Comments suppressed due to low confidence (1)

applications/Unity.GrantManager/modules/Unity.Notifications/src/Unity.Notifications.Web/Views/Settings/NotificationsSettingGroup/Default.js:242

  • Template fields are interpolated into attribute values (value="${...}") without escaping. If name/sendFrom/subject contain quotes or markup from the API, this can break the attribute context and enable XSS. Use DOM APIs to set input values (e.g., .val(...)) or escape attribute values before building the HTML string.
                            <label class="form-label">Template Name</label>
                            <input type="text" class="form-control form-input" name="templateName" value="${data?.name || ''}" ${disabled} required>
                        </div>
                        <div class="mb-3">
                            <label class="form-label">Send From</label>
                            <input type="text" class="form-control form-input" name="sendFrom" value="${data?.sendFrom || ''}" ${disabled} required>
                        </div>
                        <div class="mb-3">
                            <label class="form-label">Subject</label>
                            <input type="text" class="form-control form-input" name="subject" value="${data?.subject || ''}" ${disabled} required>

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions
Copy link

github-actions bot commented Jan 20, 2026

🧪 Unit Test Results (Parallel Execution)

Tests

📊 Summary

Result Count
✅ Passed 289
❌ Failed 0
⚠️ Skipped 0

📄 HTML Reports

  • Merged Tests (HTML): Included in artifacts
    Generated automatically by CI.

@github-actions
Copy link

github-actions bot commented Jan 20, 2026

🧪 Unit Test Results (Parallel Execution)

Tests

📊 Summary

Result Count
✅ Passed 289
❌ Failed 0
⚠️ Skipped 0

📄 HTML Reports

  • Merged Tests (HTML): Included in artifacts
    Generated automatically by CI.

@AndreGAot AndreGAot requested a review from Copilot January 20, 2026 23:46
Copilot AI reviewed Jan 20, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

applications/Unity.GrantManager/modules/Unity.Notifications/src/Unity.Notifications.Web/Views/Settings/NotificationsSettingGroup/Default.js:243

  • Template fields from the server (data.name, data.sendFrom, data.subject, etc.) are interpolated directly into HTML (including attribute values) without escaping. If these values can be user-controlled, this enables stored XSS / HTML injection. Use an escaping helper for text/attribute contexts or build the DOM with jQuery and set values via .text() / .val() instead of string concatenation.
        <div class="card mb-3 shadow-sm" id="${elementIds.wrapperId}" data-id="${cardDataId}">
            <div class="card-header d-flex justify-content-between align-items-center">
                <strong class="template-title">${data?.name || 'Untitled Template'}</strong>
                <div class="d-flex align-items-center gap-3">
                    <div class="text-muted small text-end me-3">
                        <div>Type<br /><span class="fw-normal">${displayInfo.type}</span></div>
                    </div>
                    <div class="text-muted small text-end me-3">
                        <div>Last Edited<br /><span class="fw-normal">${displayInfo.lastEdited}</span></div>
                    </div>
                    <button class="btn btn-sm btn-link text-decoration-none" type="button"
                        data-bs-toggle="collapse" data-bs-target="#${elementIds.cardId}" aria-expanded="false"
                        aria-controls="${elementIds.cardId}">
                        <i class="unt-icon-sm fa-solid fa-chevron-down"></i>
                    </button>
                </div>
            </div>
            <div class="collapse" id="${elementIds.cardId}">
                <div class="card-body">
                    <form id="${elementIds.formId}">
                        <div class="mb-3">
                            <label class="form-label">Template Name</label>
                            <input type="text" class="form-control form-input" name="templateName" value="${data?.name || ''}" ${disabled} required>
                        </div>
                        <div class="mb-3">
                            <label class="form-label">Send From</label>
                            <input type="text" class="form-control form-input" name="sendFrom" value="${data?.sendFrom || ''}" ${disabled} required>
                        </div>
                        <div class="mb-3">
                            <label class="form-label">Subject</label>
                            <input type="text" class="form-control form-input" name="subject" value="${data?.subject || ''}" ${disabled} required>

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

...otifications/src/Unity.Notifications.Web/Views/Settings/NotificationsSettingGroup/Default.js Outdated
Comment on lines 332 to 339
$(`#${formId} input[name="templateName"]`).on('input', function () {
const templateInput = $(this);
const newTitle = templateInput.val().trim() || 'Untitled Template';
$(`#${wrapperId} .template-title`).text(newTitle);

checkTemplateNameUnique(newTitle, id, function (isUnique) {
toggleTemplateNameValidation(templateInput, formId, isUnique);
});
Copy link

Copilot AI Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

setupTemplateNameValidation triggers an AJAX uniqueness check on every input event (each keystroke). This can generate a large number of requests and cause UI flicker/out-of-order results. Consider debouncing the call (e.g., 300–500ms) and/or aborting the previous pending request before issuing a new one.

Suggested change
$(`#${formId} input[name="templateName"]`).on('input', function () {
const templateInput = $(this);
const newTitle = templateInput.val().trim() || 'Untitled Template';
$(`#${wrapperId} .template-title`).text(newTitle);
checkTemplateNameUnique(newTitle, id, function (isUnique) {
toggleTemplateNameValidation(templateInput, formId, isUnique);
});
const $templateInput = $(`#${formId} input[name="templateName"]`);
let debounceTimer = null;
let lastRequestedName = null;
$templateInput.on('input', function () {
const templateInput = $(this);
const newTitle = templateInput.val().trim() || 'Untitled Template';
$(`#${wrapperId} .template-title`).text(newTitle);
// Debounce the uniqueness check to avoid excessive AJAX calls.
if (debounceTimer) {
clearTimeout(debounceTimer);
}
debounceTimer = setTimeout(function () {
const nameForRequest = templateInput.val().trim() || 'Untitled Template';
lastRequestedName = nameForRequest;
checkTemplateNameUnique(nameForRequest, id, function (isUnique) {
// Ignore responses for stale values to prevent out-of-order UI updates.
if (nameForRequest !== lastRequestedName) {
return;
}
toggleTemplateNameValidation(templateInput, formId, isUnique);
});
}, 300);

Copilot uses AI. Check for mistakes.
@github-actions
Copy link

github-actions bot commented Jan 21, 2026

🧪 Unit Test Results (Parallel Execution)

Tests

📊 Summary

Result Count
✅ Passed 289
❌ Failed 0
⚠️ Skipped 0

📄 HTML Reports

  • Merged Tests (HTML): Included in artifacts
    Generated automatically by CI.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AndreGAot