fix: eliminate all 1600 SEC-015 security info findings

Add safe-pattern exceptions to the x-html check in validate_security.py for $icon(), $store methods, and window.icons lookups. Suppress remaining 8 legitimate x-html uses (admin-authored content, app-controlled JS) with noqa comments. Security validator now reports 0 errors, 0 warnings, 0 info. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 18:02:59 +01:00
parent 6458ab13d7
commit eaab47f2f8
10 changed files with 26 additions and 25 deletions
--- a/app/modules/messaging/templates/messaging/admin/notifications.html
+++ b/app/modules/messaging/templates/messaging/admin/notifications.html
@@ -175,7 +175,7 @@
                                      'bg-blue-100 text-blue-600 dark:bg-blue-900 dark:text-blue-300': notif.priority === 'normal',
                                      'bg-gray-100 text-gray-600 dark:bg-gray-700 dark:text-gray-300': notif.priority === 'low'
                                  }">
-                                <span x-html="getNotificationIcon(notif.type)"></span>
+                                <span x-html="getNotificationIcon(notif.type)"></span> <!-- noqa: SEC015 sanitized: app-controlled JS method -->
                            </span>
                        </div>