Reviewed the 5 changed files (diff vs origin/dev). This is a sizeable, well-structured feature (status/QR, group creation, broadcasts, polls, scheduling, templates, failed-job retries, and a member reconciliation audit). The code is readable and consistent. Below are the issues I found, ordered by severity.
🔴 High — Stored XSS via un-escaped backend data
Several render paths inject server-derived strings straight into innerHTML without escaping. WhatsApp group names and member names are user-controllable, so this is a realistic stored-XSS vector in the admin console.
admin/whatsapp/messages.js:211-215 — resolvedName and targetJid are interpolated raw. (Note textContent on line 282 is escaped, so the helper is clearly available — just not applied here.)
admin/whatsapp/messages.js:811-831 — populateFailedJobsTable injects job.action, job.groupJid, job.phone, and job.payload.name raw, and also drops job.error into a title="..." attribute unescaped.
admin/whatsapp/whatsapp.js:207, 260 — utsav.name / shibir.name injected raw into the row.
admin/whatsapp/whatsapp.js:182-183, 235-236 — jid injected raw into <code> and into both the onclick="copyToClipboard('${jid}')" arg and href="messages.html?jid=${jid}".
You already have escapeHtml() in messages.js — wrap these values with it (and encodeURIComponent for the href JID). Consider exporting one shared escapeHtml/showToast rather than the two copies.
admin/whatsapp/messages.js:1219 — same for 'remove'
A perfectly ordinary name like O'Brien will break the handler (and is another injection path). Prefer attaching listeners via addEventListener with the value stored in a data-* attribute, or at minimum JSON-encode + escape the arguments. The raw +${m.phone} cells should also be escaped.
loadEvents loses role flags on reload — admin/whatsapp/whatsapp.js:304 calls setTimeout(loadEvents, 5000) with no args, so it defaults showUtsav/showShibir to true and re-fetches resources a restricted admin can't access (e.g. a utsavAdmin will trigger the Shibir fetch). Capture the flags and pass them through, e.g. setTimeout(() => loadEvents(showUtsav, showShibir), 5000).
Malformed SVG in the Create-Group button — whatsapp.js:200 and :253: <line x1="23" y1="11" x2="17" y2="11"></svg> is missing the </line> close before </svg>. Browsers tolerate it, but it's a copy-paste slip.
Polling intervals never cleared — messages.js:40 (7s) and whatsapp.js:37 (10s) setIntervals run forever and aren't paused when a modal is open or the tab is hidden. Consider clearInterval on unload / document.hidden checks to avoid redundant fetches.
No 401/auth handling — all fetches surface a generic error on an expired token rather than redirecting to login. Other admin pages may handle this centrally; worth confirming.
Path inconsistency — new files use /sessionstorage.js (absolute) while the rest of the repo (e.g. admin/utsav/index.html) uses ../../sessionstorage.js. Equivalent only if the site is served from domain root; align for consistency.
Duplicated helpers — showToast (and the toast SVGs) are duplicated verbatim across whatsapp.js and messages.js. Extracting to a shared file would cut ~80 lines.
prompt()/confirm() are used for template naming and confirmations — fine for an internal tool, just noting they're blocking and unstyled vs. the otherwise polished UI.
Summary
No blocking logic bugs in the happy path — the queueing/scheduling/audit flows look coherent. The XSS escaping (High) and onclick quoting (Medium) items are the ones worth addressing before merge; the rest are polish. Nice work overall.
Note: I couldn't verify against backend API contracts (endpoints live in a separate repo), so payload-shape assumptions weren't checked.
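The escaping pattern the review asks for, as an added example rather than code from the PR: the raw `innerHTML` row shape beside a hardened version that escapes each value for its context and replaces the inline `onclick` with a `data-*` attribute plus one delegated listener. `escapeHtml`, `renderRowUnsafe`, `renderRowSafe` and `attachCopyHandler` are assumed names, and the member object is constructed for the demo.

```javascript
// Added example, not the PR's own code. Helper names are assumed.
// Escapes the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// "Before": the shape flagged in the review. name/jid come from the backend
// (group and member names are user-controllable) and land in markup, in an
// href, and inside a single-quoted onclick argument with no escaping at all.
function renderRowUnsafe(m) {
  return `<tr><td>${m.name}</td><td><code>${m.jid}</code></td>` +
    `<td><a href="messages.html?jid=${m.jid}">open</a>` +
    `<button onclick="copyToClipboard('${m.jid}')">copy</button></td></tr>`;
}

// "After": HTML-escape for text/attribute context, encodeURIComponent for the
// query-string value (then escape again because it sits in an attribute), and
// carry the JID in data-jid so no value is ever spliced into JavaScript source.
function renderRowSafe(m) {
  const name = escapeHtml(m.name);
  const jidAttr = escapeHtml(m.jid);
  const href = 'messages.html?jid=' + encodeURIComponent(m.jid);
  return `<tr><td>${name}</td><td><code>${jidAttr}</code></td>` +
    `<td><a href="${escapeHtml(href)}">open</a>` +
    `<button class="copy-jid" data-jid="${jidAttr}">copy</button></td></tr>`;
}

// One delegated listener on the table replaces every inline onclick. A name
// like O'Brien can no longer terminate the handler's string literal because
// the value is read from the DOM attribute, not parsed as code.
function attachCopyHandler(table, copyToClipboard) {
  table.addEventListener('click', (ev) => {
    const btn = ev.target.closest('button.copy-jid');
    if (btn) copyToClipboard(btn.dataset.jid);
  });
}

// Constructed sample member: a quote, a tag and an ampersand in the data.
const sampleMember = { name: "O'Brien <b>x</b>", jid: '123@g.us&x=1' };
```

The same `escapeHtml` should wrap `job.error` before it goes into the `title="..."` attribute, since attribute context needs the quote escapes as much as text context does.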
· feat/whatsapp-grp-automation