Dashboard: javascript: URL XSS + credential exposure in auth table + double-fetch race #252
Description
Bug 1: Stored XSS via javascript: URL
File: `dashboard/src/main.js`, lines 252 and 294
`window.open(item.source_url, '_blank')` — `source_url` is user-supplied with no scheme validation. A `javascript:alert(1)` URL executes code on click.
Fix: Validate URL scheme: `if (/^https?:\/\//i.test(url)) window.open(url, '_blank')`
Bug 2: Credential exposure in settings table
File: `dashboard/src/main.js`, lines 883-884
Auth table renders full credential values in plain text and in the `title` tooltip, defeating the purpose of password-type inputs for secret fields.
Fix: Mask credentials in display: `token: ••••xxxx`
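One way to implement the masking suggested above, as an added example rather than code from the dashboard itself. It assumes the settings table is built from `(field, value)` pairs; `SECRET_FIELD`, `maskSecret` and `displayValue` are hypothetical names. The point is that the masked string is used for both the cell text and the `title` tooltip, so neither surface carries the full credential.

```javascript
// Field names that hold credentials and must never be rendered in full.
// Constructed pattern for this example; adjust to the dashboard's real field set.
const SECRET_FIELD = /token|password|secret|key/i;

// Return a display form of a secret: a fixed mask followed by the last
// `visible` characters, enough for a user to recognise which key is set.
function maskSecret(value, visible = 4) {
  if (typeof value !== 'string' || value.length === 0) return '';
  // A suffix of a very short secret would reveal all of it: mask it entirely.
  if (value.length <= visible) return '••••';
  return '••••' + value.slice(-visible);
}

// Properties for the value cell of one settings row. Both the visible text
// and the tooltip get the masked form when the field is a credential.
function displayValue(field, value) {
  const text = SECRET_FIELD.test(field)
    ? maskSecret(value)
    : String(value ?? '');
  return { text, title: text };
}

// Example: rendering a constructed settings object into rows. Only the
// returned cell properties are needed; attaching them to DOM nodes is the
// same `textContent = text; title = title` in the real table code.
function renderRows(settings) {
  return Object.entries(settings).map(([field, value]) => {
    const cell = displayValue(field, value);
    return { field, text: cell.text, title: cell.title };
  });
}
```

Note that the masked suffix is still a few characters of the real secret; four trailing characters is the usual trade-off for recognisability, and the mask length does not have to match the secret's length (a constant `••••` avoids leaking it).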
Bug 3: Double extension auth fetch with wrong property names
File: `dashboard/src/main.js`, lines 27-55
`getAuthFromExtension()` is called twice. The second call (line 51) uses `extAuth.authToken` / `extAuth.authUser` but the function returns `{ token, user }`. If the second path executes, auth is set to `undefined`.
Fix: Use consistent property names: `setAuth(extAuth.token, extAuth.user)`
Bug 4: `new URL()` crash on malformed source_url
File: `dashboard/src/main.js`, line 280
`new URL(item.source_url)` throws if the URL is malformed, crashing the entire items list rendering.
Fix: Wrap in try/catch with a fallback.
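Bugs 1 and 4 both come from trusting `item.source_url` as-is, so a single helper can address both: parse the value once inside try/catch (returning `null` instead of throwing, so one malformed item cannot break list rendering) and only accept an `http:` or `https:` scheme before the URL is opened or displayed. The code below is an added example, not the dashboard's own; `safeHttpUrl`, `sourceLabel` and `openSource` are hypothetical names, and the `opener` parameter exists so the decision logic can be exercised outside a browser. Checking `parsed.protocol` after `new URL()` is more robust than a regex on the raw string because the parser normalises case and strips leading whitespace for you.

```javascript
// Schemes the dashboard is willing to open or link to. Everything else,
// including javascript:, data: and vbscript:, is rejected.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Parse an untrusted source_url. Returns a URL object for an http(s) URL,
// or null if the value is malformed or uses any other scheme.
function safeHttpUrl(raw) {
  if (typeof raw !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return null; // malformed input: fall back rather than throw
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed : null;
}

// Text for the source column: the hostname, or a fixed fallback label when the
// URL cannot be used (this is the try/catch + fallback suggested for Bug 4).
function sourceLabel(raw) {
  const u = safeHttpUrl(raw);
  return u ? u.hostname : '(invalid source)';
}

// Open a validated URL in a new tab. `opener` defaults to window.open in a
// browser; passing a function lets the logic run in Node. Returns true only
// when a window was actually opened.
function openSource(raw, opener = undefined) {
  const open = opener
    || (typeof window !== 'undefined' ? window.open.bind(window) : null);
  const u = safeHttpUrl(raw);
  if (!u || !open) return false;
  // noopener prevents the opened page from reaching back to the dashboard
  // via window.opener; noreferrer avoids leaking the dashboard URL.
  open(u.href, '_blank', 'noopener,noreferrer');
  return true;
}

// Constructed sample items illustrating the three cases the list must survive.
const SAMPLE_ITEMS = [
  { id: 1, source_url: 'https://example.com/feed/1' },
  { id: 2, source_url: 'javascript:alert(1)' },
  { id: 3, source_url: 'not a url' },
];

// Render the label for every item without any of them throwing.
function renderSourceLabels(items) {
  return items.map((item) => sourceLabel(item.source_url));
}
```

In the click handler, replace the bare `window.open(item.source_url, '_blank')` with a call to `openSource(item.source_url)`; a `false` return means the link was rejected and can be reported to the user instead of silently doing nothing.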