From fb4360bbf19a22cbbcc679ad026c5ed3f2080e5e Mon Sep 17 00:00:00 2001
From: 0902young <0902songyang@gmail.com>
Date: Sat, 2 May 2026 14:13:27 +0800
Subject: [PATCH] Update budget.js
Fixed the cross-site scripting (XSS) vulnerability.
---
budget.js | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/budget.js b/budget.js
index 24651d7..274941c 100644
--- a/budget.js
+++ b/budget.js
@@ -148,15 +148,23 @@ function updateUI() {
}
function showEntry(list, type, title, amount, id) {
- const entry = `
- ${title} : $${amount}
-
-
- `;
- const position = "afterbegin";
- list.insertAdjacentHTML(position, entry);
-}
+ const li = document.createElement("li");
+ li.id = id;
+ li.className = type;
+
+ const entryDiv = document.createElement("div");
+ entryDiv.className = "entry";
+ entryDiv.textContent = `${title} : $${amount}`; // 安全!
+
+ const editDiv = document.createElement("div");
+ editDiv.id = "edit";
+ const deleteDiv = document.createElement("div");
+ deleteDiv.id = "delete";
+
+ li.append(entryDiv, editDiv, deleteDiv);
+ list.insertAdjacentElement("afterbegin", li);
+}
function clearElement(elements) {
elements.forEach((element) => {
element.innerHTML = "";
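Review bot: The trailing comment on the `entryDiv.textContent` line (`// 安全!`, i.e. "safe!") does not say why the assignment is safe, so a later edit could switch back to an HTML sink without noticing; I would replace it with `// textContent inserts title/amount as plain text, so markup in user input is never parsed`. A one-line comment above `showEntry` stating that entries must be built with DOM APIs rather than `insertAdjacentHTML`/`innerHTML` would record the intent of the fix. Separately, `editDiv.id = "edit"` and `deleteDiv.id = "delete"` give every list item the same two ids; this may simply mirror the removed template, whose markup is not visible here, but `className` would be the valid choice if the click handler can be changed along with it. `clearElement` continues past the end of the hunk; its `innerHTML = ""` only clears content and is not an injection sink.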