Potential fix for code scanning alert no. 16: DOM text reinterpreted as HTML

[veillette]

Potential fix for https://github.com/veillette/physics-book/security/code-scanning/16

In general, to fix “DOM text reinterpreted as HTML” problems, never assign untrusted strings directly to .innerHTML (or similar HTML-parsing sinks) unless they have been sanitized by a robust HTML sanitizer or you are absolutely sure the string is trusted. Instead, either (a) use .textContent/.innerText so the text is rendered literally, or (b) apply a well-vetted sanitizer before using .innerHTML.

Here, the code appears to be transforming text into a math-friendly form like $\theta_r = \theta_i$. That content should be safe to render as text, and any subsequent math renderer (MathJax/KaTeX) can process it from text nodes. Therefore, the best minimal-impact fix is to stop using innerHTML for caption and title and instead assign to textContent. This preserves all existing functionality except that any HTML markup inside title/data-title will now be escaped and shown literally, which is the safe default.

Concretely:

• In assets/js/book-viewer.js, around lines 272–280, change caption.innerHTML = captionText; to caption.textContent = captionText;.
• Around lines 281–290, change title.innerHTML = titleText; to title.textContent = titleText;.
• No new imports or helper methods are required; .textContent is a standard DOM API and works in place of .innerHTML for plain text.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
physics-book	Ready	Preview, Comment	Jan 8, 2026 5:53am