Fix HIGH-level code scanning alerts: DOM XSS and unvalidated URL redirect

[Copilot]

Two HIGH-severity CodeQL alerts in client-side JavaScript: DOM-based XSS via HTML string concatenation and an unvalidated URL redirect via window.location assignment.

related-modal.js — DOM XSS (js/xss-through-dom)

• Replaced unsafe HTML string concatenation passed to jQuery's $() constructor (which uses innerHTML) with explicit DOM API calls that set attributes directly, eliminating the XSS sink.

// Before — iframeName/iframeSrc flow into innerHTML
const iframeHTML = '<iframe id="related-modal-iframe" name="' + iframeName + '" src="' + iframeSrc + '"></iframe>';
const modalEl = $(modalHTML);

// After — attributes set via DOM API, no HTML parsing
const iframeEl = $('<iframe>').attr({ id: 'related-modal-iframe', name: iframeName, src: iframeSrc });
const modalEl = $('<div>').addClass('related-modal-iframe-container').append(iframeEl);

dropdown-filter.js — Unvalidated URL redirect (js/client-side-unvalidated-url-redirection)

• Added URL validation before window.location assignment to block javascript: and protocol-relative (//evil.com) URLs. Django admin filter values are always query strings (?...) or path-relative (/...), so this is lossless.

// Before
if (value) { window.location = value; }

// After
if (value && (value.startsWith('?') || (value.startsWith('/') && !value.startsWith('//')))) {
    window.location = value;
}

Checklist before requesting a review

• I have performed a self-review of my code.
• I have added tests for the proposed changes.
• I have run the tests and there are not errors.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.48%. Comparing base (361d7a0) to head (00ac26a).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #480   +/-   ##
=======================================
  Coverage   97.48%   97.48%           
=======================================
  Files          40       40           
  Lines         438      438           
=======================================
  Hits          427      427           
  Misses         11       11           

Flag	Coverage Δ
unittests	97.48% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

This PR addresses two HIGH-severity CodeQL findings in the admin UI JavaScript by removing an innerHTML-based DOM XSS sink and adding client-side validation before performing a window.location navigation.

Changes:

• Refactors related-modal iframe creation to avoid HTML string concatenation and jQuery HTML parsing of interpolated content.
• Adds a URL allowlist guard before assigning to window.location from dropdown filter selections.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
admin_interface/static/admin_interface/related-modal/related-modal.js	Builds the modal + iframe via element creation/attribute setting rather than concatenated HTML to remove the DOM XSS sink.
admin_interface/static/admin_interface/dropdown-filter/dropdown-filter.js	Adds a prefix-based allowlist check intended to prevent unsafe client-side redirects.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.