
fix: render user-controlled names via textContent instead of innerHTM…#251

Open
Tamcodes4 wants to merge 1 commit into codepvg:main from Tamcodes4:feature/fix-xss-username-rendering

Conversation

@Tamcodes4 (Contributor)

Description

This PR fixes a DOM-based XSS vulnerability caused by rendering user-controlled display names with innerHTML in the leaderboard.

The vulnerable rendering paths have been replaced with safe DOM construction using textContent, createTextNode, and createElement, preventing HTML or JavaScript supplied through user names from being interpreted by the browser.

As a defense-in-depth measure, a maxlength="100" attribute has also been added to the Full Name field on the registration form.

Linked Issue

Fixes #237

Changes Made

  • Replaced unsafe innerHTML interpolation in the floating compare bar with safe DOM node construction.
  • Rebuilt the comparison table using createElement and textContent instead of generating HTML strings.
  • Replaced dynamic HTML generation in the recent changes panel with safe DOM APIs and DocumentFragment.
  • Added maxlength="100" to the registration form's Full Name field as an additional client-side safeguard.

Type of Change

  • Bug fix
  • New feature
  • UI/Visual update
  • Documentation update
  • Refactor

Testing

  • Tested locally
  • Tested on mobile viewport (if applicable)
  • No console errors introduced

Manual verification

Verified locally using HTML/JavaScript payloads such as:

  • <img src=x onerror=alert("XSS")>
  • <script>alert("XSS")</script>
  • <b>Bold User</b>

Confirmed that these payloads are rendered as plain text (not interpreted as HTML) in:

  • Floating compare bar
  • Comparison table headers
  • Recent changes modal

No JavaScript execution or alert dialogs occurred.

Checklist

  • My code follows the project's coding style
  • I have formatted my code locally by running npx prettier --write . before submitting
  • I am submitting my PR from a dedicated feature/* branch, not the main branch
  • I have performed a self-review of my code
  • My changes generate no new warnings or errors
  • I have updated documentation if required
  • I have linked the relevant issue

Screenshots

Not applicable.
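The two rendering patterns the description contrasts, as an added example (not code from this repository or from the PR author): the innerHTML string interpolation the PR removes, beside the createElement/textContent/DocumentFragment construction it introduces. The app's actual function names are not on the page, so `renderCompareBarUnsafe` and `renderCompareBarSafe` are hypothetical. A minimal DOM stand-in is constructed so the example runs under Node; in the browser the same two renderers work against the real `document`, since they only use `createElement`, `createTextNode`, `createDocumentFragment`, `setAttribute`, `appendChild`, `textContent` and `innerHTML`.

```javascript
// Minimal DOM stand-in, constructed for this example. It models the property
// that matters: a text node's data is never parsed as markup, whereas the
// innerHTML sink parses its input into elements, attributes included.
class FakeNode {
  constructor(nodeName, data = null) {
    this.nodeName = nodeName;
    this.data = data; // set only for '#text' nodes
    this.attributes = {};
    this.childNodes = [];
  }
  appendChild(child) {
    if (child.nodeName === '#fragment') {
      this.childNodes.push(...child.childNodes); // a fragment's children move
      child.childNodes = [];
    } else {
      this.childNodes.push(child);
    }
    return child;
  }
  setAttribute(name, value) {
    this.attributes[name] = value;
  }
  set textContent(value) {
    // The value becomes a single text node, whatever characters it contains.
    this.childNodes = [new FakeNode('#text', String(value))];
  }
  // Flat parse (no nesting) of start tags and their attributes: enough to show
  // that markup reaching this sink becomes elements with live attributes.
  set innerHTML(markup) {
    this.childNodes = [];
    const tagRe = /<([a-zA-Z][\w-]*)([^>]*)>/g;
    const attrRe = /([\w-]+)(?:=("[^"]*"|'[^']*'|[^\s>]+))?/g;
    let last = 0;
    for (const m of markup.matchAll(tagRe)) {
      if (m.index > last) this.childNodes.push(new FakeNode('#text', markup.slice(last, m.index)));
      const el = new FakeNode(m[1].toUpperCase());
      for (const a of m[2].matchAll(attrRe)) el.attributes[a[1]] = (a[2] || '').replace(/^['"]|['"]$/g, '');
      this.childNodes.push(el);
      last = m.index + m[0].length;
    }
    if (last < markup.length) this.childNodes.push(new FakeNode('#text', markup.slice(last)));
  }
}
const fakeDocument = {
  createElement: (tag) => new FakeNode(tag.toUpperCase()),
  createTextNode: (data) => new FakeNode('#text', String(data)),
  createDocumentFragment: () => new FakeNode('#fragment'),
};

// Vulnerable pattern (the 'before' of the fix): user-controlled names are
// interpolated into an HTML string and handed to innerHTML.
function renderCompareBarUnsafe(doc, names) {
  const bar = doc.createElement('div');
  bar.innerHTML = names.map((n) => `<span class="name">${n}</span>`).join(' vs ');
  return bar;
}

// Hardened pattern (the 'after'): structure comes from createElement, the
// name only ever lands in a text node, and the pieces are batched in a fragment.
function renderCompareBarSafe(doc, names) {
  const bar = doc.createElement('div');
  const frag = doc.createDocumentFragment();
  names.forEach((n, i) => {
    if (i > 0) frag.appendChild(doc.createTextNode(' vs '));
    const span = doc.createElement('span');
    span.setAttribute('class', 'name');
    span.textContent = n; // never parsed as HTML
    frag.appendChild(span);
  });
  bar.appendChild(frag);
  return bar;
}

// Detection helper for the example: which nodes ended up carrying on* event
// handler attributes, i.e. script that the browser would execute.
function listEventHandlerAttributes(node, out = []) {
  for (const name of Object.keys(node.attributes)) {
    if (name.toLowerCase().startsWith('on')) out.push(`${node.nodeName}.${name}`);
  }
  node.childNodes.forEach((c) => listEventHandlerAttributes(c, out));
  return out;
}

// Serializer for the example; text node data is escaped, as a browser would.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function serialize(node) {
  if (node.nodeName === '#text') return escapeText(node.data);
  const attrs = Object.entries(node.attributes).map(([k, v]) => ` ${k}="${v}"`).join('');
  const inner = node.childNodes.map(serialize).join('');
  if (node.nodeName === '#fragment') return inner;
  const tag = node.nodeName.toLowerCase();
  return `<${tag}${attrs}>${inner}</${tag}>`;
}

// One of the payloads listed in the PR's manual verification section.
const payload = '<img src=x onerror=alert("XSS")>';
console.log(listEventHandlerAttributes(renderCompareBarUnsafe(fakeDocument, ['Alice', payload])));
console.log(serialize(renderCompareBarSafe(fakeDocument, ['Alice', payload])));
```

With the unsafe renderer the payload yields an IMG element carrying an onerror attribute; with the safe renderer it is a text node inside the span and serializes as escaped text, which is the behaviour the PR reports seeing in the compare bar, the comparison table headers and the recent changes modal.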

@github-actions (Contributor)

Thank you for submitting a pull request.

Please ensure your changes comply with the project's contribution guidelines and that all workflow checks pass successfully.

Formatting and Branching

  • Please confirm you have formatted your code locally using npx prettier --write ., or you can simply comment /format on this PR to have our bot do it for you!
  • Ensure this PR is made from a feature/* branch and not main.

Note: This project is currently maintained by a solo maintainer, so reviews and responses may sometimes take a little time. Thanks for your patience.

@Tamcodes4 (Contributor, Author)

Hey @jagdish-15, kindly review this PR.


Development

Successfully merging this pull request may close these issues.

[SECURITY] Stored XSS via unsanitized "Full Name" field in registration form

1 participant