Commit Graph

4 Commits

Author SHA1 Message Date
Maxim Dolgolyov 192055dc0f style(admin/gam): CSS classes instead of inline styles, no emoji
- gam-award-grid/gam-reset-grid: CSS Grid, responsive at 800px
- gam-user-col/filter/select: unified styles from the design system
- gam-preset/gam-reason-tag: via CSS classes, no inline styles
- gam-num-input: Unbounded font, center-aligned
- gam-award-footer + gam-reset-warning as separate blocks
- removed all emoji; presets are reset via gamSetXP/gamSetCoins

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 08:13:56 +03:00
Maxim Dolgolyov ec8403e26c feat(admin/gam): reworked the XP/coins award form
- select with the full user list + filter by name (instead of typeahead)
- XP presets (0/10/25/50/100/250) and coin presets (0/10/25/50) with the active one highlighted
- reason presets (buttons) + a field for a custom reason
- fix: xp/coins are now Number(value) without || 0; a value of 0 is not awarded
- the progress-reset form is also a select from the same user cache

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 08:11:19 +03:00
Maxim Dolgolyov bf70c3d7d7 fix(admin-redesign): security — stored XSS via user name in onclick
Security review caught: per-row hover actions (users.js) and async
user picker (shop.js, gam.js) interpolated user-controlled name into
JS string literals inside onclick. LS.esc() escapes & < > " but
NOT backslash; the .replace(/'/g, '\'') fallback was broken.

Attack: any authenticated user could set their name to

  a\'); alert(1); //

via PATCH /api/auth/profile (stripTags doesn't strip \) — admin
viewing the users/shop/gam picker would execute arbitrary JS.

Fix: switch from JS-string interpolation to data-uid/data-name
attributes, read via dataset in handler. esc() correctly escapes
for HTML-attribute context; dataset returns the raw string with
zero parse re-entry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-17 00:30:34 +03:00
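The pattern described in the commit above, reproduced as an added example that is not code from this repository: a backslash-blind escaper feeding a JS string literal inside onclick, the payload from the message, and the data-attribute fix read back as raw text. `esc()` models the described behaviour of LS.esc() (escapes & < > " but not backslash); `quoteEsc()` is an assumed reconstruction of the broken fallback (' becomes \'); `openUser`, `renderRowVulnerable`, `renderRowFixed`, `attr()` and the user object shape are assumptions, and `attr()`/`decodeAttr()` stand in for the browser's attribute decoding so the example runs in Node.

```javascript
// Added example, not the project's code. Assumed model of LS.esc():
// HTML-attribute escaping, backslash left untouched.
function esc(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Assumed reconstruction of the broken fallback: ' -> \' but backslash alone,
// so a user-supplied \ before the quote neutralises the escaping backslash.
function quoteEsc(s) {
  return String(s).replace(/'/g, "\\'");
}

// Before the fix: the name is interpolated into a JS string literal in onclick.
function renderRowVulnerable(user) {
  return `<button onclick="openUser(${user.id}, '${esc(quoteEsc(user.name))}')">open</button>`;
}

// After the fix: the name sits in a data attribute, escaped for attribute context.
function renderRowFixed(user) {
  return `<button class="js-open" data-uid="${esc(user.id)}" data-name="${esc(user.name)}">open</button>`;
}

// Minimal model of browser attribute-value decoding for the entities esc() emits
// (&amp; last, so decoded text is not re-decoded).
function decodeAttr(v) {
  return v.replace(/&quot;/g, '"').replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Stand-in for the DOM: pull one attribute's decoded value out of the markup.
function attr(html, name) {
  const m = html.match(new RegExp(`\\b${name}="([^"]*)"`));
  return m ? decodeAttr(m[1]) : null;
}

// Clicking the vulnerable button: the browser hands the decoded onclick text
// to the JS parser, which is what new Function does here. Returns the calls made.
function clickVulnerable(html) {
  const calls = [];
  const openUser = (id, name) => calls.push(['openUser', id, name]);
  const alert = (x) => calls.push(['alert', x]);
  new Function('openUser', 'alert', attr(html, 'onclick'))(openUser, alert);
  return calls;
}

// The fixed delegated handler: read the dataset values, never re-parse them as JS.
function clickFixed(html) {
  return [['openUser', Number(attr(html, 'data-uid')), attr(html, 'data-name')]];
}

// Constructed payload from the commit message: a\'); alert(1); //
const EVIL_NAME = "a\\'); alert(1); //";

// Run both renderers against the same malicious user and report what executed.
function demo() {
  const user = { id: 7, name: EVIL_NAME };
  return {
    vulnerable: clickVulnerable(renderRowVulnerable(user)), // openUser(7,'a\') then alert(1)
    fixed: clickFixed(renderRowFixed(user)),                // openUser(7, raw name) only
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the vulnerable path the literal closes at the attacker's `\\'` and the rest of the name becomes code; in the fixed path the same bytes come back from the attribute exactly as stored, because attribute decoding is the only parse step and esc() covers that context.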
Maxim Dolgolyov 92030b462c feat(admin): phase 2 — split admin.js into 13 section modules
Replace ~3500L admin.js monolith with thin orchestrator (~700L) +
14 IIFE-wrapped per-section modules under /js/admin/sections/.

Section modules expose AdminSections.<name>.init/reload (lazy init via
switchTab/router) and re-expose onclick handlers via window.X for
backward compat. Shared helpers (MODES/DIFFS, fmtDate, pctClass,
renderMath, qTypeBadge, pagination) live in /js/admin/_shared.js
exposed on window.AdminCtx.

switchTab now dispatches to AdminSections via ROUTE_TO_SECTION map;
non-extracted system tabs (topics/audit/errors/health/classroom/avatars)
remain inline in admin.js. user-panel overlay markup untouched — Phase 6
will remove it.
2026-05-16 22:50:14 +03:00