Area: Admin plane (audit p12) · Surface: /admin/learn/paths/{id}/edit · Dimension: native-dialogs · Severity: major
The path-item delete uses a native browser confirm(), which is on the banned list. It looks like malware, ignores the site theme, and is the lone holdout in an admin where every other destructive action already uses the data-confirm/App.modal pattern.
Evidence
platform/templates/learn/admin/paths/edit.php:153-154 — `<form ... action="/admin/learn/paths/<?= $pid ?>/items/<?= (int) $it['id'] ?>/delete" ... onsubmit="return confirm('Remove this item from the path?');">`. Native confirm()/alert()/prompt() are explicitly banned (use App.modal/data-confirm). Every OTHER delete in the same admin uses data-confirm (e.g. platform/templates/learn/admin/courses/modules/edit.php:88 `data-confirm="Delete module ..."`, questions/edit.php:14, team.php:63). The global handler exists and works: platform/public/js/app.min.js:49 `document.addEventListener('click',function(e){var btn=e.target.closest('[data-confirm]');...App.modal.confirm('Confirm',message,...)})`.
Suggested fix. Remove the onsubmit="return confirm(...)" and add data-confirm="Remove this item from the path?" to the <form>, matching the pattern already used in modules/edit.php, questions/edit.php, and team.php.
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus
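A regression check for the banned list described in this finding, as an added example that is not part of the original report or the project's code: it scans template source for native confirm()/alert()/prompt() calls in inline on* handlers and script blocks, while leaving App.modal.confirm and data-confirm alone. The function names, the sample template, its method="post" attributes, the /admin/example/delete route and the callback argument are constructed for illustration.

```javascript
// Added example: flag native confirm()/alert()/prompt() in template source.
// The regexes are a lint-level heuristic, not a full HTML/JS parser.
const NATIVE_DIALOG = /(?<![.\w$])(?:window\.)?(confirm|alert|prompt)\s*\(/g;
const INLINE_HANDLER = /\bon[a-z]+\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
const SCRIPT_BLOCK = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;

// 1-based line number of a character offset in the source.
function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

function findNativeDialogs(source) {
  const findings = [];
  const scan = (code, offset, where) => {
    for (const m of code.matchAll(NATIVE_DIALOG)) {
      findings.push({ line: lineOf(source, offset + m.index), call: m[1], where });
    }
  };
  // Inline handlers such as onsubmit="return confirm(...)".
  for (const m of source.matchAll(INLINE_HANDLER)) {
    const value = m[1] ?? m[2];
    scan(value, m.index + m[0].length - value.length - 1, 'inline-handler');
  }
  // Script bodies; method calls like App.modal.confirm(...) are skipped
  // because the lookbehind rejects a preceding "." or identifier character.
  for (const m of source.matchAll(SCRIPT_BLOCK)) {
    scan(m[1], m.index + m[0].indexOf('>') + 1, 'script');
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample: the form from this finding plus the approved pattern.
const SAMPLE = `<form method="post" action="/admin/learn/paths/<?= $pid ?>/items/<?= (int) $it['id'] ?>/delete"
      onsubmit="return confirm('Remove this item from the path?');">
  <button type="submit">Remove</button>
</form>
<form method="post" action="/admin/example/delete" data-confirm="Delete this example?">
  <button type="submit">Delete</button>
</form>
<script>App.modal.confirm('Confirm', 'Delete this example?', function () {});</script>`;

console.log(findNativeDialogs(SAMPLE));
```

Run over every template in CI, a non-empty result means a native dialog has been reintroduced.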