RSS feed-URL Copy button silently fails with no fallback or toast when clipboard API is unavailable

Area: Account (re-run) (audit p1r) · Surface: /account/rss · Dimension: law1-polish · Severity: minor

The recruit dashboard does this correctly (clipboard with a Promise rejection handler that shows App.toast 'Could not copy — select the link and Ctrl-C'), but the RSS settings copy button uses a fire-and-forget inline onclick that (a) lies by showing 'Copied' even on failure and (b) can throw an uncaught TypeError when navigator.clipboard is missing. The RSS URL contains a private token, so a user who thinks they copied it but didn't will paste an empty/old value into their reader.

Evidence

platform/templates/account/rss.php:34-37: `<button type="button" ... onclick="var el=document.getElementById('rssUrl'); el.select(); navigator.clipboard.writeText(el.value); this.textContent='Copied';">`. The button text flips to 'Copied' unconditionally before navigator.clipboard.writeText resolves, and there is no .catch and no fallback. On non-HTTPS contexts or browsers where navigator.clipboard is undefined, this throws and the URL is never copied, yet the button still says 'Copied'.

Suggested fix. Mirror the recruit/dashboard.php pattern: guard navigator.clipboard, only flip the label to 'Copied' inside .then(), and on rejection show App.toast('Could not copy — select the URL and Ctrl-C', 'warning'). Move it out of inline onclick into the nonce'd script block.

Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.