Area: Account (re-run) (audit p1r) · Surface: /notifications · Dimension: native-dialog · Severity: minor
Not a native dialog (the notif modal is a custom in-page modal, which is correct), but the close affordances are wired with inline onclick attributes rather than the nonce'd addEventListener pattern the rest of this same file uses for .notif-open-btn and .notif-toggle-unread-btn. It keeps the page dependent on script-src 'unsafe-inline' and is inconsistent with the file's own modern handlers a few lines below. Low severity — polish/consistency, not a functional break.
Evidence
platform/templates/partials/notifications.php:224 `<div class="modal-overlay hidden" id="notifModal" onclick="if(event.target===this)closeNotifModal();">`, :231 `<button ... onclick="closeNotifModal();">`, :240 `<button ... onclick="closeNotifModal();">`. These are legacy inline event handlers, which templates/CLAUDE.md notes are tolerated only for CSP-legacy reasons, adding that NEW inline scripts should instead be nonce'd listeners.
Suggested fix. Move the three onclick handlers into the existing nonce'd <script> block: bind the overlay backdrop-click and the two close buttons via addEventListener, matching how openNotifModal is already attached.
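One way to make that change, as an added example that is not the project's own code: the markup loses its three onclick attributes and the nonce'd script binds the same behaviours with addEventListener. The `.notif-close-btn` class on the two buttons, the `doc` parameter and the helper name are assumptions for illustration; closeNotifModal() is taken from the inline handlers quoted above.

```javascript
// Added example (not the project's code). Replaces the inline handlers:
//   <div id="notifModal" onclick="if(event.target===this)closeNotifModal();">
//   <button ... onclick="closeNotifModal();">  (x2)
// with listeners bound from the existing <script nonce="..."> block, so the
// page no longer needs script-src 'unsafe-inline' for these affordances.
// Assumed: the two close buttons carry class "notif-close-btn".

function bindNotifModalClose(doc, closeNotifModal) {
  const overlay = doc.getElementById('notifModal');
  if (!overlay) return 0; // partial not rendered on this page

  // Backdrop click: close only when the click landed on the overlay itself,
  // not when it bubbled up from inside the modal (the old event.target===this).
  overlay.addEventListener('click', (event) => {
    if (event.target === event.currentTarget) closeNotifModal();
  });
  let bound = 1;

  // The two close buttons (header X and footer Close) get the same listener.
  for (const btn of overlay.querySelectorAll('.notif-close-btn')) {
    btn.addEventListener('click', () => closeNotifModal());
    bound++;
  }
  return bound; // number of listeners attached
}

// In the browser this runs inside the nonce'd <script> next to openNotifModal.
if (typeof document !== 'undefined' && typeof closeNotifModal === 'function') {
  bindNotifModalClose(document, closeNotifModal);
}
```

Once the attributes are gone, the CSP can drop 'unsafe-inline' for this template; any remaining inline handler will surface as a console CSP violation rather than silently working.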
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus