Area: Engagement (audit p9) · Surface: /projects/{slug}, /projects/{slug}/edit, /projects/{slug}/releases/{tag} · Dimension: native-dialogs · Severity: major
Native browser confirm() is explicitly banned (use data-confirm / App.modal.confirm). These 6 delete/remove buttons in the Projects area still call the native dialog, which ignores the theme, looks like a malware prompt, and is inconsistent with the migrated Events/Achievements/Marketplace surfaces. Every other delete in the Engagement area already uses data-confirm.
Evidence
platform/templates/projects/show.php:210 `<button type="submit" class="btn btn--danger btn--sm" onclick="return confirm('Delete this file?')">X</button>`; same pattern at show.php:291 (Remove this item?), show.php:481 (Delete this comment?), projects/edit.php:111 (Remove this link?), projects/releases/show.php:29 (Delete this release and all its files?). The rest of the platform already migrated to the data-confirm interceptor — e.g. events/show.php:143 uses `data-confirm="Delete this event?"` and admin/achievements/edit.php:280 uses data-confirm; app.js:1369 wires `[data-confirm]` to App.modal.confirm.
Suggested fix. Replace each `onclick="return confirm('…')"` with `data-confirm="…"` on the enclosing `<form>` (matching the events/index.php:76 pattern). Drop the inline onclick entirely; the global app.js click interceptor handles submission after the modal confirms.
Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.
Patrick Bass
@mobieus
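
One way to apply and re-check the suggested fix across the templates, as an added example that is not part of the original finding or the project's code: a line-based rewrite that moves the message from the inline `onclick` to `data-confirm` on the enclosing `<form>` and reports anything it cannot migrate. `migrateNativeConfirm`, the sample markup and the form action are constructed for illustration; it assumes at most one `<form>` tag per line and a literal single-quoted message.

```javascript
// Added example, not project code. Line-based heuristic: assumes at most one
// <form> tag per line and a literal, single-quoted confirm() message.
const NATIVE_CONFIRM = /\s+onclick="return confirm\('((?:[^'\\"]|\\.)*)'\)"/;

function migrateNativeConfirm(source) {
  const lines = source.split('\n');
  const findings = [];
  let formLine = -1; // index of the currently open <form>, or -1 if none
  for (let i = 0; i < lines.length; i++) {
    if (/<form\b/i.test(lines[i])) formLine = i;
    const m = lines[i].match(NATIVE_CONFIRM);
    if (m) {
      // Undo the JS string escapes \' and \\; HTML entities carry over unchanged.
      const message = m[1].replace(/\\(['\\])/g, '$1');
      const finding = { line: i + 1, message, fixed: false };
      if (formLine === -1) {
        finding.reason = 'no enclosing <form>; migrate by hand';
      } else if (/\bdata-confirm=/.test(lines[formLine])) {
        finding.reason = 'form already has data-confirm; migrate by hand';
      } else {
        lines[i] = lines[i].replace(NATIVE_CONFIRM, '');
        // Function replacement so "$" in a message is not treated specially.
        lines[formLine] = lines[formLine].replace(
          /<form\b/i, (tag) => `${tag} data-confirm="${message}"`);
        finding.fixed = true;
      }
      findings.push(finding);
    }
    if (/<\/form>/i.test(lines[i])) formLine = -1;
  }
  return { output: lines.join('\n'), findings };
}

// Constructed sample; the first button's markup is the one quoted in the finding.
const SAMPLE = [
  '<form method="post" action="/projects/demo/files/1/delete">',
  '  <button type="submit" class="btn btn--danger btn--sm" onclick="return confirm(\'Delete this file?\')">X</button>',
  '</form>',
  '<button type="button" onclick="return confirm(\'Remove this item?\')">Remove</button>',
].join('\n');

console.log(migrateNativeConfirm(SAMPLE));
```

A non-empty `findings` list can fail a CI step, so a reintroduced native `confirm()` is caught before it ships.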