Fixes Bug #3: Locations disappearing when switching tabs or on reload.
Root cause: inventory.stored could become corrupted (null, array, or
undefined) due to incomplete validation during load/save operations.
Solution - Defense in Depth:
1. **Persistence Layer** (src/core/persistence.js):
- New validateInventoryStructure() function
- Validates on loadSettings() and loadChatData()
- Checks all v2 fields (onPerson, stored, assets, version)
- Ensures stored is always a plain object
- Validates stored keys/values using validateStoredInventory()
- Auto-repairs corrupted data with console warnings
- Persists repairs immediately
2. **Form State Management** (src/systems/interaction/inventoryActions.js):
- Enhanced restoreFormStates() to detect deleted locations
- Cleans up orphaned form states automatically
- Prevents errors from forms referencing non-existent locations
Validation checks:
- ✓ inventory.stored is object (not null/array/undefined)
- ✓ All stored keys are safe (no __proto__, constructor, etc.)
- ✓ All stored values are strings
- ✓ onPerson and assets are strings
- ✓ version field exists
Auto-repair scenarios:
- Corrupted stored → reset to {}
- Invalid onPerson/assets → reset to "None"
- Missing version → set to 2
- Dangerous keys → removed with warning
Result:
- Locations persist across tab switches ✓
- Empty locations persist ✓
- Data corruption auto-repaired on load ✓
- Orphaned form states cleaned up ✓
- No crashes from invalid data ✓
Fixes: Location disappears when switching tabs or reloading
Created comprehensive security layer to protect against malicious input
and resource exhaustion attacks.
New security.js module:
- sanitizeLocationName(): Blocks __proto__, constructor, toString, etc.
- sanitizeItemName(): Enforces max length (500 chars)
- validateStoredInventory(): Validates entire stored object structure
- MAX_ITEMS_PER_SECTION: Limit of 500 items per section
Protected attack vectors:
1. Prototype pollution via location names
- Blocked: "__proto__", "constructor", "prototype", etc.
- Alert shown to user if attempted
2. DoS via extremely long names
- Location names: max 200 chars (truncated with warning)
- Item names: max 500 chars (truncated with warning)
3. DoS via massive item lists
- Max 500 items per section (truncated with warning)
Integration:
- itemParser.js: Uses sanitizeItemName() and enforces max items
- inventoryActions.js: Validates all user input before saving
- Manual location creation: blocked dangerous names
- Manual item addition: length limits enforced
Security best practices (2025):
- No regex DoS vulnerabilities (character-by-character parsing)
- Explicit hasOwnProperty checks to avoid inherited properties
- Console warnings for all security events (auditing)
- Graceful degradation (truncate, don't crash)
- Defense in depth (validation at multiple layers)
This protects against both malicious actors and accidental abuse.
Fixes bug where expanding an existing storage location would close
the "Add Location" form that was currently open. This happened
because renderInventory() recreated all HTML from scratch, resetting
all inline forms to hidden state.
Solution:
- Track open form states in inventoryActions module
- Restore form visibility after each re-render
- Applies to all inline forms: add location, add items (on person,
stored, assets)
This also fixes the related issue where switching tabs would close
open forms.
Fixes: Location disappears when expanding while adding new location
Implemented comprehensive individual item management system with toggleable view modes:
- Added item parsing utilities (parseItems/serializeItems) for comma-separated strings
- Implemented list view (full-width rows) and grid view (responsive cards)
- Added view mode toggle buttons per inventory section (onPerson, stored, assets)
- View preferences persist per-section in settings
- Replaced text-based editing with add/remove item controls
- Added inline forms for adding new items (matching existing UX patterns)
- Applied theme accent color (--rpg-highlight) to all outlines and active states
- Updated all tabs (desktop/mobile/inventory subtabs) with theme-consistent styling
Technical improvements:
- Created itemParser.js utility module for item string manipulation
- Enhanced inventory rendering with conditional list/grid HTML generation
- Added switchViewMode handler with settings persistence
- Fixed [object Object] display bug with comprehensive type checking
- All buttons and items now use transparent backgrounds with theme accent borders
Replaced all prompt() and confirm() dialogs with contenteditable fields
and inline UI components for a better user experience.
Changes:
- Made inventory fields (On Person, Stored items, Assets) contenteditable
with blur-to-save functionality
- Replaced "Add Location" prompt with inline form (hidden by default)
- Replaced "Remove Location" confirm with inline confirmation UI
- Added CSS styling for inline editing states (hover, focus, empty)
- Added CSS for inline forms, buttons, and confirmation UI
- Fixed bug where inventory sub-tabs were unclickable due to
incorrect container ID in toggleLocationCollapse() and
switchInventoryTab() functions
All inline edits now save automatically on blur, matching the UX
pattern used elsewhere in the extension (mood/conditions fields).