fix: validate type parameter against allow-list in showMessage (#83)

Adds allow-list validation for the 'type' parameter in showMessage()
to prevent class injection vulnerabilities. The type is now checked
against ['success', 'error'] before being passed to addClass(), with
a safe fallback to 'error' for any unexpected values.

Addresses review feedback from PR #47 (gemini-code-assist finding).
Closes #76

admin/js/update-source-selector.js

@@ -147,17 +147,21 @@
     /**
 		 * Show a message in the modal
 		 *
-		 * @param {string} type Message type (success, error)
+		 * @param {string} type    Message type (success, error)
 		 * @param {string} message Message text
 		 */
     showMessage: function (type, message) {
       const $message = this.$modal.find( '.wpst-modal-message' );
 
-      // Set message as plain text to prevent XSS, then apply type class.
-      $message.text( message ).removeClass( 'success error' ).addClass( type ).show();
+      // Validate type against allow-list to prevent class injection vulnerabilities.
+      const allowedTypes = [ 'success', 'error' ];
+      const safeType = allowedTypes.includes( type ) ? type : 'error';
+
+      // Set message as plain text to prevent XSS, then apply validated type class.
+      $message.text( message ).removeClass( 'success error' ).addClass( safeType ).show();
 
       // Hide message after a delay for success messages.
-      if (type === 'success') {
+      if (safeType === 'success') {
         setTimeout(
           function () {
             $message.fadeOut( 300 );