fix: validate type parameter against allow-list in showMessage (#83)

Adds allow-list validation for the 'type' parameter in showMessage()
to prevent class injection vulnerabilities. The type is now checked
against ['success', 'error'] before being passed to addClass(), with
a safe fallback to 'error' for any unexpected values.

Addresses review feedback from PR #47 (gemini-code-assist finding).
Closes #76

admin/js/update-source-selector.js

@@ -153,11 +153,15 @@
     showMessage: function (type, message) {
       const $message = this.$modal.find( '.wpst-modal-message' );
 
-      // Set message as plain text to prevent XSS, then apply type class.
+      // Validate type against allow-list to prevent class injection vulnerabilities.
-      $message.text( message ).removeClass( 'success error' ).addClass( type ).show();
+      const allowedTypes = [ 'success', 'error' ];
+      const safeType = allowedTypes.includes( type ) ? type : 'error';
+
+      // Set message as plain text to prevent XSS, then apply validated type class.
+      $message.text( message ).removeClass( 'success error' ).addClass( safeType ).show();
 
       // Hide message after a delay for success messages.
-      if (type === 'success') {
+      if (safeType === 'success') {
         setTimeout(
           function () {
             $message.fadeOut( 300 );