Perf & security: DB indexes, partial updates, route dedup, XSS fix#8

Draft
Copilot wants to merge 3 commits into master from copilot/identify-and-suggest-code-improvements

Conversation

Copilot AI commented Mar 18, 2026

Several inefficiencies and one XSS vulnerability across the data layer, server routes, and client-side rendering.

Database (database.js)

  • Missing indexes — added CREATE INDEX IF NOT EXISTS on completed, priority, and created_at DESC; previously every query did a full table scan
  • Partial updates clobbered existing data — updateTask always sent all 4 columns, setting unprovided fields to NULL; now builds the SET clause dynamically from only the defined arguments

```js
// Before: always overwrites every column
UPDATE tasks SET title = ?, description = ?, priority = ?, completed = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?

// After: only touches what was passed
if (title !== undefined)     { fields.push('title = ?');     values.push(title); }
if (description !== undefined) { ... }
// ...
const sql = `UPDATE tasks SET ${fields.join(', ')} WHERE id = ?`;
```

Server routes (index.js)

  • GET / and GET /tasks were identical 10-line blocks; extracted into a single renderTasks handler

Client (public/script.js)

  • Unnecessary API call on delete — deleting the last task fired a full GET /api/tasks reload; now renders the empty state directly
  • XSS — title, description, priority, and id were interpolated raw into innerHTML; added escapeHtml() applied to all user-supplied values
  • CSS class injection — task.priority was used as a class name without validation; whitelisted to low/medium/high with medium as fallback

Tests (tests/database.test.js)

New test file using an in-memory SQLite DB covering partial-update correctness and the no-fields error path of updateTask.
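The dynamic SET clause described in the PR, written out in full as an added example (this is not the PR's own code, and the function name `buildUpdateTask`, the `UPDATABLE_COLUMNS` allow-list and the `PRIORITIES` set are assumptions). It keeps the `!== undefined` semantics the PR relies on (an explicit `null` still clears a column), throws on the no-fields path the new tests cover, and adds the check a reviewer would ask for when the patch object comes straight from `req.body`: column names are taken from a fixed list, never from the caller's keys, so the SET clause can only ever contain the four known columns.

```javascript
// Added example (not the PR's code): build a partial UPDATE for the tasks table
// from only the fields the caller supplied. Column names come from a fixed
// allow-list (an assumption), so a request body such as
// {"title = ?, completed = 1; --": "x"} can never reach the SQL text.
const UPDATABLE_COLUMNS = ['title', 'description', 'priority', 'completed'];
const PRIORITIES = new Set(['low', 'medium', 'high']);

function buildUpdateTask(id, patch) {
  const fields = [];
  const values = [];
  for (const column of UPDATABLE_COLUMNS) {
    const value = patch[column];
    if (value === undefined) continue; // not supplied: leave the stored value alone
    if (column === 'priority' && !PRIORITIES.has(value)) {
      throw new Error(`invalid priority: ${String(value)}`);
    }
    fields.push(`${column} = ?`);
    // SQLite has no boolean type; store completed as 0/1.
    values.push(column === 'completed' ? (value ? 1 : 0) : value);
  }
  if (fields.length === 0) {
    throw new Error('updateTask: no fields to update');
  }
  fields.push('updated_at = CURRENT_TIMESTAMP');
  values.push(id);
  return {
    sql: `UPDATE tasks SET ${fields.join(', ')} WHERE id = ?`,
    params: values, // bound separately; user data never enters the SQL string
  };
}

// Constructed sample input: a hostile key that must be ignored, one real field.
const DEMO_PATCH = { completed: true, 'title = ?; DROP TABLE tasks; --': 'x' };
const demo = buildUpdateTask(7, DEMO_PATCH);
console.log(demo.sql);    // UPDATE tasks SET completed = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?
console.log(demo.params); // [ 1, 7 ]
```

The returned `sql` and `params` go to the driver as a parameterised statement exactly as the existing `updateTask` does; the only string interpolation is over the allow-listed column names.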
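The client-side fix described above (escape every user-supplied value before it reaches innerHTML, and restrict `task.priority` to a fixed set of class names) as an added example that is not the PR's own `script.js`; `escapeHtml`, `safePriority` and `renderTask` are assumed names, and the sample tasks are constructed. It renders to an HTML string so it runs without a DOM, and escapes `"` and `'` as well as `&<>`, because `id` lands inside an attribute value where an unescaped quote is enough to break out.

```javascript
// Added example (not the PR's code): render one task row with all user data
// HTML-escaped and the priority class taken from a whitelist.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escapes the five characters that matter in HTML text and quoted attributes.
// Not sufficient for URL, JavaScript or unquoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

const PRIORITY_CLASSES = new Set(['low', 'medium', 'high']);

// Unknown or malformed priorities fall back to 'medium' instead of becoming a class name.
function safePriority(priority) {
  return PRIORITY_CLASSES.has(priority) ? priority : 'medium';
}

function renderTask(task) {
  const priority = safePriority(task.priority);
  return (
    `<li class="task priority-${priority}" data-id="${escapeHtml(task.id)}">` +
    `<span class="title">${escapeHtml(task.title)}</span>` +
    `<p class="description">${escapeHtml(task.description ?? '')}</p>` +
    `</li>`
  );
}

// Constructed hostile input: XSS in the title, class-name injection in priority,
// attribute break-out in id.
const EVIL_TASK = {
  id: '1" onmouseover="alert(1)',
  title: '<img src=x onerror=alert(1)>',
  description: null,
  priority: 'high" onclick="steal()',
};
console.log(renderTask(EVIL_TASK));
// <li class="task priority-medium" data-id="1&quot; onmouseover=&quot;alert(1)"><span class="title">&lt;img src=x onerror=alert(1)&gt;</span><p class="description"></p></li>
```

In the real page the string is assigned to `innerHTML` exactly as before; the difference is that nothing user-controlled can open a tag, close an attribute, or choose a class. Where the DOM is available, building the element with `createElement` and `textContent` avoids the escaping step altogether.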
Copilot AI and others added 2 commits March 18, 2026 06:56
Co-authored-by: kavyashri-as <213833080+kavyashri-as@users.noreply.github.com>
…S/injection fixes

Co-authored-by: kavyashri-as <213833080+kavyashri-as@users.noreply.github.com>
Copilot AI changed the title [WIP] Identify and improve slow or inefficient code Perf & security: DB indexes, partial updates, route dedup, XSS fix Mar 18, 2026
Copilot AI requested a review from kavyashri-as March 18, 2026 07:01