Code-Review: Path-Traversal-Fix, toten Code entfernt (formatClock, data.error Check), Emoji-Literal korrigiert, Einrückung fix

index.html

@@ -4,7 +4,7 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>🏆 Lara Kiesewetter – Live Schachturnier</title>
-        <link rel="stylesheet" href="https://unpkg.com/@chrisoakman/chessboardjs@1.0.0/dist/chessboard-1.0.0.min.css">
+    <link rel="stylesheet" href="https://unpkg.com/@chrisoakman/chessboardjs@1.0.0/dist/chessboard-1.0.0.min.css">
     <link rel="stylesheet" href="style.css">
 </head>
 <body>

js/app.js

@@ -334,8 +334,8 @@ function updateClocks(moveIndex) {
     const laraClock = laraIsWhite ? whiteClock : blackClock;
     const oppClock = laraIsWhite ? blackClock : whiteClock;
 
-    document.getElementById('black-clock').textContent = formatClock(oppClock);
-    document.getElementById('white-clock').textContent = formatClock(laraClock);
+    document.getElementById('black-clock').textContent = oppClock || '--:--:--';
+    document.getElementById('white-clock').textContent = laraClock || '--:--:--';
 }
 
 /**
@@ -568,10 +568,6 @@ async function updateStandings() {
                     round: currentRound,
                 };
                 const container = document.getElementById('standings-content');
-                if (!data || data.error) {
-                    container.innerHTML = '<div class="standings-loading">Daten nicht verfügbar</div>';
-                    return;
-                }
                 container.innerHTML = `
                     <div class="standings-rank">${data.rank}.</div>
                     <div class="standings-rank-label">Tabellenplatz</div>
@@ -602,15 +598,6 @@ async function updateStandings() {
     }
 }
 
-/**
- * Format clock string
- */
-function formatClock(clockStr) {
-    if (!clockStr) return '--:--:--';
-    // Format is HH:MM:SS
-    return clockStr;
-}
-
 /**
  * Update timestamp
  */

server.py

@@ -199,7 +199,11 @@ class Handler(http.server.BaseHTTPRequestHandler):
         if self.path == "/":
             self.path = "/index.html"
 
-        filepath = os.path.join(BASE_DIR, self.path.lstrip("/"))
+        filepath = os.path.normpath(os.path.join(BASE_DIR, self.path.lstrip("/")))
+        if not filepath.startswith(BASE_DIR):
+            self.send_response(403)
+            self.end_headers()
+            return
 
         if os.path.isfile(filepath):
             content_types = {
@@ -309,7 +313,7 @@ class Handler(http.server.BaseHTTPRequestHandler):
 
 def main():
     print("=" * 50)
-    print("  [TROPHY] Lara Kiesewetter - Live Schachturnier")
+    print("  Lara Kiesewetter - Live Schachturnier")
     print("=" * 50)
     print(f"  Server laeuft auf: http://localhost:{PORT}")
     if os.path.exists(STOCKFISH_PATH) or STOCKFISH_PATH == "stockfish":
@@ -321,7 +325,7 @@ def main():
 
     socketserver.ThreadingTCPServer.allow_reuse_address = True
     with socketserver.ThreadingTCPServer(("", PORT), Handler) as httpd:
-        print(f"\n[SERVER] Server gestartet: http://localhost:{PORT}\n")
+        print(f"\n[SERVER] Bereit für Anfragen\n")
         try:
             httpd.serve_forever()
         except KeyboardInterrupt: