Add task category feature with predefined priority levels

[Claude]

• Understand the PR review feedback
• Add category allowlist validation in backend createTask (return 400 for invalid values, normalize case)
• Add category allowlist validation in backend updateTask (return 400 for invalid values, normalize case)
• Fix XSS vulnerability in addTaskToDOM by using DOM methods instead of innerHTML
• Add aria-label to the category <select> in index.html for accessibility

[Copilot]

Pull request overview

This PR introduces a predefined “category/priority” field for tasks (Low/Medium/High) across the backend API and the vanilla JS frontend, including UI controls and styling for category badges.

Changes:

• Backend: adds category support on task creation (defaulting to Medium) and task updates.
• Frontend: adds a category <select> in the task form and sends the selected category when creating tasks.
• UI: adds CSS variables and badge styles to visually distinguish categories in both light/dark themes.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File	Description
backend/controllers/tasksController.js	Persists category on create and update endpoints.
frontend/index.html	Adds a category dropdown to the create-task form.
frontend/script.js	Sends category on create and renders a category badge per task.
frontend/style.css	Adds theme variables and styles for the category select + category badges.

[Copilot]

category is accepted directly from req.body without validation/normalization. Since the UI and frontend rendering assume one of Low|Medium|High, storing arbitrary values can lead to inconsistent data and (because the frontend interpolates task.category into HTML/class attributes) potential XSS. Consider enforcing an allowlist (case-insensitive), defaulting to Medium, and returning 400 for invalid values.

[rtraidcleverit]

@copilot apply changes based on this feedback

[Copilot]

Applied in commit d7112dc. The changes address all four review points:

• Backend createTask: Added a VALID_CATEGORIES allowlist (['Low', 'Medium', 'High']); category is now normalized (case-insensitive) and returns 400 for any value not in the list.
• Backend updateTask: Same allowlist validation applied when category is present in the request body.
• Frontend XSS fix: addTaskToDOM now uses createElement, textContent, classList, and addEventListener instead of innerHTML, eliminating injection risk.
• Accessibility: Added aria-label="Task priority category" to the <select> element so screen readers announce it properly.

[Copilot]

updateTask allows updating task.category to any arbitrary value from req.body.category with no validation. If categories are meant to be predefined (Low|Medium|High), reject invalid inputs (400) and/or normalize case to avoid persisting unexpected values.

[Copilot]

addTaskToDOM interpolates task.category into both an element’s class attribute and its inner HTML via innerHTML. If a task is created/updated with a malicious category value (backend currently allows arbitrary strings), this can break markup and enable XSS. Prefer building the DOM with textContent/classList and mapping category values to a known set of CSS classes rather than concatenating raw values into HTML.

[Copilot]

The new <select> relies on title for its accessible name, but title is not a reliable label for screen readers. Add an explicit <label for="categorySelect">…</label> or at least an aria-label/aria-labelledby so the control is properly announced.