fix: replace Math.random ID generator with crypto-based genId to resolve security hotspot warnings

Author: linh2020

src/api/events.js

@@ -9,7 +9,6 @@ const wait = (ms = 300) => new Promise(r => setTimeout(r, ms));
 const NS = 'hgn_event_mock_v1:'; // storage namespace version
 
 const todayISO = () => new Date().toISOString();
-const randomPick = arr => arr[Math.floor(Math.random() * arr.length)];
 const clone = x => JSON.parse(JSON.stringify(x));
 
 function keyFor(id) {
@@ -205,7 +204,13 @@ export async function upsertScheduleSlot(activityId, date, slot /* {id?,start,en
   const next = clone(evt);
   const list = next.scheduleByDate[date] ?? [];
   if (!slot.id) {
-    slot.id = crypto.randomUUID ? crypto.randomUUID() : `slot_${Date.now()}`;
+    slot.id = crypto?.randomUUID
+      ? crypto.randomUUID()
+      : (() => {
+          const a = new Uint32Array(4);
+          crypto?.getRandomValues?.(a);
+          return `slot_${[...a].map(x => x.toString(16).padStart(8, '0')).join('')}`;
+        })();
     list.push(slot);
   } else {
     const idx = list.findIndex(s => s.id === slot.id);
@@ -278,7 +283,13 @@ export async function upsertResource(activityId, res /* {id?,type,title,url,size
   const next = clone(evt);
   const list = next.resources ?? [];
   if (!res.id) {
-    res.id = crypto.randomUUID ? crypto.randomUUID() : `res_${Date.now()}`;
+    res.id = crypto?.randomUUID
+      ? crypto.randomUUID()
+      : (() => {
+          const a = new Uint32Array(4);
+          crypto?.getRandomValues?.(a);
+          return `res_${[...a].map(x => x.toString(16).padStart(8, '0')).join('')}`;
+        })();
     list.push(res);
   } else {
     const idx = list.findIndex(r => r.id === res.id);

src/components/CommunityPortal/Activities/activityId/EventPageOrganizer/sections/DescriptionSection/DescriptionSection.jsx

@@ -4,6 +4,20 @@ import { Button } from '../../components/ui/button';
 import { Textarea } from '../../components/ui/textarea';
 import styles from './DescriptionSection.module.css';
 
+const genId = () => {
+  if (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function') {
+    return crypto.randomUUID();
+  }
+
+  if (typeof crypto !== 'undefined' && typeof crypto.getRandomValues === 'function') {
+    const a = new Uint32Array(4);
+    crypto.getRandomValues(a);
+    return [...a].map(x => x.toString(16).padStart(8, '0')).join('');
+  }
+
+  return `id_${Date.now().toString(36)}_${Math.trunc(performance.now()).toString(36)}`;
+};
+
 export const DescriptionSection = ({
   activityId = 'test-event',
   initialDescription = '',
@@ -27,9 +41,7 @@ export const DescriptionSection = ({
         try {
           const uploads = await Promise.all(files.map(f => uploadMediaFn(activityId, f)));
           const newMedia = uploads.map(u => ({
-            id: Math.random()
-              .toString(36)
-              .substr(2, 9),
+            id: genId(),
             url: u.url,
             name: u.name,
             size: u.size,
@@ -44,9 +56,7 @@ export const DescriptionSection = ({
       } else {
         // fallback: use local preview URLs
         const newMedia = files.map(file => ({
-          id: Math.random()
-            .toString(36)
-            .substr(2, 9),
+          id: genId(),
           url: URL.createObjectURL(file),
           name: file.name,
           size: file.size,