CRITICAL SECURITY FIXES for two XSS vulnerabilities
Mermaid XSS Fix (#190):
- Changed securityLevel from "loose" to "strict"
- Disabled htmlLabels to prevent HTML injection
- Blocks script execution and event handlers in SVG output
WikiLink XSS Fix (#191):
- Added alphanumeric whitelist validation for slugs
- Escape HTML entities in title attribute
- Reject slugs with special characters that could break attributes
- Return escaped text for invalid slugs
Security Impact:
- Prevents account takeover via cookie theft
- Blocks malicious script execution in user browsers
- Enforces strict content security for user-provided content
Fixes#190, #191
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Implements two key knowledge module features:
**#62 - Backlinks Display:**
- Added BacklinksList component to show entries that link to current entry
- Fetches backlinks from /api/knowledge/entries/:slug/backlinks
- Displays entry title, summary, and link context
- Clickable links to navigate to linking entries
- Loading, error, and empty states
**#64 - Wiki-Link Rendering:**
- Added WikiLinkRenderer component to parse and render wiki-links
- Supports [[slug]] and [[slug|display text]] syntax
- Converts wiki-links to clickable navigation links
- Distinct styling (blue color, dotted underline)
- XSS protection via HTML escaping
- Memoized HTML processing for performance
**Components:**
- BacklinksList.tsx - Backlinks display with empty/loading/error states
- WikiLinkRenderer.tsx - Wiki-link parser and renderer
- Updated EntryViewer.tsx to use WikiLinkRenderer
- Integrated BacklinksList into entry detail page
**API:**
- Added fetchBacklinks() function in knowledge.ts
- Added KnowledgeBacklink type to shared types
**Tests:**
- Comprehensive tests for BacklinksList (8 tests)
- Comprehensive tests for WikiLinkRenderer (14 tests)
- All tests passing with Vitest
**Type Safety:**
- Strict TypeScript compliance
- No 'any' types
- Proper error handling
