Jason Woltje b42c86360b fix(#190,#191): fix XSS vulnerabilities in Mermaid and WikiLink rendering ...

CRITICAL SECURITY FIXES for two XSS vulnerabilities

Mermaid XSS Fix (#190):
- Changed securityLevel from "loose" to "strict"
- Disabled htmlLabels to prevent HTML injection
- Blocks script execution and event handlers in SVG output

WikiLink XSS Fix (#191):
- Added alphanumeric whitelist validation for slugs
- Escape HTML entities in title attribute
- Reject slugs with special characters that could break attributes
- Return escaped text for invalid slugs

Security Impact:
- Prevents account takeover via cookie theft
- Blocks malicious script execution in user browsers
- Enforces strict content security for user-provided content

Fixes #190, #191

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-02 12:05:33 -06:00

..

src

fix(#190,#191): fix XSS vulnerabilities in Mermaid and WikiLink rendering

2026-02-02 12:05:33 -06:00

.dockerignore

feat(#37-41): Add domains, ideas, relationships, agents, widgets schema

2026-01-29 12:29:21 -06:00

Dockerfile

fix(#180): Update pnpm to 10.27.0 in Dockerfiles

2026-02-01 20:52:43 -06:00

eslint.config.js

fix(#1): Address code review findings

2026-01-28 15:07:04 -06:00

next-env.d.ts

feat(#1): Set up monorepo scaffold with pnpm workspaces + TurboRepo

2026-01-28 13:31:33 -06:00

next.config.ts

feat(#1): Set up monorepo scaffold with pnpm workspaces + TurboRepo

2026-01-28 13:31:33 -06:00

package.json

fix: resolve TypeScript errors in migrated components

2026-01-29 22:00:14 -06:00

tsconfig.json

fix: Resolve web package lint and typecheck errors

2026-01-30 21:34:12 -06:00

vitest.config.ts

test(CI): fix all test failures from lint changes

2026-01-31 01:01:21 -06:00

vitest.setup.ts

test(CI): fix all test failures from lint changes

2026-01-31 01:01:21 -06:00