stack/docs/scratchpads at 680d75f910104b7adc4808f96463df0a4090ac3a - stack - Mosaic Gitea

mosaic/stack

Files

History

Jason Woltje 680d75f910 fix(#190 ): fix XSS vulnerability in Mermaid rendering

CRITICAL SECURITY FIX - Prevents XSS attacks through malicious Mermaid diagrams

Changes:
1. MermaidViewer.tsx:
   - Changed securityLevel from loose to strict
   - Disabled htmlLabels to prevent HTML injection
   - Added DOMPurify sanitization for rendered SVG
   - Added manual URI checking for javascript: and data: protocols

2. useGraphData.ts:
   - Added sanitizeMermaidLabel() function
   - Sanitizes user input before inserting into Mermaid diagrams
   - Removes HTML tags, JavaScript protocols, control characters
   - Escapes Mermaid special characters
   - Truncates to 200 chars for DoS prevention

Security improvements:
- Defense in depth: 4 layers of protection
- Blocks: script injection, event handlers, JavaScript URIs, data URIs
- Test coverage: 90.15% (exceeds 85% requirement)
- All attack vectors tested and blocked

Fixes #190

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

2026-02-02 12:03:36 -06:00

..

1-project-scaffold.md

feat(#1 ): Set up monorepo scaffold with pnpm workspaces + TurboRepo

2026-01-28 13:31:33 -06:00

2-postgresql-pgvector-schema.md

feat(#2 ): Implement PostgreSQL 17 + pgvector database schema

2026-01-28 16:06:34 -06:00

3-prisma-orm-setup.md

feat(#3 ): Add comprehensive tests and improve Prisma seed script

2026-01-28 16:24:25 -06:00

4-authentik-oidc-final-status.md

feat(#4 ): Implement Authentik OIDC authentication with BetterAuth

2026-01-28 17:26:34 -06:00

4-authentik-oidc.md

feat(#4 ): Implement Authentik OIDC authentication with BetterAuth

2026-01-28 17:26:34 -06:00

5-crud-apis.md

feat(#5 ): Implement CRUD APIs for tasks, events, and projects

2026-01-28 18:43:12 -06:00

6-basic-web-ui.md

feat(#37-41): Add domains, ideas, relationships, agents, widgets schema

2026-01-29 12:29:21 -06:00

7-8-type-safety-fixes.md

feat(#37-41): Add domains, ideas, relationships, agents, widgets schema

2026-01-29 12:29:21 -06:00

7-activity-logging.md

feat(#37-41): Add domains, ideas, relationships, agents, widgets schema

2026-01-29 12:29:21 -06:00

8-docker-compose.md

feat(#37-41): Add domains, ideas, relationships, agents, widgets schema

2026-01-29 12:29:21 -06:00

36-traefik-integration.md

feat(#37-41): Add domains, ideas, relationships, agents, widgets schema

2026-01-29 12:29:21 -06:00

122-llm-provider-interface.md

feat(#122 ): create LLM provider interface

2026-01-31 11:38:38 -06:00

123-ollama-provider.md

feat(#123 ): port Ollama LLM provider

2026-01-31 12:10:43 -06:00

126-llm-manager-service.md

feat(#126 ): create LLM Manager Service

2026-01-31 12:22:14 -06:00

128-llm-provider-schema.md

feat(#128 ): add LlmProviderInstance Prisma schema

2026-01-31 11:57:40 -06:00

143-validate-50-percent-rule.md

test(#143 ): Validate 50% rule prevents context exhaustion

2026-02-01 17:56:04 -06:00

149-test-rejection-loop.md

fix(#180 ): Update pnpm to 10.27.0 in Dockerfiles

2026-02-01 20:52:43 -06:00

150-orchestration-loop.md

docs(#150 ): Add scratchpad for orchestration loop implementation

2026-02-01 20:22:07 -06:00

155-context-monitor.md

fix(#180 ): Update pnpm to 10.27.0 in Dockerfiles

2026-02-01 20:52:43 -06:00

157-webhook-receiver.md

fix(#180 ): Update pnpm to 10.27.0 in Dockerfiles

2026-02-01 20:52:43 -06:00

158-issue-parser.md

fix(#180 ): Update pnpm to 10.27.0 in Dockerfiles

2026-02-01 20:52:43 -06:00

163-bullmq-dependencies.md

feat(#163 ): Add BullMQ dependencies

2026-02-01 20:56:45 -06:00

164-database-schema-jobs.md

feat(#167 ): Implement Runner jobs CRUD and queue submission

2026-02-01 21:09:03 -06:00

165-bullmq-module-setup.md

feat(#165 ): Implement BullMQ module setup

2026-02-01 21:01:25 -06:00

166-stitcher-module.md

feat(#167 ): Implement Runner jobs CRUD and queue submission

2026-02-01 21:09:03 -06:00

167-runner-jobs-crud.md

feat(#168 ): Implement job steps tracking

2026-02-01 21:16:23 -06:00

168-job-steps-tracking.md

feat(#168 ): Implement job steps tracking

2026-02-01 21:16:23 -06:00

169-job-events-audit.md

feat(#168 ): Implement job steps tracking

2026-02-01 21:16:23 -06:00

170-discord-bridge.md

feat(#170 ): Implement mosaic-bridge module for Discord

2026-02-01 21:26:40 -06:00

171-command-parser.md

feat(#171 ): Implement chat command parsing

2026-02-01 21:32:53 -06:00

172-herald-status.md

feat(#172 ): Implement Herald status updates

2026-02-01 21:42:44 -06:00

173-websocket-gateway.md

feat(#173 ): Implement WebSocket gateway for job events

2026-02-01 21:22:41 -06:00

174-sse-endpoint.md

docs(#162 ): Finalize M4.2-Infrastructure token tracking report

2026-02-02 08:18:55 -06:00

175-e2e-harness.md

feat(#175 ): Implement E2E test harness

2026-02-01 21:44:04 -06:00

176-coordinator-integration.md

feat(#176 ): Integrate M4.2 infrastructure with M4.1 coordinator

2026-02-01 21:54:34 -06:00

179-security-nodejs-deps.md

fix(#179 ): Update vulnerable Node.js dependencies

2026-02-01 20:54:25 -06:00

180-security-pnpm-dockerfiles.md

feat(#167 ): Implement Runner jobs CRUD and queue submission

2026-02-01 21:09:03 -06:00

181-security-go-stdlib-postgres.md

fix(#181 ): Update Alpine packages to patch Go stdlib vulnerabilities in postgres image

2026-02-01 20:54:57 -06:00

182-fix-prisma-enum-tests.md

fix(#182 ): fix Prisma enum import in job-steps tests

2026-02-02 11:41:11 -06:00

183-remove-hardcoded-workspace-id.md

fix(#183 ): remove hardcoded workspace ID from Discord service

2026-02-02 11:41:38 -06:00

184-add-coordinator-auth.md

fix(#184 ): add authentication to coordinator integration endpoints

2026-02-02 11:52:41 -06:00

185-fix-herald-error-handling.md

fix(#185 ): fix silent error swallowing in Herald broadcasting

2026-02-02 11:47:11 -06:00

190-fix-mermaid-xss.md

fix(#190 ): fix XSS vulnerability in Mermaid rendering

2026-02-02 12:03:36 -06:00

security-fixes-activity-api.md

feat(#37-41): Add domains, ideas, relationships, agents, widgets schema

2026-01-29 12:29:21 -06:00