b42c86360b
CRITICAL SECURITY FIXES for two XSS vulnerabilities Mermaid XSS Fix (#190): - Changed securityLevel from "loose" to "strict" - Disabled htmlLabels to prevent HTML injection - Blocks script execution and event handlers in SVG output WikiLink XSS Fix (#191): - Added alphanumeric whitelist validation for slugs - Escape HTML entities in title attribute - Reject slugs with special characters that could break attributes - Return escaped text for invalid slugs Security Impact: - Prevents account takeover via cookie theft - Blocks malicious script execution in user browsers - Enforces strict content security for user-provided content Fixes #190, #191 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
3.3 KiB
3.3 KiB