Jason Woltje
e57271c278
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Added defense-in-depth security layers for wiki-link rendering: Slug Validation (isValidWikiLinkSlug): - Reject empty slugs - Block dangerous protocols: javascript:, data:, vbscript:, file:, about:, blob: - Block URL-encoded dangerous protocols (e.g., %6A%61%76%61... = javascript) - Block HTML tags in slugs - Block HTML entities in slugs - Only allow safe characters: a-z, A-Z, 0-9, -, _, ., / Display Text Sanitization (DOMPurify): - Strip all HTML tags from display text - ALLOWED_TAGS: [] (no HTML allowed) - KEEP_CONTENT: true (preserves text content) - Prevents event handler injection - Prevents iframe/object/embed injection Comprehensive XSS Testing: - 11 new attack vector tests - javascript: URLs - blocked - data: URLs - blocked - vbscript: URLs - blocked - Event handlers (onerror, onclick) - removed - iframe/object/embed - removed - SVG with scripts - removed - HTML entity bypass - blocked - URL-encoded protocols - blocked - All 25 tests passing (14 existing + 11 new) Files modified: - apps/web/src/components/knowledge/WikiLinkRenderer.tsx - apps/web/src/components/knowledge/__tests__/WikiLinkRenderer.test.tsx Fixes #201 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>