fix: address security findings from final review

Browse Source

- Replace regex HTML sanitization with DOMPurify in NoteWidget (XSS fix)
- Remove allow-same-origin from default iframe sandbox in EmbedWidget
- Add URL scheme validation for embed URLs (http/https only)
- Install isomorphic-dompurify dependency

...

This commit is contained in:

Admin

2026-03-24 23:50:37 +03:00

parent 87ed928a3a

commit 5a6002be76

4 changed files with 788 additions and 37 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download Patch File Download Diff File Expand all files Collapse all files

package-lock.json

Generated

+734 -3

File diff suppressed because it is too large Load Diff