fix: address security findings from final review
- Replace regex HTML sanitization with DOMPurify in NoteWidget (XSS fix)
- Remove allow-same-origin from default iframe sandbox in EmbedWidget
- Add URL scheme validation for embed URLs (http/https only)
- Install isomorphic-dompurify dependency
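The three hardening steps named in the commit message, shown as an added JavaScript example that is not code from this project or commit. The names isSafeEmbedUrl, sandboxAttribute, naiveStripScripts, survivingBypasses and the DEFAULT_SANDBOX token list are assumptions made for illustration, and the bypass strings are constructed inputs. DOMPurify itself is not called here (it would need the package installed); the real call the commit switches to is DOMPurify.sanitize from isomorphic-dompurify.

```javascript
// Added example for the three hardening steps named in the commit message.
// Not project code: isSafeEmbedUrl, sandboxAttribute, naiveStripScripts,
// survivingBypasses and DEFAULT_SANDBOX are names assumed for illustration.

// 1. Embed URL scheme validation. Parse with the WHATWG URL parser instead of
//    a string-prefix check: the parser lowercases the scheme and strips leading
//    control characters and whitespace, so "JAVASCRIPT:", "\tjavascript:" and
//    "data:" surface as their real protocol and are rejected, while relative
//    inputs such as "//evil.example" fail to parse at all.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function isSafeEmbedUrl(raw) {
  if (typeof raw !== 'string') return false;
  let url;
  try {
    url = new URL(raw); // throws on relative or malformed input
  } catch {
    return false;
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// 2. Iframe sandbox. Without allow-same-origin the framed document gets an
//    opaque origin: no access to the host page's cookies, storage or DOM even
//    when scripts run. Granting allow-scripts together with allow-same-origin
//    to a same-origin document lets it remove its own sandbox attribute, so
//    that combination is refused here rather than silently permitted.
const DEFAULT_SANDBOX = ['allow-scripts', 'allow-forms', 'allow-popups'];

function sandboxAttribute(extraTokens = []) {
  const tokens = new Set([...DEFAULT_SANDBOX, ...extraTokens]);
  if (tokens.has('allow-scripts') && tokens.has('allow-same-origin')) {
    throw new Error('allow-scripts + allow-same-origin defeats the sandbox');
  }
  return [...tokens].join(' ');
}

// 3. Why regex sanitization is replaced. A stripper that only removes <script>
//    elements leaves every other script-bearing construct in place. DOMPurify
//    instead parses the markup into a DOM and keeps elements, attributes and
//    URL values by allow-list: import DOMPurify from 'isomorphic-dompurify';
//    DOMPurify.sanitize(html).
function naiveStripScripts(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Constructed payloads that carry script without a <script> element.
const REGEX_BYPASS_SAMPLES = [
  '<img src=x onerror=alert(1)>',           // event handler attribute
  '<svg onload=alert(1)></svg>',            // event handler on SVG
  '<a href="javascript:alert(1)">link</a>', // javascript: URL
  '<details open ontoggle=alert(1)>x</details>',
];

// Returns the samples that pass through the naive stripper untouched.
function survivingBypasses(samples = REGEX_BYPASS_SAMPLES) {
  return samples.filter((s) => naiveStripScripts(s) === s);
}
```

The URL check deliberately allow-lists protocols from the parsed object rather than testing the raw string, because the parser, not a regex, is what the browser will apply when the iframe src is set. The sandbox helper throws rather than dropping a token so that a caller who opts into allow-same-origin for a trusted same-origin embed has to do so without allow-scripts, or consciously build the attribute by hand.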
@@ -27,6 +27,7 @@
"bcryptjs": "^2.4.3",
"bits-ui": "^1.3.0",
"clsx": "^2.1.0",
"isomorphic-dompurify": "^3.7.1",
"jsonwebtoken": "^9.0.2",
"lucide-svelte": "^0.469.0",
"marked": "^17.0.5",
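Review bot: only package.json appears in this hunk, and the message says "Install isomorphic-dompurify dependency", so the lockfile update that pins what "^3.7.1" resolves to should be committed alongside it; otherwise CI and developers can end up on different DOMPurify releases for what is a security fix. Two caveats on the package choice: isomorphic-dompurify wraps DOMPurify in jsdom for server-side use, so if NoteWidget only sanitizes in the browser the plain dompurify package avoids pulling jsdom into the dependency tree; and if notes are rendered through the adjacent "marked": "^17.0.5" (marked does not sanitize its output, and markdown may contain raw HTML), DOMPurify.sanitize must run on marked's HTML output, not on the markdown input.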