Commit graph

3 commits

Author SHA1 Message Date
Justin Barnett
57787b6557
fix(coding-agent): escape exported session metadata (#3883)
2026-04-28 11:46:42 +02:00
Justin Barnett
7617c1ad92
fix(coding-agent): escape exported image data (#3819)
Fixes #3811
2026-04-27 23:22:06 +02:00
Samuel Painter
ee462dd70d
fix(coding-agent): sanitize markdown links in exported session HTML (#3532)
marked v15 does not filter dangerous URL protocols. The default link
renderer passes href values through verbatim, so markdown like
`[click](javascript:alert(1))` renders as a clickable XSS link in
shared/exported session HTML.

Add custom link and image renderers that:
- Block javascript:, vbscript:, and data: protocol URLs
- Escape href/title/alt attributes via escapeHtml()

Also escape img.mimeType in session image rendering to prevent
attribute breakout from crafted session JSONL.

Fixes #3531
2026-04-22 10:53:03 +02:00
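The defence described in commit ee462dd70d (custom link and image renderers that refuse javascript:, vbscript: and data: URLs, escape href/title/alt through escapeHtml(), and escape img.mimeType from session JSONL) as an added stand-alone example. This is not the coding-agent project's code and does not depend on the marked package: the escapeHtml() here is my own implementation of what the commit names, the {href, title, text} token shape is an assumption modelled on marked's renderer arguments, renderMarkdown() is a toy regex-based stand-in for marked that only understands inline links and images, and renderSessionImage() with its image/* mime allowlist is a hypothetical helper that goes one check beyond the escaping the commit describes.

```javascript
// Added example, not the coding-agent project's own code.
// Escape every attribute value, refuse javascript:/vbscript:/data: URLs in
// links and images, and validate + escape mimeType taken from session JSONL.

function escapeHtml(s) {
  // Assumed to behave like the project's escapeHtml(): the five HTML specials.
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Map a numeric entity to its character; out-of-range code points become nothing.
function codePointToChar(n) {
  return n >= 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '';
}

// Normalise a URL for the scheme check only (the output keeps the original text):
// decode entities an author can hide in a markdown URL, then drop the ASCII control
// characters and whitespace browsers skip while parsing a scheme, so that
// `java&#x09;script:` and "java\nscript:" are caught as well as "JavaScript:".
function normalizeScheme(href) {
  return String(href)
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePointToChar(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => codePointToChar(parseInt(d, 10)))
    .replace(/&colon;/gi, ':')
    .replace(/&tab;/gi, '\t')
    .replace(/&newline;/gi, '\n')
    .replace(/[\u0000-\u0020\u007f]/g, '')
    .toLowerCase();
}

// The three schemes the commit blocks; a denylist, as in the commit.
const BLOCKED_SCHEMES = /^(javascript|vbscript|data):/;

function isDangerousUrl(href) {
  return BLOCKED_SCHEMES.test(normalizeScheme(href));
}

// Renderer object in the style of marked's custom renderers (token shape assumed;
// marked itself hands the link renderer inline tokens rather than plain text).
const safeRenderer = {
  link({ href, title, text }) {
    if (isDangerousUrl(href)) return escapeHtml(text); // keep the label, drop the link
    const t = title ? ` title="${escapeHtml(title)}"` : '';
    return `<a href="${escapeHtml(href)}"${t}>${escapeHtml(text)}</a>`;
  },
  image({ href, title, text }) {
    if (isDangerousUrl(href)) return ''; // nothing safe to show for a blocked src
    const t = title ? ` title="${escapeHtml(title)}"` : '';
    return `<img src="${escapeHtml(href)}" alt="${escapeHtml(text)}"${t}>`;
  },
};

// Toy inline-markdown renderer: only [text](url "title") and ![alt](url "title"),
// with one level of balanced parentheses in the URL; everything else is escaped
// as text. It stands in for marked so the example runs offline.
const INLINE_LINK = /(!?)\[([^\]]*)\]\(((?:[^\s()]|\([^\s()]*\))*)(?:\s+"([^"]*)")?\)/g;

function renderMarkdown(md, renderer = safeRenderer) {
  let out = '';
  let last = 0;
  for (const m of md.matchAll(INLINE_LINK)) {
    out += escapeHtml(md.slice(last, m.index));
    const token = { href: m[3], title: m[4] || '', text: m[2] };
    out += m[1] === '!' ? renderer.image(token) : renderer.link(token);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(md.slice(last));
}

// Hypothetical session-image helper. The commit escapes mimeType; this adds, as
// an extra check, an image/* allowlist so a crafted JSONL value such as
// `image/png" onerror="alert(1)` never reaches the attribute at all.
const IMAGE_MIME = /^image\/[a-z0-9.+-]+$/i;

function renderSessionImage(img) {
  if (typeof img.mimeType !== 'string' || !IMAGE_MIME.test(img.mimeType)) return '';
  if (typeof img.data !== 'string' || !/^[A-Za-z0-9+/=]*$/.test(img.data)) return '';
  return `<img src="data:${escapeHtml(img.mimeType)};base64,${img.data}">`;
}

if (typeof require === 'function' && require.main === module) {
  // Constructed inputs: the payload from the commit message plus a crafted mimeType.
  console.log(renderMarkdown('[click](javascript:alert(1))'));
  console.log(renderMarkdown('[ok](https://example.com "t")'));
  console.log(renderMarkdown('![x](data:text/html,<script>alert(1)</script>)'));
  console.log(renderSessionImage({ mimeType: 'image/png" onerror="alert(1)', data: 'AAAA' }));
}
```

Two points worth keeping in mind when adapting this: the scheme check normalises a copy of the URL and never emits it, so the visible href is always the author's original text, escaped; and blocking data: in the image renderer, as the commit does, also drops legitimate inline base64 images written in markdown, which is the trade-off the commit accepts. An allowlist (http, https, mailto, relative paths) is the stricter alternative to the three-scheme denylist if the export format can tolerate it.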