fix: code principles audit — correctness, security, testability

- Add rows.Err() checks after all scan loops (entities, tags, resolve)
- Surface time.Parse errors instead of silently discarding
- Extract entityRow scan helper to eliminate Get/List duplication
- Cap request body at 1MB via MaxBytesReader
- Stop leaking internal errors to API clients (log server-side only)
- Block javascript: URIs in link card open button (XSS)
- Fix all go vet failures in api_test.go (unchecked http errors)
- Add tests for display package, generateCardData, absorb-source-card
- Run go mod tidy to fix direct/indirect dep markers
2026-05-14 17:41:30 -04:00
parent e708ea5c13
commit 6278cb1022
12 changed files with 500 additions and 104 deletions
+5 -1
@@ -349,7 +349,7 @@
</div>`;
case 'link':
if (data.url) {
if (data.url && isSafeUrl(data.url)) {
return `<div style="margin-bottom:12px">
<button class="action-btn" onclick="window.open('${escAttr(data.url)}', '_blank')">open link</button>
</div>`;
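Review bot: The scheme check on the new `if` line still leaves `data.url` interpolated into a JavaScript string literal inside the inline `onclick`, and `escAttr` (per the second hunk, `escHtml` plus `'` → `&#39;`) escapes only for the HTML attribute context: the HTML parser decodes `&#39;` back to `'` before the handler text is compiled as script, so a single quote in the URL ends the string literal and the remainder is evaluated as code, which a prefix-only `isSafeUrl` does not prevent. The robust fix is to drop the inline handler and render a link, `<a class="action-btn" href="${escAttr(data.url)}" target="_blank" rel="noopener noreferrer">open link</a>`, which keeps the http(s) allow-list, removes the script context entirely, and adds `noopener` so the opened page cannot reach `window.opener`. If the button must stay, put the URL in a `data-url` attribute and call `window.open(btn.dataset.url, '_blank', 'noopener')` from a listener attached in script. The leading `data.url &&` is now redundant, since the regex test already rejects a missing value; the enclosing `switch` continues outside the hunk.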
@@ -754,6 +754,10 @@
return escHtml(s).replace(/'/g, '&#39;');
}
function isSafeUrl(url) {
return /^https?:\/\//i.test(url);
}
// ========== Theme ==========
const themeToggle = $('#theme-toggle');