fix: harden API, DB, and web layer from audit findings

- Cap list API limit at 200 to prevent unbounded queries - Sanitize markdown output with DOMPurify to prevent XSS - Add v4 migration with indexes on deleted_at and modified_at - Fix v2 migration swallowed ALTER TABLE errors - Tighten ~/.nib directory permissions to 0o700
2026-05-20 20:41:53 -04:00
parent 1ac4196547
commit 8663beeb96
5 changed files with 54 additions and 5 deletions
@@ -1946,7 +1946,8 @@
  function renderMd(s) {
    if (!s) return '';
    if (typeof marked === 'undefined') return escHtml(s);
-    return marked.parse(s, { breaks: true });
+    const html = marked.parse(s, { breaks: true });
+    return typeof DOMPurify !== 'undefined' ? DOMPurify.sanitize(html) : escHtml(s);
  }

  function isSafeUrl(url) {