mirror of
https://github.com/earendil-works/pi.git
synced 2026-06-18 15:54:04 +08:00
ee462dd70d
marked v15 does not filter dangerous URL protocols. The default link renderer passes href values through verbatim, so markdown like `[click](javascript:alert(1))` renders as a clickable XSS link in shared/exported session HTML. Add custom link and image renderers that: - Block javascript:, vbscript:, and data: protocol URLs - Escape href/title/alt attributes via escapeHtml() Also escape img.mimeType in session image rendering to prevent attribute breakout from crafted session JSONL. Fixes #3531
ee462dd70d
ยท
2026-04-22 10:53:03 +02:00
History