fix: Phase 5 — XSS sanitization, cookie security, redirect validation, input trimming

- BootScreen + Settings: v-html now uses DOMPurify.sanitize() for SVG content
- FileBrowser cookie: added Secure flag and 24h expiration
- TOTP secret: hidden by default with reveal toggle button
- Login redirect: validates URL is local-origin before redirecting
- Auth fields: password inputs trimmed before submission
- Route params: appId validated against safe pattern, invalid IDs redirect to /apps

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Dorian
2026-03-18 00:55:00 +00:00
parent 5853b6a065
commit 3418c273d4
10 changed files with 84 additions and 24 deletions


@@ -59,7 +59,8 @@ class FileBrowserClient {
// FileBrowser returns the JWT as a plain string (possibly quoted)
this.token = text.replace(/^"|"$/g, '')
// Store token as cookie for img/video/audio src requests (avoids token in URL)
document.cookie = `auth=${this.token}; path=/app/filebrowser; SameSite=Strict`
const expires = new Date(Date.now() + 24 * 60 * 60 * 1000).toUTCString()
document.cookie = `auth=${this.token}; path=/app/filebrowser; SameSite=Strict; Secure; expires=${expires}`
return true
} catch {
return false
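Review bot: the 24h `expires` value is chosen independently of the JWT's own lifetime, so the cookie can outlive a token the server already rejects (or, if the JWT lives longer than a day, expire before it); consider deriving the expiry from the token's `exp` claim when it can be decoded, and clearing the cookie explicitly on logout or on the `catch` path rather than relying on expiry alone. It is also worth a comment next to the `document.cookie` write that a cookie set from JavaScript cannot be `HttpOnly`, which is the accepted trade-off for the img/video/audio src use the preceding comment describes, and that adding `Secure` means the cookie will not be sent at all on plain-http deployments, so the login will appear to succeed while media requests silently lack the token.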