fix: Phase 5 — XSS sanitization, cookie security, redirect validation, input trimming
- BootScreen + Settings: v-html now uses DOMPurify.sanitize() for SVG content - FileBrowser cookie: added Secure flag and 24h expiration - TOTP secret: hidden by default with reveal toggle button - Login redirect: validates URL is local-origin before redirecting - Auth fields: password inputs trimmed before submission - Route params: appId validated against safe pattern, invalid IDs redirect to /apps Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -218,6 +218,17 @@ async function checkSessionWithTimeout(store: ReturnType<typeof useAppStore>): P
|
||||
* Navigation Guard
|
||||
* Handles authentication and onboarding flow routing
|
||||
*/
|
||||
function isLocalRedirect(path: unknown): path is string {
|
||||
if (typeof path !== 'string') return false
|
||||
try {
|
||||
if (path.startsWith('//') || path.includes('://')) return false
|
||||
const url = new URL(path, window.location.origin)
|
||||
return url.origin === window.location.origin
|
||||
} catch {
|
||||
return false
|
||||
}
|
||||
}
|
||||
|
||||
router.beforeEach(async (to, _from, next) => {
|
||||
const store = useAppStore()
|
||||
const isPublic = to.meta.public
|
||||
@@ -228,7 +239,8 @@ router.beforeEach(async (to, _from, next) => {
|
||||
// This prevents endless spinner on mobile when checkSession hangs (slow/unreachable network).
|
||||
if (to.path === '/login' && store.isAuthenticated) {
|
||||
// Redirect back to intended page (from ?redirect= query) or default to home
|
||||
const redirectTo = (to.query.redirect as string) || '/dashboard'
|
||||
const rawRedirect = to.query.redirect
|
||||
const redirectTo = isLocalRedirect(rawRedirect) ? rawRedirect : '/dashboard'
|
||||
if (store.needsSessionValidation()) {
|
||||
next()
|
||||
checkSessionWithTimeout(store).then((valid) => {
|
||||
|
||||
Reference in New Issue
Block a user