fix: Phase 5 — XSS sanitization, cookie security, redirect validation, input trimming
- BootScreen + Settings: v-html now uses DOMPurify.sanitize() for SVG content
- FileBrowser cookie: added Secure flag and 24h expiration
- TOTP secret: hidden by default with reveal toggle button
- Login redirect: validates URL is local-origin before redirecting
- Auth fields: password inputs trimmed before submission
- Route params: appId validated against safe pattern, invalid IDs redirect to /apps

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -482,7 +482,14 @@ const route = useRoute()
|
||||
const store = useAppStore()
|
||||
const { t } = useI18n()
|
||||
|
||||
const appId = computed(() => route.params.id as string)
|
||||
const appId = computed(() => {
|
||||
const id = route.params.id
|
||||
if (typeof id !== 'string' || !/^[a-z0-9][a-z0-9._-]*$/.test(id) || id.length > 64) {
|
||||
router.replace('/apps')
|
||||
return ''
|
||||
}
|
||||
return id
|
||||
})
|
||||
|
||||
// Web-only app detection (no container — external websites)
|
||||
const WEB_ONLY_APP_URLS: Record<string, string> = {
|
||||
|
||||
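Review bot: `router.replace('/apps')` inside the `computed` getter (the `if` branch of the new `appId`) is a side effect in what Vue treats as a pure, lazily evaluated value: the redirect only fires once something reads `appId.value`, it re-runs on every dependency change, and until navigation completes consumers still receive `''` as the id and may issue requests with it. Keep the computed a pure validator and move the navigation into a `watch(appId, …, { immediate: true })` or a `beforeEnter` route guard, as sketched below. The pattern `^[a-z0-9][a-z0-9._-]*$` still admits `..` runs, so if `appId` is ever interpolated into a path or API URL it would be worth rejecting those as well. `router` is not declared in this hunk and `watch` may need importing; the `<script setup>` block continues outside the hunk.
```typescript
// Pure validation only; navigation happens in the watcher below.
const isValidAppId = (id: unknown): id is string =>
  typeof id === 'string' && id.length <= 64 && /^[a-z0-9][a-z0-9._-]*$/.test(id)

const appId = computed(() => {
  const id = route.params.id
  return isValidAppId(id) ? id : ''
})

// Redirect is a side effect, so it lives outside the computed getter.
watch(appId, (id) => {
  if (id === '') router.replace('/apps')
}, { immediate: true })
// … unchanged: WEB_ONLY_APP_URLS …
```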