Dorian d9b4478512 fix: Phase 5 — XSS sanitization, cookie security, redirect validation, input trimming ...

- BootScreen + Settings: v-html now uses DOMPurify.sanitize() for SVG content
- FileBrowser cookie: added Secure flag and 24h expiration
- TOTP secret: hidden by default with reveal toggle button
- Login redirect: validates URL is local-origin before redirecting
- Auth fields: password inputs trimmed before submission
- Route params: appId validated against safe pattern, invalid IDs redirect to /apps

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-03-18 00:55:00 +00:00

..

Old Plans

fix: resolve did:dht compilation errors

2026-03-14 04:14:04 +00:00

pentest

chore: add security pentest reports and remediation plan

2026-03-06 03:08:14 +00:00

loop.sh

chore: add pentest-fix prompt and wire verification into loop.sh

2026-03-06 03:53:36 +00:00

pentest.yaml

chore: add security pentest reports and remediation plan

2026-03-06 03:08:14 +00:00

plan.md

fix: Phase 5 — XSS sanitization, cookie security, redirect validation, input trimming

2026-03-18 00:55:00 +00:00

prepare.sh

feat: AIUI chat mode integration with iframe, context broker, overnight loop

2026-03-04 12:06:20 +00:00

prompt-pentest-fix.md

chore: add pentest-fix prompt and wire verification into loop.sh

2026-03-06 03:53:36 +00:00

prompt.md

fix: add 6 missing apps to first-boot and fix penpot icon path

2026-03-09 00:18:28 +00:00

testing.md

fix: zero-amount invoices, identity.verify DID extraction, tor service permissions

2026-03-09 09:53:36 +00:00