| Commit message (Collapse) | Author | Age | Files | Lines | |
|---|---|---|---|---|---|
| * | fix(security): escape badge source/designer to close stored XSS | Fuwn | 29 hours | 1 | -0/+56 |
| classifySource/classifyDesigner built <a> markup by raw-interpolating user-controlled badge fields and rendered it via {@html}, enabling stored XSS on public badge walls (any visitor who opened a crafted badge). Extract them into badgeLinks.ts returning {href,label} with http(s)-only href validation, render via escaped Svelte bindings, and add regression tests. | |||||