chore: add schema and shell formatting script#10
Merged
Conversation
Add Prettier schema to .prettierrc for editor validation hints. Add shfmt-based fmt:shell script so shell files follow project style. Converted component and service imports to use type-only forms. Replaced bracket array syntax with Array<> for consistency. Improved bundle tree shaking and type-only dependency clarity.
186ad8f to
0de911c
Compare
ibetitsmike
added a commit
that referenced
this pull request
Feb 19, 2026
Decode encoded URL forms before blocked-scheme checks so obfuscated payloads like `java script:` and `java%0Ascript:` are stripped during Mermaid SVG sanitization. --- _Generated with `mux` • Model: `openai:gpt-5.3-codex` • Thinking: `xhigh` • Cost: `$0.01`_ <!-- mux-attribution: model=openai:gpt-5.3-codex thinking=xhigh costs=0.01 -->
github-merge-queue Bot
pushed a commit
that referenced
this pull request
Feb 20, 2026
## Summary Fix renderer XSS exposure in diff and markdown diagram paths by removing unsafe filename HTML rendering in `HunkViewer` and hardening Mermaid SVG insertion. ## Background A filename from workspace/repository content was being transformed into HTML and injected via `dangerouslySetInnerHTML` in `HunkViewer`. Because filenames are attacker-controlled, this enabled immediate XSS when viewing a crafted diff. Given renderer-accessible privileged surfaces, that XSS materially increased impact. ## Implementation - Replaced filename highlight HTML strings in `HunkViewer` with safe React element rendering (`<mark>` nodes) so React escaping remains in effect. - Removed `dangerouslySetInnerHTML` usage for `hunk.filePath` display. - Hardened Mermaid rendering: - switched Mermaid config from `securityLevel: "loose"` to `"strict"` - added `sanitizeMermaidSvg()` and route all rendered SVG through it before `innerHTML` assignment - removed active containers (`script`, `iframe`, `object`, `embed`) and stripped inline event handlers / dangerous URL schemes from URL-bearing attributes - canonicalized encoded URL values before scheme checks (decodes entity/percent encodings and strips control/whitespace obfuscation) so payloads like `java script:` are blocked - guarded numeric entity decoding against invalid Unicode code points so crafted values cannot throw during sanitization - preserved `<foreignObject>` nodes so Mermaid wrapped labels continue to render - Added explicit `SECURITY AUDIT` comments at unavoidable HTML sinks to document trust boundaries. - Added `Mermaid.sanitization.test.ts` to verify malformed SVG rejection, active-content stripping, encoded-scheme blocking, invalid-entity handling, and label preservation. - Added a new `Security: Renderer HTML & XSS` section in `docs/AGENTS.md` to codify safe patterns. ## Validation - `make static-check` (before initial push) - `bun test src/browser/components/Messages/Mermaid.sanitization.test.ts` - `make static-check` (after foreignObject-label follow-up) - `bun test src/browser/components/Messages/Mermaid.sanitization.test.ts` - `make static-check` (after encoded-scheme canonicalization follow-up) - `bun test src/browser/components/Messages/Mermaid.sanitization.test.ts` - `make static-check` (after invalid-entity guard follow-up) ## Risks - Mermaid `securityLevel: "strict"` may reduce support for some diagram features that relied on looser behavior (especially scriptable/unsafe links), but this is intentional hardening. - Sanitization is defense-in-depth; if Mermaid output format changes significantly, sanitizer assumptions should be revisited. --- _Generated with `mux` • Model: `openai:gpt-5.3-codex` • Thinking: `xhigh` • Cost: `$0.01`_ <!-- mux-attribution: model=openai:gpt-5.3-codex thinking=xhigh costs=0.01 -->
duynguyen020304
pushed a commit
to duynguyen020304/mux
that referenced
this pull request
May 10, 2026
…RY, tests Batch 1 — Compile Errors & Correctness: - Add TOGGLE_KANBAN to KEYBIND_LABELS and KEYBIND_GROUPS (coder#1) - Fix Ctrl+K conflict → Ctrl+Shift+K to avoid PREV_WORKSPACE collision (coder#2) - Add TOGGLE_KANBAN dispatch handler in App.tsx (coder#3) - Fix dirty-cache in promoteQueuedTask: move flag clearing after moveTask (coder#5) - Wrap 4 IPC helpers in KanbanBoard with try/catch (coder#4) Batch 2 — Consistency & DRY: - Deduplicate KanbanColumnSchema: import from canonical orpc/schemas (coder#6) - Remove unused KanbanBoardData import from kanbanStorage.test (coder#7) - Remove dead KANBAN_STORAGE_KEYS constant (coder#8) - Replace console.warn with log helper in kanbanStorage (coder#9) - Replace useEffect form reset with key prop in TaskDetailModal (coder#10) - Remove unsafe {} as KanbanTask cast, use EMPTY_FORM pattern (coder#11) - Add loading state + error logging to KanbanView (coder#12, coder#13) - Add KANBAN_STATUS_LABELS helper, use in TaskDetailModal (coder#14) - Validate column membership in reorderTasks (coder#15) - Use KanbanTaskPriority type import in TaskCreateModal (coder#16) Batch 3 — Tests: - Add 4 tests for updateColumn (coder#17) - Add 3 tests for promoteQueuedTask (coder#18) - Rename misleading test 'rejects empty title' → 'accepts empty title' (coder#19) 43 tests pass (was 36). No typecheck or lint regressions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add the Prettier $schema to .prettierrc for editor validation hints.
Add the shfmt-based
bun fmt:shellscript so shell files follow the project style.Added eslint rules for type-only imports, simple-array bracket for consistency.