Skip to content

chore: add schema and shell formatting script#10

Merged
ammario merged 1 commit into
mainfrom
thomask33/10-02-add_type_imports_and_array_syntax
Oct 2, 2025
Merged

chore: add schema and shell formatting script#10
ammario merged 1 commit into
mainfrom
thomask33/10-02-add_type_imports_and_array_syntax

Conversation

@ThomasK33

@ThomasK33 ThomasK33 commented Oct 2, 2025

Copy link
Copy Markdown
Member

Add the Prettier $schema to .prettierrc for editor validation hints.
Add the shfmt-based bun fmt:shell script so shell files follow the project style.
Added eslint rules for type-only imports, simple-array bracket for consistency.

Add Prettier schema to .prettierrc for editor validation hints.
Add shfmt-based fmt:shell script so shell files follow project style.

Converted component and service imports to use type-only forms.
Replaced bracket array syntax with Array<> for consistency.
Improved bundle tree shaking and type-only dependency clarity.
@ThomasK33 ThomasK33 force-pushed the thomask33/10-02-add_type_imports_and_array_syntax branch from 186ad8f to 0de911c Compare October 2, 2025 10:53
@ammario ammario merged commit 0c2f4c0 into main Oct 2, 2025
@ThomasK33 ThomasK33 deleted the thomask33/10-02-add_type_imports_and_array_syntax branch October 2, 2025 20:59
ibetitsmike added a commit that referenced this pull request Feb 19, 2026
Decode encoded URL forms before blocked-scheme checks so obfuscated payloads like `java&#10;script:` and `java%0Ascript:` are stripped during Mermaid SVG sanitization.

---

_Generated with `mux` • Model: `openai:gpt-5.3-codex` • Thinking: `xhigh` • Cost: `$0.01`_

<!-- mux-attribution: model=openai:gpt-5.3-codex thinking=xhigh costs=0.01 -->
github-merge-queue Bot pushed a commit that referenced this pull request Feb 20, 2026
## Summary
Fix renderer XSS exposure in diff and markdown diagram paths by removing
unsafe filename HTML rendering in `HunkViewer` and hardening Mermaid SVG
insertion.

## Background
A filename from workspace/repository content was being transformed into
HTML and injected via `dangerouslySetInnerHTML` in `HunkViewer`. Because
filenames are attacker-controlled, this enabled immediate XSS when
viewing a crafted diff. Given renderer-accessible privileged surfaces,
that XSS materially increased impact.

## Implementation
- Replaced filename highlight HTML strings in `HunkViewer` with safe
React element rendering (`<mark>` nodes) so React escaping remains in
effect.
- Removed `dangerouslySetInnerHTML` usage for `hunk.filePath` display.
- Hardened Mermaid rendering:
  - switched Mermaid config from `securityLevel: "loose"` to `"strict"`
- added `sanitizeMermaidSvg()` and route all rendered SVG through it
before `innerHTML` assignment
- removed active containers (`script`, `iframe`, `object`, `embed`) and
stripped inline event handlers / dangerous URL schemes from URL-bearing
attributes
- canonicalized encoded URL values before scheme checks (decodes
entity/percent encodings and strips control/whitespace obfuscation) so
payloads like `java&#10;script:` are blocked
- guarded numeric entity decoding against invalid Unicode code points so
crafted values cannot throw during sanitization
- preserved `<foreignObject>` nodes so Mermaid wrapped labels continue
to render
- Added explicit `SECURITY AUDIT` comments at unavoidable HTML sinks to
document trust boundaries.
- Added `Mermaid.sanitization.test.ts` to verify malformed SVG
rejection, active-content stripping, encoded-scheme blocking,
invalid-entity handling, and label preservation.
- Added a new `Security: Renderer HTML & XSS` section in
`docs/AGENTS.md` to codify safe patterns.

## Validation
- `make static-check` (before initial push)
- `bun test
src/browser/components/Messages/Mermaid.sanitization.test.ts`
- `make static-check` (after foreignObject-label follow-up)
- `bun test
src/browser/components/Messages/Mermaid.sanitization.test.ts`
- `make static-check` (after encoded-scheme canonicalization follow-up)
- `bun test
src/browser/components/Messages/Mermaid.sanitization.test.ts`
- `make static-check` (after invalid-entity guard follow-up)

## Risks
- Mermaid `securityLevel: "strict"` may reduce support for some diagram
features that relied on looser behavior (especially scriptable/unsafe
links), but this is intentional hardening.
- Sanitization is defense-in-depth; if Mermaid output format changes
significantly, sanitizer assumptions should be revisited.

---

_Generated with `mux` • Model: `openai:gpt-5.3-codex` • Thinking:
`xhigh` • Cost: `$0.01`_

<!-- mux-attribution: model=openai:gpt-5.3-codex thinking=xhigh
costs=0.01 -->
duynguyen020304 pushed a commit to duynguyen020304/mux that referenced this pull request May 10, 2026
…RY, tests

Batch 1 — Compile Errors & Correctness:
- Add TOGGLE_KANBAN to KEYBIND_LABELS and KEYBIND_GROUPS (coder#1)
- Fix Ctrl+K conflict → Ctrl+Shift+K to avoid PREV_WORKSPACE collision (coder#2)
- Add TOGGLE_KANBAN dispatch handler in App.tsx (coder#3)
- Fix dirty-cache in promoteQueuedTask: move flag clearing after moveTask (coder#5)
- Wrap 4 IPC helpers in KanbanBoard with try/catch (coder#4)

Batch 2 — Consistency & DRY:
- Deduplicate KanbanColumnSchema: import from canonical orpc/schemas (coder#6)
- Remove unused KanbanBoardData import from kanbanStorage.test (coder#7)
- Remove dead KANBAN_STORAGE_KEYS constant (coder#8)
- Replace console.warn with log helper in kanbanStorage (coder#9)
- Replace useEffect form reset with key prop in TaskDetailModal (coder#10)
- Remove unsafe {} as KanbanTask cast, use EMPTY_FORM pattern (coder#11)
- Add loading state + error logging to KanbanView (coder#12, coder#13)
- Add KANBAN_STATUS_LABELS helper, use in TaskDetailModal (coder#14)
- Validate column membership in reorderTasks (coder#15)
- Use KanbanTaskPriority type import in TaskCreateModal (coder#16)

Batch 3 — Tests:
- Add 4 tests for updateColumn (coder#17)
- Add 3 tests for promoteQueuedTask (coder#18)
- Rename misleading test 'rejects empty title' → 'accepts empty title' (coder#19)

43 tests pass (was 36). No typecheck or lint regressions.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants