The share button built the tweet text from a single-quoted string containing ${videoId}, so it shared the literal 'watch?v=${videoId}' instead of the actual video URL. Use a template literal so videoId interpolates.
dompurify 3.4.8 is flagged by yarn audit (npm advisory 1120805: a Trusted Types policy survives clearConfig and can poison later RETURN_TRUSTED_TYPE output, patched in >=3.4.9). It's the library behind SanitizeHtml — the client's XSS defence — so keep it current. After the bump yarn audit reports 0 vulnerabilities. typecheck 0, tests green.
@emoji-mart/data (~430 KB / ~82 KB gzip) was pulled into the initial load by three always-mounted views (catalog custom-prefix, nick-icon, chat-input emoji selector) importing it statically. Add LazyEmojiPicker — a Suspense wrapper that dynamically imports the data + Picker on first open — and use it in those three sites.
Verified via the build manifest: the entry chunk no longer imports vendor-emoji statically or dynamically; vendor-emoji is now a dynamicImport of src/index.tsx, loaded on first picker open. No behaviour change. typecheck 0, tests 545/545.
A seasonal currency with no purse.seasonal.currency.<type> text rendered the raw key (e.g. 'purse.seasonal.currency.11') in the purse. Share PurseView's existing localizeWithFallback helper (extracted to api/utils with a pure resolveLocalized core + tests) and use it in SeasonalView with an empty fallback, so an unnamed currency shows just its icon + amount. Verified in-app.
NotificationDefaultAlertView / NotificationDefaultBubbleView injected the server notification message (newline->br only) via dangerouslySetInnerHTML. Route through SanitizeHtml — the allow-list keeps the br/link/formatting these alerts use and strips anything else. Left Nitropedia (rich fetched HTML w/ tags outside the allow-list) and NitrobubbleHidden (<style> block) untouched on purpose: SanitizeHtml would break them.
URLs reached window.open from user/server-controlled content without a protocol check or noopener, allowing reverse-tabnabbing and (for the chat link handler) a javascript:/data: href running in our origin.
- add isSafeExternalUrl() (http/https only) + tests; gate the chat link opener (useOnClickChat) and external photo opener with it
- SanitizeHtml: afterSanitizeAttributes hook forces rel="noopener noreferrer" on any target=_blank anchor (overrides attacker-supplied rel)
- add noopener,noreferrer to the remaining window.open(_blank) sites (YouTube share, external photo, guide forum link); drop a stray console.log
Several dangerouslySetInnerHTML sinks rendered user-controlled strings (chat messages, usernames, chat history) without sanitisation, relying implicitly on upstream formatting or server-side charset limits. Route them all through the existing SanitizeHtml (DOMPurify) helper so the security guarantee is local to each render site.
Sinks fixed: ChatWidgetWindowView (name/message/original/translated), ChatHistoryView (name/message), AvatarInfoWidgetNameView + AvatarInfoWidgetAvatarView (username), SelectReportedUserView (username).
Add regression suites: SanitizeHtml.test.ts (XSS neutralised, chat markup preserved) and RoomChatFormatter.test.ts (pins the existing encodeHTML defence). No behaviour change: SanitizeHtml's allow-list keeps the b/i/u/span/strong/em/br markup the chat/profile UI relies on.
The flood/mute warning was rendered inside the inline-grid input-sizer with no
single-line constraint, so a long message (e.g. a large remaining time) wrapped
to a second line and, with the bar's overflow-visible, spilled out the top. Give
it its own centered, single-line, truncating container so it stays within the
bar regardless of length.
VaultView wired to the Earnings Center packets: requests data on open, renders
real amounts/claimable per category from EarningsCenterEvent, Riscatta + Richiedili
Tutti send the claim composers, refreshes on EarningsClaimResultEvent. Category
keys match the emulator contract; reward currencies derived from reward type.
Adds the real earnings_icon assets. Wired into MainView.
Move the .nitro-help blue-header / grey-body override to global CSS so it also
covers the separate SanctionStatusView card (was an inline <style> in HelpView,
so the sanctions body stayed teal). Replace the flat 'success' buttons with the
beveled Habbo-green button (.habbo-btn-green) matching the reference. Restructure
the sanctions box to a single column: text on top, safety link (left) + green
'Ho capito' (right) pinned to the bottom.
Centered single-column index (blue header + light grey body), the real
help_duck asset, two green buttons (report + player support), and three
green-arrow links: read more about safety, my sanctions, my reports. The
report-flow steps keep the original 2-column grid.
Request earnings on open (RequestEarningsCenterComposer), render real
amounts/claimable per category from EarningsCenterEvent, per-row Riscatta +
Richiedili Tutti send the claim composers, refresh on EarningsClaimResultEvent.
Category keys aligned to the emulator contract; reward currencies derived from
reward type; rows fall back to the static skeleton before data lands.
Target .nitro-card-content-shell for the grey body (the previous .content-area
selector didn't match), and tighten row height (smaller icon box + less gap) to
match the more compact Habbo reference.
Use the real gamedata keys (earnings.title, earnings.dailygift.label,
earnings.achievements.label, earnings.claim.button, ...) instead of invented
ones, so the window is properly localized. 'games'/'clubwork' have no standard
key — custom key + Italian fallback.
Replace the FontAwesome placeholders with the hotel's actual earnings_icon_*
PNGs (daily gift, games, achievements, marketplace, HC payday, level
progression, donations, bonus bag, surprise). Club e Lavoro uses the generic
earnings icon (no dedicated asset).
Each row is now a white bordered card (icon + name) with the currencies and a
gray disabled Riscatta button outside it, plus a gray disabled Richiedili Tutti
at the bottom — matching the reference screenshot.
Wire the dead 'Guadagni' purse button (habboUI/open/vault) to a new VaultView:
the 10 earning categories from the reference, each with currency icons, a 0
placeholder amount and a disabled Riscatta button, plus a disabled Richiedili
Tutti. Amounts/claims are placeholders until the emulator exposes the data.
Bring back the purse gear dropdown (Audio/Discord/Chat/Altre/Filtro) instead of
the tabbed window, and add a 'Gestione Account' item that opens the account
settings window.
Match the account window's look across all settings tabs: each control sits in
a rounded white card row with a section label, and the window width is 340px.
Replace the gear dropdown with a single tabbed window: Audio / Chat / Altre /
Account. Audio/Chat/Altre reuse the existing volume + preference controls;
Account recovers UserAccountSettingsView (now embeddable via an 'embedded' prop
that renders its body without its own card). Removes the dropdown menu + dead css.
The purse gear now opens a dropdown (Audio / Discord / Chat / Altre / Filtro
Parole). Audio/Chat/Altre open UserSettingsView focused on that section
(reusing the existing volume + preference controls) with a Back button; Discord
and Filtro Parole are placeholders for now.
DuckieTM