duckietm/Nitro-V3
1
0
Fork 0
mirror of https://github.com/duckietm/Nitro-V3.git synced 2026-06-19 15:06:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
ff3bd1691b45f4a82e08ff3056e233abe57f1523
Nitro-V3/src/components/help
T
History
simoleo89 301294ecf4 fix(security): sanitize user-controlled HTML in chat & username sinks 
Several dangerouslySetInnerHTML sinks rendered user-controlled strings (chat messages, usernames, chat history) without sanitisation, relying implicitly on upstream formatting or server-side charset limits. Route them all through the existing SanitizeHtml (DOMPurify) helper so the security guarantee is local to each render site.

Sinks fixed: ChatWidgetWindowView (name/message/original/translated), ChatHistoryView (name/message), AvatarInfoWidgetNameView + AvatarInfoWidgetAvatarView (username), SelectReportedUserView (username).

Add regression suites: SanitizeHtml.test.ts (XSS neutralised, chat markup preserved) and RoomChatFormatter.test.ts (pins the existing encodeHTML defence). No behaviour change: SanitizeHtml's allow-list keeps the b/i/u/span/strong/em/br markup the chat/profile UI relies on.
2026-06-17 19:00:42 +02:00
..
views
fix(security): sanitize user-controlled HTML in chat & username sinks
2026-06-17 19:00:42 +02:00
HelpView.tsx
fix(help): Habbo-green buttons + restyle sanctions box
2026-06-15 22:23:16 +02:00