fix: adversarial review fixes for ux-audit and heatmap

Security:
- Remove live form value extraction from ux-audit (leaked input field values)
- Add ux-audit to PAGE_CONTENT_COMMANDS (untrusted content wrapping)

Correctness:
- Scope youAreHere selector to nav containers (was matching animation classes)
- Validate heatmap JSON is a plain object (string/array/null produced garbage)
- Use textContent instead of innerText for word count (avoids layout computation)
- Remove dead url variable and unused LINK_CAP constant

Found by Codex + Claude adversarial review.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-04-14 09:08:57 -07:00
parent c12c30e191
commit e2ab41502e
3 changed files with 13 additions and 8 deletions


@@ -482,9 +482,13 @@ export async function handleSnapshot(
let colorAssignments: Record<string, string>;
try {
colorAssignments = JSON.parse(opts.heatmap);
const parsed = JSON.parse(opts.heatmap);
if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
throw new Error('not an object');
}
colorAssignments = parsed;
} catch {
throw new Error('Invalid heatmap JSON. Expected: \'{"@e1":"green","@e3":"red"}\'');
throw new Error('Invalid heatmap JSON. Expected object: \'{"@e1":"green","@e3":"red"}\'');
}
// Validate colors
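Review bot: the `catch {}` at the end of this hunk discards the original error, so a caller sees the same "Invalid heatmap JSON" message whether `JSON.parse` rejected malformed input or the new shape check threw `'not an object'`; since the check throws a distinct error inside the `try`, that distinction is already there and is worth surfacing. Suggest binding the error and appending its message, e.g. `} catch (e) {` / `throw new Error(\`Invalid heatmap JSON (${(e as Error).message}). Expected object: '{"@e1":"green","@e3":"red"}'\`);`, so operators can tell a typo in the JSON from a wrong top-level type. Separately, the shape check only establishes that `parsed` is a non-null, non-array object before it is assigned to `colorAssignments: Record<string, string>`; nothing in this hunk confirms the values are strings, so the `// Validate colors` step that follows must reject non-string values (numbers, nested objects) rather than assume the type annotation holds.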