Caspian Notes v1.3.4 — security hardening pass #3
CaspianTools
announced in
Announcements
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Security-focused release. No user-facing behavior change.
textContent-only XSS invariant in the webview — two static-stringinnerHTMLcallsites (empty-state heading, pin-button SVG) now build their DOM properly viacreateElement/createElementNS. Documented invariant restored.THREAT_MODEL.md§F. The preview sendsmarked.parse(body)toinnerHTML, which is safe under the existing CSP (blocks<script>,on*handlers,javascript:URIs,<iframe>, remote<img>). No runtime sanitizer needed; future contributors warned via inline comment.@typescript-eslint6 → 8 — closes all 6 high-severitynpm auditfindings..gitignorehardened with.env*, credential files, private keys.Grab it on the VS Code Marketplace: https://marketplace.visualstudio.com/items?itemName=CaspianTools.caspian-notes
Full notes: https://github.com/Caspian-Explorer/caspian-notes/releases/tag/v1.3.4
Beta Was this translation helpful? Give feedback.
All reactions