Add security hardening: URL validation, input sanitization, and JSON parsing guards

[Copilot]

Addressed missing security controls that left the app vulnerable to XSS, phishing, prompt injection, and cache poisoning attacks.

Changes

URL Validation (utils/url-validator.ts)

• Protocol whitelist enforcement (http/https only)
• Localhost/private IP blocking
• Phishing pattern detection (@ in hostname)
• Applied to ExternalLink component

Input Sanitization (utils/event-generation.ts)

• Strips control chars, quotes, backticks, JSON delimiters from location inputs
• Prevents prompt injection into AI event generation
• Length capped at 200 chars

JSON Parsing Guards (utils/event-cache.ts, utils/storage.ts)

• Type validation and timestamp bounds checking
• Auto-purges malformed cache entries
• Extracts magic numbers to constants

Web Security Headers (app/+html.tsx)

• X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy
• Documents safe use of dangerouslySetInnerHTML for static CSS

Example

// Before: URLs opened without validation
WebBrowser.openBrowserAsync(props.href);

// After: Validated before opening
if (!isValidUrl(props.href)) {
  console.error('[ExternalLink] Invalid or unsafe URL:', props.href);
  return;
}
WebBrowser.openBrowserAsync(props.href);

Audit Results

• npm audit: 0 vulnerabilities
• CodeQL: 0 alerts
• Test suite: 25+ cases for URL validator

Original prompt

Check for security issues

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.