Skip to content

2.2.4 — Output safety: attribute-safe escaping, ARIA wiring, input sanity

Latest
Latest

Choose a tag to compare

View all tags
@csthink csthink released this 16 Jun 05:53
· 3 commits to main since this release
v2.2.4
9db76b4

A patch, not a feature: same inputs, same self-contained-HTML output contract. Three generator-internal hardening items.

Fixed

  • A \" (or ') in any label / id no longer corrupts the output. esc() escaped only & < >, yet its result feeds attribute contexts (data-grp, data-grp-id, <title>/<desc>); a single quote broke out of the attribute, so the SVG stopped parsing as XML and arbitrary markup could go live. It now also escapes \"&quot; and '&#39; — lossless (rendered identically as text; check_fidelity unescapes before comparing, so labels stay verbatim). No attacker needed; a Mermaid label with a quote triggered it.
  • A malformed group parent cycle no longer hangs the engine forever. The layout walked the parent chain in three places with no cycle guard, so a loop spun indefinitely — a silent hang that ate the whole latency budget. Generation now validates up front and exits with a named cycle.

Added

  • Style-token validation (fail-safe-to-render). Journey dot color, classDef semStroke/semDash, and legendExtra stroke/dash are validated (color = hex or rgb[a], dash numeric). An unrecognized value falls back to the engine default and prints a one-line stderr notice; it never drops a node or aborts the render.
  • ARIA wiring on the output SVG. <title>/<desc> now carry ids; the <svg> links them via aria-labelledby/aria-describedby and sets aria-roledescription (flowchart / architecture diagram). Invisible to sighted users; the file stays self-contained.
  • Pre-render input sanity (fail-closed). Missing id/from/to, edge/journey endpoints referencing unknown nodes, and group parent referencing an unknown group are all reported at once with a readable list instead of a deep traceback. Not a general schema validator — only the invariants the engine assumes.

Verified

  • run_checks 11/11, check_diagram 0 violations (incl. C9) on all 12 fixtures, check_fidelity PASS. End-to-end medium-effort run: 11/11 cases verified, a fresh bianque-class 30+ node diagram in ~3 min (inside the 8-min gate). Performance-neutral: model output unchanged; render +~0.8 ms/figure, output +~1.4% (ARIA attributes).

Install: npx skills add csthink/dashmotion -a claude-code -g; upgrade: npx skills update dashmotion -g -y; or download the zip.

Assets 3
Loading