v0.3.4

@jpettitt jpettitt released this 09 May 01:37

Security

This release contains an XSS hardening fix. Earlier versions rendered mesh-sourced strings (adv_name, friendly_name, contact attributes, entity_picture URL, icon name) directly into card HTML via innerHTML. A node operator within LoRa range of any node connected to your HA instance could inject HTML/JS that executes in the HA frontend session. All users should update.

What's new

  • Fixed: repeater status and metrics not showing. The card now detects the binary_sensor.*_online_* connectivity entity emitted by current meshcore-ha versions, treats "on" as online, and tolerates the new neighbor entity layout that previously broke metric discovery.
  • Hardened: HTML escaping. All entity-sourced strings are escaped before rendering. entity_picture URLs and icon values are also validated against a safe-shape allow-list.
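
The escape-then-validate pattern described in the Hardened item, as an added example that is not taken from the card's source. The function names, the regular expressions, the fallback icon and the sample state object are assumptions about what a "safe shape" could look like, not the project's actual allow-list.

```javascript
// Added example: escaping plus "safe-shape" validation for mesh-sourced values.
// The patterns below are assumptions, not the card's actual allow-list.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape text for use in HTML element content or a quoted attribute value.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Icon names are accepted only in "prefix:name" form, e.g. "mdi:radio-tower".
const ICON_SHAPE = /^[a-z0-9]+:[a-z0-9-]+$/;
function safeIcon(value, fallback = "mdi:help-circle") {
  return typeof value === "string" && ICON_SHAPE.test(value) ? value : fallback;
}

// Picture URLs: https URLs or same-origin absolute paths, built from URL-safe
// characters only (no quotes, whitespace, angle brackets or backslashes).
const PICTURE_SHAPE = /^(?:https:\/\/|\/(?!\/))[A-Za-z0-9\-._~:\/?#\[\]@!$&()*+,;=%]*$/;
function safePictureUrl(value) {
  return typeof value === "string" && PICTURE_SHAPE.test(value) ? value : null;
}

// Build one contact row as an HTML string destined for innerHTML.
function renderContact(state) {
  const attrs = state.attributes ?? {};
  const name = escapeHtml(attrs.adv_name || attrs.friendly_name || state.entity_id);
  const picture = safePictureUrl(attrs.entity_picture);
  const avatar = picture
    ? `<img class="avatar" src="${escapeHtml(picture)}" alt="">`
    : `<ha-icon icon="${escapeHtml(safeIcon(attrs.icon))}"></ha-icon>`;
  return `<div class="contact">${avatar}<span class="name">${name}</span></div>`;
}

// Constructed sample: a state object whose strings came from a mesh advert.
const hostileState = {
  entity_id: "binary_sensor.node_contact",
  attributes: {
    adv_name: '<img src=x onerror="alert(1)">',
    entity_picture: "javascript:alert(1)",
    icon: 'mdi:radio" onclick="alert(1)',
  },
};
console.log(renderContact(hostileState));
```

Validation runs before escaping: a value that fails its shape check is replaced by a fallback rather than repaired, and the value that passes is still escaped when placed in the attribute.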

Full changelog: v0.3.2...v0.3.4