Conversation
… XSS Adds whitelist-based URL sanitizer that only allows http:, https:, mailto:, relative, and fragment URLs. Blocks javascript:, data:, vbscript: and other dangerous protocols. Closes #43 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add rehype-sanitize to the markdown rendering pipeline to prevent HTML injection attacks (script tags, forms, style-based content spoofing) in thread conversations. Uses GitHub-style sanitization schema. Closes #44 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Local commands (/clear, /help, /compact) use <local-command-stdout> tags instead of <instructions>/<output>. The parser now detects these and emits a LocalCommandBlock with its own component, icon, and i18n label. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
fix: XSS injection in thread pages via URL sanitization (#43)
Combines rehype-sanitize (HTML sanitization) from this branch with urlTransform (URL sanitization) from develop for defense in depth. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…tion fix: sanitize markdown HTML to prevent injection in threads
Cache Supabase queries using unstable_cache (Next.js Data Cache) with
on-demand revalidation via tags. No rendering model changes — pages
stay dynamic, no Suspense boundaries needed.
Cache layer:
- getCachedThread: cached per thread ID, tag "thread-{id}"
- getCachedMessages: cached per session, no tags (immutable data)
- getCachedFeaturedThreads: cached with tag "featured-threads"
Revalidation:
- like() → revalidateTag("thread-{id}")
- toggleVisibility() → revalidateTag("thread-{id}")
- deleteThread() → revalidateTag("thread-{id}")
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
feat: add data caching for threads, messages, and featured threads
fix: render local CLI commands as distinct block type
vtemian
added a commit
that referenced
this pull request
Feb 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Brief description of changes.
Changes
Claudebin Session
🔗 Session Link
Testing
How did you test this?
Checklist
bun checkpassesbun type-checkpasses