Bugfix/audit 31 05 2026 #31

Merged
hexplus merged 37 commits into main from bugfix/audit-31-05-2026
Jun 1, 2026
Conversation

@hexplus hexplus commented Jun 1, 2026

Owner

Description

Consolidates three security guards that had been re-implemented (and had drifted apart) across the codebase into single, shared, individually-tested helpers, so the same class of bug can't reappear in one code path while another stays fixed.

  • src/utils/guards.ts (new) — isUnsafeKey() / stripUnsafeKeys() for prototype-pollution keys (__proto__/constructor/prototype). Replaces 5 hand-rolled copies in globalStore, machine, persist, dragDrop, and routerSSR.
  • src/utils/sanitize.ts: isEventHandlerAttr() unifies 6 divergent on*-handler checks (some strict, some loose) into the spec-accurate rule; stripControlChars() replaces 4 inline copies of the URL control-character strip used by sanitizeUrl, the router's isSafeNavigationTarget, and the SSR/head meta-refresh guards.
  • Added tests/guards.test.ts (9 adversarial cases) hitting the shared guards directly.

No public API changes. One minor behavior note: the previously-loose on* sites now use the strict rule, so a non-handler attribute like on-foo is no longer blocked (harmless — setAttribute doesn't execute it; real on* handlers are still refused).

Related Issue

Closes #

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update
  • Refactor / security hardening (no behavior change)

Checklist

  • I have read CONTRIBUTING.md
  • My code builds without errors
  • I have tested my changes
  • I have updated documentation if needed
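
The three guard families the PR description names, written out as an added example so the consolidation can be seen end to end. This is not the project's code and does not reproduce its implementation: the function names isUnsafeKey, stripUnsafeKeys, isEventHandlerAttr and stripControlChars come from the PR text, but their bodies, the helper mergeUntrusted, the isSafeUrl scheme check, the on[a-z]+ rule, the control-character range and the scheme allowlist are all assumptions made here. The sample JSON and URLs are constructed inputs.

```typescript
// Added example, not the project's code. Guard bodies and helpers are assumed.

// --- Prototype-pollution keys --------------------------------------------
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

/** True for keys that, when written from untrusted input, can reach Object.prototype. */
export function isUnsafeKey(key: string): boolean {
  return UNSAFE_KEYS.has(key);
}

/** Deep-copies a JSON-like value, dropping unsafe keys at every nesting level.
 *  JSON.parse creates an own "__proto__" property, so Object.keys does see it. */
export function stripUnsafeKeys<T>(value: T): T {
  if (Array.isArray(value)) {
    return value.map((v) => stripUnsafeKeys(v)) as unknown as T;
  }
  if (value !== null && typeof value === "object") {
    const src = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const key of Object.keys(src)) {
      if (isUnsafeKey(key)) continue; // the only line that matters for pollution
      out[key] = stripUnsafeKeys(src[key]);
    }
    return out as T;
  }
  return value;
}

/** Recursive merge of untrusted data into a store: strip first, then merge.
 *  Assumed helper; the store shape is the classic deep-merge that pollution targets. */
export function mergeUntrusted(
  target: Record<string, unknown>,
  untrusted: unknown
): Record<string, unknown> {
  const src = stripUnsafeKeys(untrusted);
  if (src === null || typeof src !== "object" || Array.isArray(src)) return target;
  for (const [k, v] of Object.entries(src as Record<string, unknown>)) {
    const cur = target[k];
    const bothPlainObjects =
      v !== null && typeof v === "object" && !Array.isArray(v) &&
      cur !== null && typeof cur === "object" && !Array.isArray(cur);
    if (bothPlainObjects) {
      mergeUntrusted(cur as Record<string, unknown>, v);
    } else {
      target[k] = v;
    }
  }
  return target;
}

// --- Event-handler content attributes ------------------------------------
/** Assumed strict rule: "on" followed by one or more ASCII letters, compared
 *  case-insensitively because HTML attribute names are. "on-foo" and "on" alone
 *  are not handler attributes, so they pass, as the PR's behavior note describes. */
export function isEventHandlerAttr(name: string): boolean {
  return /^on[a-z]+$/i.test(name);
}

// --- URL control characters -----------------------------------------------
/** Assumed range: C0 controls (U+0000-U+001F) and DEL. These are characters a
 *  browser ignores inside a scheme, so they must be removed before any scheme
 *  check, otherwise the check and the browser disagree about what the URL says. */
export function stripControlChars(url: string): string {
  return url.replace(/[\u0000-\u001F\u007F]/g, "");
}

const SAFE_SCHEMES = new Set(["http", "https", "mailto", "tel"]); // assumed allowlist

/** Assumed navigation-target check: strip, trim, then allowlist the scheme.
 *  Relative URLs (no scheme) are accepted; an unknown scheme is refused. */
export function isSafeUrl(raw: string): boolean {
  const url = stripControlChars(raw).trim().toLowerCase();
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(url);
  if (scheme === null) return true; // relative URL, no scheme to abuse
  return SAFE_SCHEMES.has(scheme[1]);
}
```

The on[a-z]+ rule over-approximates (an attribute such as `once` would be refused too); that is the conservative side to err on for a guard that only decides whether setAttribute may run, and a spec-exact implementation would compare against the finite list of event handler content attributes instead. The order inside isSafeUrl is the point of stripControlChars: the same strip must run before every scheme check, which is exactly the drift the PR removes by making it one shared function.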

hexplus added 30 commits March 28, 2026 15:11
hexplus added 7 commits May 29, 2026 17:22
Sanitize RouterLink and SSR output, fix the htm parser, reactive-child
ordering/disposal, router/scheduler/data correctness, and assorted
memory leaks. Adds SSR request-scoped query cache, infiniteQuery
maxPages, and mutation cancellation. See CHANGELOG for details.
… URL control-char guards into shared tested helpers
@hexplus hexplus merged commit bab27d0 into main Jun 1, 2026
1 check passed