marcel/familienarchiv
1
0
Fork 0
Code Issues 125 Pull Requests Actions Packages Projects Releases Wiki Activity
1,728 Commits 21 Branches 0 Tags
26519d029a3730415c4372069611d35ca3d61746
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Marcel 26519d029a feat(person-mention): reject non-UUID personIds at the renderer boundary 
Nora's CWE-601 (Open Redirect) defense-in-depth concern: today the backend
emits UUIDs, but renderTranscriptionBody concatenates personId straight into
an href. If a future "external person" feature ever flows a non-UUID through
the sidecar, the renderer would happily emit `<a href="javascript:…">`.

Add a strict UUID regex check before substituting. Non-UUID entries fall
through unchanged so the @-trigger remains as plain text — no silent data
loss, no clickable redirect.

Three new failing→passing tests cover javascript: scheme, absolute URL, and
the positive case (well-formed UUID still renders). Existing tests that used
synthetic IDs ("p-short", "p-first", etc.) updated to real UUIDs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-29 08:50:28 +02:00
.claude
chore: add Claude personas, skills, memory, and project docs
2026-04-14 23:21:15 +02:00
.devcontainer
fix: correct devcontainer workspace path mismatch
2026-03-15 13:44:06 +01:00
.gitea/workflows
test(ocr): add /train-sender auth tests and run sender registry tests in CI
2026-04-17 21:14:27 +02:00
.husky
chore(hooks): remove pre-push E2E hook
2026-03-22 22:15:00 +01:00
.vscode
fix: activate dev Spring profile in VS Code launch config
2026-03-15 14:17:07 +01:00
backend
migration(transcription): add unique constraint on (block_id, person_id) sidecar
2026-04-28 23:42:05 +02:00
docs
docs(adr): ADR-006 synchronous domain events inside the publisher's transaction
2026-04-28 21:42:03 +02:00
frontend
feat(person-mention): reject non-UUID personIds at the renderer boundary
2026-04-29 08:50:28 +02:00
ocr-service
fix(ocr): guard Kraken block extraction against missing boundary/baseline
2026-04-23 09:33:03 +02:00
proofshot-artifacts
chore(screenshots): retake proofshots after bg-canvas fix
2026-03-29 19:12:14 +02:00
scripts
feat(ocr): add DTA-derived historical German wordlist and generation script
2026-04-17 16:48:26 +02:00
.env.example
fix(deploy): increase OCR healthcheck start_period, comment ocr_cache volume, add token hint
2026-04-14 21:17:53 +02:00
.gitignore
fix(rate-limit): only trust X-Forwarded-For from known reverse proxies
2026-04-19 01:20:11 +02:00
CLAUDE.md
docs(claude): update back link pattern to use BackButton component
2026-04-22 10:50:35 +02:00
CODESTYLE.md
docs(codestyle): add Svelte 5 specific rules with examples
2026-03-20 15:58:40 +01:00
COLLABORATING.md
docs(collab): add user journey and E2E scenario requirements
2026-03-22 19:44:18 +01:00
docker-compose.ci.yml
ci: set up CI pipeline with unit, backend, and E2E test jobs
2026-03-19 12:03:37 +01:00
docker-compose.yml
chore(ocr): lower OCR_MAX_CACHED_MODELS to 2 with memory budget comment
2026-04-17 20:20:53 +02:00
Description
No description provided
44 MiB
Languages
Python 73.1%
TypeScript 11.5%
Java 10.9%
Svelte 4.2%
Shell 0.1%