vikunja/frontend/src
kolaente 111ac9c726 fix: prevent XSS via innerHTML injection in link edit prompt
Replace innerHTML with DOM API calls in inputPrompt.ts. The oldValue
parameter (sourced from a link's href attribute in the TipTap editor)
was interpolated directly into an HTML string, allowing stored XSS if
an attacker crafted a malicious href. Using document.createElement and
setting .value as a property ensures the value is never parsed as HTML.
2026-02-25 12:01:57 +01:00
assets feat: add subsets for all supported languages 2025-08-17 23:11:30 +02:00
components fix: prevent reflected HTML injection via filter URL parameter 2026-02-25 12:01:57 +01:00
composables feat: add frontend session management with refresh tokens 2026-02-25 10:30:25 +01:00
constants refactor: extract auth route names into shared constant 2026-02-06 10:58:50 +01:00
directives fix(frontend): make v-focus directive work with wrapper components 2026-01-10 21:59:06 +01:00
helpers fix: prevent XSS via innerHTML injection in link edit prompt 2026-02-25 12:01:57 +01:00
i18n feat: add frontend session management with refresh tokens 2026-02-25 10:30:25 +01:00
indexes chore: fix indentation 2025-06-19 10:53:35 +02:00
message feat: merge duplicate notifications (#2056) 2026-01-06 17:36:29 +00:00
modelSchema/common chore: fix indentation 2025-06-19 10:53:35 +02:00
modelTypes feat: add frontend session management with refresh tokens 2026-02-25 10:30:25 +01:00
models feat: add frontend session management with refresh tokens 2026-02-25 10:30:25 +01:00
modules fix: iterate past rejected middle matches in matchDateAtBoundary() 2026-02-06 10:57:50 +01:00
router feat: add frontend session management with refresh tokens 2026-02-25 10:30:25 +01:00
services feat: add frontend session management with refresh tokens 2026-02-25 10:30:25 +01:00
stores feat: add frontend session management with refresh tokens 2026-02-25 10:30:25 +01:00
styles refactor: move bulma button styles to button component 2026-01-08 13:23:38 +01:00
types chore(tests): remove Cypress, use Playwright exclusively (#1976) 2025-12-12 20:07:18 +00:00
views feat: add frontend session management with refresh tokens 2026-02-25 10:30:25 +01:00
App.vue fix: guard against undefined route.name in auth layout check 2026-02-06 10:58:50 +01:00
histoire.setup.ts chore(tests): remove Cypress, use Playwright exclusively (#1976) 2025-12-12 20:07:18 +00:00
main.ts chore(tests): remove Cypress, use Playwright exclusively (#1976) 2025-12-12 20:07:18 +00:00
pinia.ts chore: move frontend files 2024-02-07 14:56:56 +01:00
registerServiceWorker.ts fix: lint issues 2024-10-29 09:57:53 +00:00
sentry.ts fix: migrate Sentry integration to SDK v8 API (#1769) 2025-11-07 15:20:57 +00:00
sw.ts fix: prevent browser from caching API responses 2026-02-24 10:37:49 +01:00
urls.ts feat: add utm tag to powered by link 2024-09-23 12:07:06 +02:00
version.json chore: add missing eof newlines (#969) 2025-06-17 09:11:32 +00:00