mirror of
https://github.com/safishamsi/graphify.git
synced 2026-07-14 11:27:10 +00:00
98c7ec039a
The HTML report's neighbor "focus" links dropped an unescaped JSON.stringify(nid) into a double-quoted inline onclick. The stringified value carries its own quotes, so the attribute was truncated on every node (links never worked), and a node id/label containing a double-quote broke out of the attribute and injected live event handlers. AST ids are [a-z0-9_]-safe, but ids/labels from documents or titles scraped via `graphify add <url>` are not, so a hostile source could plant an executable handler into a locally-opened report. Carry the id in an HTML-escaped data-nid attribute and dispatch via one delegated listener bound to document (survives the innerHTML rebuild that recreates #neighbors-list). Closes the injection and repairs the links. Reported by @edgestack-ai. Co-Authored-By: edgestack-ai <edgestack-ai@users.noreply.github.com> Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>