html-embed: minor hardening (strip root-node type-check; document client read-only relies solely on server strip) #30
Found in security review of PR #16 (merged in 7a03321d). Severity: nit.

stripHtmlEmbedNodes only filters children; the root node itself is never type-checked (apps/server/src/common/helpers/prosemirror/html-embed.util.ts ~L33-41). Not exploitable in practice (the document root is always doc), but a defensive root-type check would make the helper total.

html-embed-view.tsx:71). Correct by design, but it is the sole client-side safeguard for share viewers and deserves an explicit note/test.
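The following is an added illustration, not the project's html-embed.util.ts helper, of the difference between a strip that only walks children and a "total" one that also checks the root. It models ProseMirror JSON as plain objects; the node type name htmlEmbed and the function names are assumptions, and the sample document is constructed for the example.

```typescript
// Added example, not code from the project. A ProseMirror JSON node: a type,
// optional child content, plus whatever attrs/marks/text the node carries.
type PMNode = { type: string; content?: PMNode[]; [k: string]: unknown };

// Assumed node type name for the HTML embed node; the real schema may differ.
const EMBED_TYPE = "htmlEmbed";

// Shared recursive walk: drops embed nodes at any depth below the node it is given.
function stripDescendants(node: PMNode): PMNode {
  if (!Array.isArray(node.content)) return { ...node };
  const content = node.content
    .filter((child) => child.type !== EMBED_TYPE)
    .map(stripDescendants);
  return { ...node, content };
}

// Children-only variant (the shape the issue describes): the root is copied
// through untouched, so a caller that hands in an embed node as the root gets
// that embed node back.
function stripChildrenOnly(root: PMNode): PMNode {
  return stripDescendants(root);
}

// Total variant: the root's own type is checked first. Anything that is not a
// doc node (including an embed node supplied as root, or a non-object) is
// replaced by an empty doc instead of being passed through.
function stripHtmlEmbedNodesTotal(root: unknown): PMNode {
  if (root === null || typeof root !== "object") return { type: "doc", content: [] };
  const node = root as PMNode;
  if (node.type !== "doc") return { type: "doc", content: [] };
  return stripDescendants(node);
}

// Helper for checking results: counts nodes of a given type in a tree.
function countByType(node: PMNode, type: string): number {
  const own = node.type === type ? 1 : 0;
  const children = Array.isArray(node.content) ? node.content : [];
  return children.reduce((n, child) => n + countByType(child, type), own);
}

// Constructed sample document: one embed at the top level, one nested in a blockquote.
const sampleDoc: PMNode = {
  type: "doc",
  content: [
    { type: "paragraph", content: [{ type: "text", text: "hello" }] },
    { type: EMBED_TYPE, attrs: { html: "<b>constructed</b>" } },
    { type: "blockquote", content: [{ type: EMBED_TYPE, attrs: { html: "<i>nested</i>" } }] },
  ],
};

// Constructed edge case: the embed node itself handed in as the root.
const embedAsRoot: PMNode = { type: EMBED_TYPE, attrs: { html: "<b>root</b>" } };

// Stand-alone run: both strip a normal doc, only the total one handles the root case.
console.log(countByType(stripChildrenOnly(sampleDoc), EMBED_TYPE)); // 0
console.log(countByType(stripChildrenOnly(embedAsRoot), EMBED_TYPE)); // 1
console.log(countByType(stripHtmlEmbedNodesTotal(embedAsRoot), EMBED_TYPE)); // 0
```

The point of the root check is not that a real document root is ever an embed (the issue notes it is always doc) but that the helper then has a defined, safe result for every input, which is what makes a single server-side strip a defensible sole safeguard.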