Files

claude_code 81823fce1e feat(html-embed): sandbox the embed block; split trusted trackers into an admin field

Convert the htmlEmbed node from same-origin raw-HTML execution to a sandboxed
iframe (sandbox="allow-scripts allow-popups allow-forms", no allow-same-origin,
srcdoc) with postMessage auto-resize (validated by event.source) and an optional
manual height attr. The block now runs in an opaque origin and cannot reach the
viewer's cookies/session/API, so it is safe for any member.

Because the block is now harmless, remove the entire admin/role gating apparatus:
drop htmlEmbedAllowed/canAuthorHtmlEmbed/stripDisallowedHtmlEmbedNodes/
collectHtmlEmbedSources and every role-based strip on the write paths (collab
REST/MCP + socket, page create/duplicate, import x2, transclusion unsync), along
with the now-unused WorkspaceRepo/UserRepo injections and the PageService.create
callerRole param. Keep one strip: prepareContentForShare still removes htmlEmbed
on the anonymous public-share read path when the workspace master toggle is OFF.

The workspace settings.htmlEmbed toggle is now a plain feature switch (gates the
slash-menu and share rendering); when ON the block is available to all members.

Add settings.trackerHead: an admin-only raw HTML/JS analytics snippet injected
verbatim into the <head> of public share pages only (ShareSeoController), for
trackers that genuinely need same-origin. Admin-gated via the existing CASL
Manage/Settings ability; never injected into the authenticated app shell.

Closes security-review findings #1, #2, #4, #5, #10 (and #3 as a security issue).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-21 02:48:41 +03:00

public

feat(html-embed): sandbox the embed block; split trusted trackers into an admin field

2026-06-21 02:48:41 +03:00

src

feat(html-embed): sandbox the embed block; split trusted trackers into an admin field

2026-06-21 02:48:41 +03:00

.dockerignore

fixes

2024-06-07 17:29:34 +01:00

.gitignore

switch to nx monorepo

2024-01-09 18:58:26 +01:00

eslint.config.mjs

chore: fix linting (#544 )

2024-12-09 14:51:31 +00:00

index.html

feat(brand): roll out Gitmost logo, favicon and app name

2026-06-18 00:12:26 +03:00

package.json

0.93.0

2026-06-20 19:57:37 +03:00

postcss.config.js

switch to nx monorepo

2024-01-09 18:58:26 +01:00

README.md

switch to nx monorepo

2024-01-09 18:58:26 +01:00

tsconfig.json

switch to nx monorepo

2024-01-09 18:58:26 +01:00

tsconfig.node.json

switch to nx monorepo

2024-01-09 18:58:26 +01:00

vite.config.ts

feat(client): show git-describe version next to the brand logo

2026-06-18 04:51:21 +03:00

vitest.config.ts

feat(tree): replace sidebar tree (react-aborist) with custom tree implementation (#2199 )

2026-05-13 23:01:04 +01:00

README.md

React + TypeScript + Vite

This template provides a minimal setup to get React working in Vite with HMR and some ESLint rules.

Currently, two official plugins are available:

@vitejs/plugin-react uses Babel for Fast Refresh
@vitejs/plugin-react-swc uses SWC for Fast Refresh

Expanding the ESLint configuration

If you are developing a production application, we recommend updating the configuration to enable type aware lint rules:

Configure the top-level parserOptions property like this:

   parserOptions: {
    ecmaVersion: 'latest',
    sourceType: 'module',
    project: ['./tsconfig.json', './tsconfig.node.json'],
    tsconfigRootDir: __dirname,
   },

Replace plugin:@typescript-eslint/recommended to plugin:@typescript-eslint/recommended-type-checked or plugin:@typescript-eslint/strict-type-checked
Optionally add plugin:@typescript-eslint/stylistic-type-checked
Install eslint-plugin-react and add plugin:react/recommended & plugin:react/jsx-runtime to the extends list