The console label (from ?title=) was substituted into HTML via str.format with no escaping, and the iframe src was built from the raw query string — a reflected-XSS vector on the loopback console. html.escape the label, and rebuild kbd_src from only the known keys (title/app) re-encoded + escaped.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>