redroid/cloud
Natalie 076da9e726 fix(security): escape reflected ?title= in adb-keyboard console (XSS)
The console label (from ?title=) was substituted into HTML via str.format with no
escaping, and the iframe src was built from the raw query string — a reflected-XSS
vector on the loopback console. html.escape the label, and rebuild kbd_src from only
the known keys (title/app) re-encoded + escaped.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-28 15:14:19 -04:00
..
adb-keyboard fix(security): escape reflected ?title= in adb-keyboard console (XSS) 2026-06-28 15:14:19 -04:00
ocr-service feat(redroid): the shared redroid Android box app 2026-06-28 15:07:59 -04:00
terraform feat(redroid): the shared redroid Android box app 2026-06-28 15:07:59 -04:00