claudecodeui/src
Haileyesus 6d5ed6fdd8 fix(code-editor): harden media preview against SVG XSS and improve a11y
Withhold the open-in-new-tab action for SVG previews. The link is a
top-level navigation to a blob URL, which inherits the app's origin, so
a user-controlled SVG containing <script> would execute as same-origin
script. Inline <img> rendering is unaffected and stays available.

Also give the icon-only header actions (open-in-new-tab, fullscreen
toggle, close) explicit aria-labels and mark their decorative SVG icons
aria-hidden, so screen readers announce each action instead of relying
on title alone.
2026-06-29 15:16:13 +03:00