d8dfun/claudecodeui
1
0
Fork 0
mirror of https://github.com/siteboon/claudecodeui.git synced 2026-06-07 05:45:39 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
3de9c319221fab0cff8f8355cc3d382741bdcc51
claudecodeui/src/components
History
Haile d9e9df183f fix: plugin svg icon sanitization (#817) 
* fix(security)(components): unsanitized svg content injected via `dangerouslys

The plugin icon renderer fetches SVG text from `/api/plugins/.../assets/...` and injects it directly into the DOM using `dangerouslySetInnerHTML` after only checking that the payload starts with `<svg`. This does not remove malicious attributes/elements (e.g., event handlers, scriptable SVG payloads), enabling DOM-based XSS if a plugin asset is malicious or compromised.

Affected files: PluginIcon.tsx

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>

* fix: sanitize plugin svg icons

---------

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
Co-authored-by: tuanaiseo <tuanaiseo@gmail.com>
Co-authored-by: Simos Mikelatos <simosmik@gmail.com>
2026-06-02 13:24:38 +02:00
..
app
Fix/websocket streaming issues (#748)
2026-05-08 22:51:03 +03:00
auth
feat: add branding, community links, GitHub star badge, and About settings tab
2026-04-10 13:06:16 +00:00
chat
fix(chat): prevent double send on mobile by removing redundant submit handlers (#719)
2026-05-30 15:50:45 +03:00
code-editor
Create command palette and add new features for search and actions (#728)
2026-04-30 14:48:48 +03:00
command-palette
feat: add opencode support (#762)
2026-05-28 10:50:41 +02:00
file-tree
Refactor provider/session architecture to be DB-driven, modular, and sessionId-first across backend and frontend (#715)
2026-04-30 08:19:26 +02:00
git-panel
Refactor provider/session architecture to be DB-driven, modular, and sessionId-first across backend and frontend (#715)
2026-04-30 08:19:26 +02:00
llm-logo-provider
feat: add opencode support (#762)
2026-05-28 10:50:41 +02:00
main-content
Fix/websocket streaming issues (#748)
2026-05-08 22:51:03 +03:00
mcp
feat: add opencode support (#762)
2026-05-28 10:50:41 +02:00
onboarding/view
feat: add opencode support (#762)
2026-05-28 10:50:41 +02:00
plugins/view
fix: plugin svg icon sanitization (#817)
2026-06-02 13:24:38 +02:00
prd-editor
Refactor provider/session architecture to be DB-driven, modular, and sessionId-first across backend and frontend (#715)
2026-04-30 08:19:26 +02:00
project-creation-wizard
Refactor provider/session architecture to be DB-driven, modular, and sessionId-first across backend and frontend (#715)
2026-04-30 08:19:26 +02:00
provider-auth
fix: refresh Claude auth status after login flow (#617)
2026-05-31 14:17:27 +03:00
quick-settings-panel
refactor: remove unused whispher transcribe logic (#637)
2026-04-10 15:34:34 +02:00
settings
fix: refresh Claude auth status after login flow (#617)
2026-05-31 14:17:27 +03:00
shell
sidebar
fix(sidebar): keep session rename input visible while editing (#781)
2026-05-29 18:04:35 +03:00
standalone-shell/view
task-master
Refactor provider/session architecture to be DB-driven, modular, and sessionId-first across backend and frontend (#715)
2026-04-30 08:19:26 +02:00
version-upgrade/view
fix(version-upgrade-modal): implement reload countdown and update UI messages (#655)
2026-04-14 23:02:20 +02:00