release: v1.6.1 link sanitization and backlog updates

2026-04-27 16:25:35 -07:00
parent d9eba53926
commit 28aa40c42a
5 changed files with 60 additions and 13 deletions
--- a/templates/index.html
+++ b/templates/index.html
@@ -970,7 +970,13 @@ async function sendSearch() {
                    if (data.raw_results) {
                        let rawHtml = '<details class="raw-results"><summary>🔍 View raw search results (' + data.raw_results.length + ')</summary><ul>';
                        data.raw_results.forEach(r => { 
-                            rawHtml += `<li><a href="${escapeHtml(r.url)}" target="_blank" rel="noopener">${escapeHtml(r.title)}</a>`;
+                            const safeUrl = sanitizeUrl(r.url || '');
+                            rawHtml += '<li>';
+                            if (safeUrl) {
+                                rawHtml += `<a href="${escapeHtml(safeUrl)}" target="_blank" rel="noopener">${escapeHtml(r.title)}</a>`;
+                            } else {
+                                rawHtml += `<span>${escapeHtml(r.title)}</span>`;
+                            }
                            if (r.content) rawHtml += `<small>${escapeHtml(r.content)}</small>`;
                            rawHtml += '</li>'; 
                        });
@@ -1102,6 +1108,17 @@ function renderMarkdown(text) {
    return h;
 }

+function sanitizeUrl(url) {
+    if (!url) return '';
+    try {
+        const parsed = new URL(url, window.location.origin);
+        if (parsed.protocol === 'http:' || parsed.protocol === 'https:') return parsed.href;
+    } catch (e) {
+        return '';
+    }
+    return '';
+}
+
 function addCopyButtons(msgDiv) {
    msgDiv.querySelectorAll('pre').forEach(pre => {
        if (pre.querySelector('.copy-btn')) return;