mai
/
posimai-atlas
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(security): add SRI to d3 CDN, fix XSS via innerHTML in detail panel, noreferrer 

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
posimai 2026-04-17 18:42:14 +09:00
parent 2cbc8819eb
commit 0523dc9d79
1 changed files with 14 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
index.html
View File

@ -1249,7 +1249,7 @@
<div class="metric-stat-val" id="metric-sessions"></div> <div class="metric-stat-val" id="metric-sessions"></div>
</div> </div>
</div> </div>
<a class="metric-open-btn" id="metric-open-link" href="#" target="_blank" rel="noopener"> <a class="metric-open-btn" id="metric-open-link" href="#" target="_blank" rel="noopener noreferrer">
<i data-lucide="external-link" style="width:12px;height:12px;stroke-width:1.75"></i> <i data-lucide="external-link" style="width:12px;height:12px;stroke-width:1.75"></i>
posimai-dev を開く posimai-dev を開く
</a> </a>
@ -1480,7 +1480,7 @@
<div id="toast" role="status" aria-live="polite"></div> <div id="toast" role="status" aria-live="polite"></div>
<script src="https://posimai-ui.vercel.app/v1/base.js" defer></script> <script src="https://posimai-ui.vercel.app/v1/base.js" defer></script>
<script src="https://cdn.jsdelivr.net/npm/d3@7.9.0/dist/d3.min.js"></script> <script src="https://cdn.jsdelivr.net/npm/d3@7.9.0/dist/d3.min.js" integrity="sha384-CjloA8y00+1SDAUkjs099PVfnY2KmDC2BZnws9kh8D/lX1s46w6EPhpXdqMfjK6i" crossorigin="anonymous"></script>
<script> <script>
// ── Constants ────────────────────────────────────────────────── // ── Constants ──────────────────────────────────────────────────
const STORAGE_KEY = 'posimai-atlas-data'; const STORAGE_KEY = 'posimai-atlas-data';
@ -1870,7 +1870,18 @@ function showDetail(id, simNodes, simEdges) {
const urlEl = document.getElementById('dp-url'); const urlEl = document.getElementById('dp-url');
if (node.url) { if (node.url) {
urlEl.innerHTML = `<a href="${node.url}" target="_blank" rel="noopener"><i data-lucide="external-link" style="width:12px;height:12px;stroke-width:1.75"></i>${node.url}</a>`; const a = document.createElement('a');
a.href = node.url;
a.target = '_blank';
a.rel = 'noopener noreferrer';
const icon = document.createElement('i');
icon.dataset.lucide = 'external-link';
icon.style.cssText = 'width:12px;height:12px;stroke-width:1.75';
a.appendChild(icon);
a.appendChild(document.createTextNode(node.url));
urlEl.innerHTML = '';
urlEl.appendChild(a);
if (window.lucide) window.lucide.createIcons({ nodes: [urlEl] });
} else { } else {
urlEl.innerHTML = ''; urlEl.innerHTML = '';
} }