From 8c2c88f90039e87b29ce32cd31b7b0361b5803d0 Mon Sep 17 00:00:00 2001
From: Peter Stone
Date: Mon, 26 Jan 2026 07:01:25 -1000
Subject: Phase 1: Critical security fixes

- Remove default password fallback - require DEFAULT_PASS in all environments
- Fix XSS vulnerabilities in HTML generation (handlers.go:795,920)
- Add security headers middleware (X-Frame-Options, CSP, HSTS, etc.)
- Add rate limiting on login endpoint (5 req/15min per IP)
Co-Authored-By: Claude Opus 4.5
---
 internal/handlers/handlers.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'internal/handlers')
diff --git a/internal/handlers/handlers.go b/internal/handlers/handlers.go
index a169478..635a69d 100644
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -792,7 +792,9 @@ func (h *Handler) HandleGetListsOptions(w http.ResponseWriter, r *http.Request)
 w.Header().Set("Content-Type", "text/html")
 for _, list := range lists {
- _, _ = fmt.Fprintf(w, ``, list.ID, list.Name)
+ _, _ = fmt.Fprintf(w, ``,
+ template.HTMLEscapeString(list.ID),
+ template.HTMLEscapeString(list.Name))
 }
 }
@@ -917,7 +919,9 @@ func (h *Handler) HandleGetShoppingLists(w http.ResponseWriter, r *http.Request)
 w.Header().Set("Content-Type", "text/html")
 for _, list := range lists {
- _, _ = fmt.Fprintf(w, ``, list.ID, list.Name)
+ _, _ = fmt.Fprintf(w, ``,
+ template.HTMLEscapeString(list.ID),
+ template.HTMLEscapeString(list.Name))
 }
 }
--
cgit v1.2.3
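Review bot: Both hunks hand-escape at the call site with `fmt.Fprintf` plus `template.HTMLEscapeString`, duplicating the same loop body in HandleGetListsOptions and HandleGetShoppingLists; a package-level `html/template` parsed once, e.g. `var listOptionTmpl = template.Must(template.New("listOption").Parse(/* the original markup with {{.ID}} and {{.Name}} */))` with `_ = listOptionTmpl.Execute(w, list)` in each loop, would give contextual autoescaping and remove the duplication. The format string's markup is not visible on this page, so I cannot confirm the values land in element text or a quoted attribute; HTMLEscapeString is sufficient only there, not in an unquoted attribute, URL or script position, which is a further reason to prefer the template. The diffstat's 6 insertions are fully accounted for by the two hunks, so `template` must already be imported in this file — worth confirming it is `html/template` (text/template exposes an identically behaving HTMLEscapeString, so it compiles either way). The context line `w.Header().Set("Content-Type", "text/html")` is pre-existing, but declaring `text/html; charset=utf-8` would stop browsers from charset-sniffing the escaped output. Both enclosing functions start before and end after their hunks.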