fix: harden bot_name — crash guard, XSS escape, sanitization, tests

- Move `import html` to module top (was inside function body) - Fix IndexError crash in /login when bot_name is empty string; use `or 'Hermes'` fallback instead of .get() default which doesn't guard against stored empty string - Add server-side sanitization in POST /api/settings: strip + default empty/whitespace bot_name to 'Hermes' before persisting - Escape _bn initial char in ui.js innerHTML (esc() consistency) - Add maxlength=64 to #settingsBotName input field - Add tests/test_sprint27.py: 9 tests covering API round-trip, empty/whitespace defaults, login page rendering, and XSS escaping
2026-04-06 15:06:16 +00:00
parent 9f3b2e113e
commit 71dd691ed0
4 changed files with 142 additions and 4 deletions
--- a/static/index.html
+++ b/static/index.html
@@ -375,7 +375,7 @@
      <div class="settings-field">
        <label for="settingsBotName">Assistant Name</label>
        <div style="font-size:11px;color:var(--muted);margin-bottom:6px">Display name for the assistant throughout the UI. Defaults to Hermes.</div>
-        <input type="text" id="settingsBotName" placeholder="Hermes" style="width:100%;padding:8px;background:var(--code-bg);color:var(--text);border:1px solid var(--border2);border-radius:6px;font-size:13px">
+        <input type="text" id="settingsBotName" placeholder="Hermes" maxlength="64" style="width:100%;padding:8px;background:var(--code-bg);color:var(--text);border:1px solid var(--border2);border-radius:6px;font-size:13px">
      </div>
      <div class="settings-field" style="border-top:1px solid var(--border);padding-top:12px;margin-top:8px">
        <label for="settingsPassword">Access Password</label>