webui

Sabo/webui

Fork 0

Commit Graph

Author	SHA1	Message	Date
Hermes Agent	c3251ea97d	fix(tests): auto-derive unique port+state-dir per worktree (fixes parallel pytest)	2026-04-14 19:04:48 +00:00
Nathan Esquenazi	71dd691ed0	fix: harden bot_name — crash guard, XSS escape, sanitization, tests - Move `import html` to module top (was inside function body) - Fix IndexError crash in /login when bot_name is empty string; use `or 'Hermes'` fallback instead of .get() default which doesn't guard against stored empty string - Add server-side sanitization in POST /api/settings: strip + default empty/whitespace bot_name to 'Hermes' before persisting - Escape _bn initial char in ui.js innerHTML (esc() consistency) - Add maxlength=64 to #settingsBotName input field - Add tests/test_sprint27.py: 9 tests covering API round-trip, empty/whitespace defaults, login page rendering, and XSS escaping	2026-04-06 15:06:16 +00:00

Author

SHA1

Message

Date

Hermes Agent

c3251ea97d

fix(tests): auto-derive unique port+state-dir per worktree (fixes parallel pytest)

2026-04-14 19:04:48 +00:00

Nathan Esquenazi

71dd691ed0

fix: harden bot_name — crash guard, XSS escape, sanitization, tests

- Move `import html` to module top (was inside function body)
- Fix IndexError crash in /login when bot_name is empty string;
  use `or 'Hermes'` fallback instead of .get() default which
  doesn't guard against stored empty string
- Add server-side sanitization in POST /api/settings: strip + default
  empty/whitespace bot_name to 'Hermes' before persisting
- Escape _bn initial char in ui.js innerHTML (esc() consistency)
- Add maxlength=64 to #settingsBotName input field
- Add tests/test_sprint27.py: 9 tests covering API round-trip,
  empty/whitespace defaults, login page rendering, and XSS escaping

2026-04-06 15:06:16 +00:00

2 Commits