hermes-agent/web/src
TheOnlyMika 5744b17579 harden: restrict markdown link schemes; parse untrusted XML with defusedxml
Two small defensive-hardening changes:

- web/src/components/Markdown.tsx: render links only for http(s)/mailto
  schemes; other schemes (javascript:, data:, vbscript:) are dropped to
  plain text so a crafted link in rendered content can't execute on click.

- gateway/platforms/wecom_callback.py: parse the untrusted, pre-auth WeCom
  callback request body with defusedxml instead of xml.etree, blocking
  entity-expansion / billion-laughs (and XXE) on the parse path. defusedxml
  is already a dependency (uv.lock); response-building XML in
  wecom_crypto.py is unchanged (it is not parsed from untrusted input).

Verified: dashboard typechecks and builds; defusedxml blocks an
entity-expansion payload while valid WeCom envelopes still parse.
2026-05-25 23:30:43 -07:00
components harden: restrict markdown link schemes; parse untrusted XML with defusedxml 2026-05-25 23:30:43 -07:00
contexts feat(web): mobile dashboard UX polish (#28127) 2026-05-18 15:20:31 -04:00
hooks feat(web): mobile dashboard UX polish (#28127) 2026-05-18 15:20:31 -04:00
i18n refactor(web): dashboard typography & contrast pass 2026-05-22 19:50:32 -07:00
lib refactor(web): dashboard typography & contrast pass 2026-05-22 19:50:32 -07:00
pages refactor(web): dashboard typography & contrast pass 2026-05-22 19:50:32 -07:00
plugins refactor(web): dashboard typography & contrast pass 2026-05-22 19:50:32 -07:00
themes feat(web): mobile dashboard UX polish (#28127) 2026-05-18 15:20:31 -04:00
App.tsx refactor(web): dashboard typography & contrast pass 2026-05-22 19:50:32 -07:00
index.css refactor(web): dashboard typography & contrast pass 2026-05-22 19:50:32 -07:00
main.tsx fix(dashboard): remove country flags from language picker (#29997) 2026-05-21 13:10:52 -07:00