mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-05-30 06:41:51 +00:00
Two small defensive-hardening changes:

- web/src/components/Markdown.tsx: render links only for http(s)/mailto schemes; other schemes (javascript:, data:, vbscript:) are dropped to plain text so a crafted link in rendered content can't execute on click.
- gateway/platforms/wecom_callback.py: parse the untrusted, pre-auth WeCom callback request body with defusedxml instead of xml.etree, blocking entity-expansion / billion-laughs (and XXE) on the parse path. defusedxml is already a dependency (uv.lock); response-building XML in wecom_crypto.py is unchanged (it is not parsed from untrusted input).

Verified: dashboard typechecks and builds; defusedxml blocks an entity-expansion payload while valid WeCom envelopes still parse.
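As an added illustration of the Markdown.tsx hardening described above (example code, not the project's own): a scheme allow-list that turns a link into an anchor only for http, https and mailto, and otherwise falls back to plain text. It assumes the WHATWG URL parser is used to normalise the href before comparison (so leading whitespace and mixed-case schemes are handled), that relative hrefs are also rendered as text, and that `renderLink` is a hypothetical stand-in for the component's link rendering.

```typescript
// Added example, not code from the hermes-agent repository.
// Only these protocols may become clickable links; everything else is rendered
// as plain text, which is the behaviour the commit message describes.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

/** Parse with the WHATWG URL parser; relative or malformed hrefs yield null. */
function parseAbsoluteUrl(href: string): URL | null {
  try {
    return new URL(href);
  } catch {
    return null;
  }
}

/**
 * Returns the normalised href to render as a link, or null when the link must
 * fall back to text. The URL parser strips leading/trailing whitespace and
 * lower-cases the scheme, so "  JavaScript:" is still recognised and rejected.
 * Assumption: relative hrefs (no scheme) are treated as text as well.
 */
export function safeHref(href: string | undefined): string | null {
  if (!href) return null;
  const url = parseAbsoluteUrl(href);
  if (url === null) return null;
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

/** Hypothetical stand-in for a Markdown link node and its rendered output. */
export type LinkNode = { text: string; href?: string };
export type Rendered =
  | { kind: "link"; href: string; text: string }
  | { kind: "text"; text: string };

/** Render a link node: an anchor for allowed schemes, plain text otherwise. */
export function renderLink(node: LinkNode): Rendered {
  const href = safeHref(node.href);
  return href === null
    ? { kind: "text", text: node.text }
    : { kind: "link", href, text: node.text };
}
```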
- ..
- ui
- AutoField.tsx
- Backdrop.tsx
- BottomPickSheet.tsx
- ChatSidebar.tsx
- DeleteConfirmDialog.tsx
- LanguageSwitcher.tsx
- Markdown.tsx
- ModelInfoCard.tsx
- ModelPickerDialog.tsx
- NouiTypography.tsx
- OAuthLoginModal.tsx
- OAuthProvidersCard.tsx
- PlatformsCard.tsx
- SidebarFooter.tsx
- SidebarStatusStrip.tsx
- SlashPopover.tsx
- ThemeSwitcher.tsx
- Toast.tsx
- ToolCall.tsx