mirror of
https://github.com/koala73/worldmonitor.git
synced 2026-05-10 01:02:00 +02:00
- Add CORS origin allowlist (api/_cors.js) replacing Access-Control-Allow-Origin: *
- Add isDisallowedOrigin guard to all API endpoints (acled, cloudflare-outages, finnhub, fred-data, hackernews, wingbits)
- Gut debug-env endpoint to return 404
- Tighten sanitizeUrl() with escapeAttr output and strict relative URL validation
- Add sanitizeUrl() adoption in CountryIntelModal, InsightsPanel, PredictionPanel, RegulationPanel, TechEventsPanel
- Comprehensive escapeHtml() hardening in MapPopup (cables, flights, vessels, clusters)
- Bound HackerNews concurrent fetches (MAX_CONCURRENCY=10), validate story type and limit params
- Add wingbits cache eviction (MAX_LOCAL_CACHE_ENTRIES=2000, sweep on TTL + LRU)
- Fix arxiv http→https, og-story parseInt safety with Number.isFinite + clamping
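The two changes above that apply to every endpoint, the CORS origin allowlist with an isDisallowedOrigin guard and the Number.isFinite + clamping pattern for integer query parameters, are illustrated by the following added example. It is not the worldmonitor project's api/_cors.js or og-story code; the allowed-origin list, the plain req/res objects, and the function names normalizeOrigin, applyCors and clampInt are assumptions made for the illustration.

```javascript
// Added example, not the project's own code. Demonstrates a CORS origin
// allowlist that replaces Access-Control-Allow-Origin: * and a safe integer
// parser that checks Number.isFinite and clamps the result.

// Assumed allowlist; in a real deployment this comes from configuration.
const ALLOWED_ORIGINS = new Set([
  'https://example.com',
  'https://app.example.com',
]);

// Read the Origin header from a Node-style request object, tolerating
// a missing headers map or either header-name casing.
function getOrigin(req) {
  const headers = (req && req.headers) || {};
  return headers.origin ?? headers.Origin;
}

// Reduce an Origin header value to scheme+host[:port]; null if unparseable
// or not http(s). 'null' (opaque origin) and garbage both come back as null.
function normalizeOrigin(origin) {
  if (typeof origin !== 'string' || origin.length === 0) return null;
  try {
    const u = new URL(origin);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin; // exact scheme+host match; no substring or suffix matching
  } catch {
    return null;
  }
}

// True when the request carries an Origin header that is not on the allowlist.
// Requests with no Origin at all (same-origin navigation, curl, server-side
// callers) are not blocked here: CORS guards cross-site browser requests,
// which always carry Origin.
function isDisallowedOrigin(req) {
  const raw = getOrigin(req);
  if (raw === undefined) return false;
  const origin = normalizeOrigin(raw);
  return origin === null || !ALLOWED_ORIGINS.has(origin);
}

// Apply CORS headers for an allowed origin and reject the rest with 403.
// Echoes the specific origin rather than '*' and sets Vary: Origin so a
// shared cache never serves one origin's response to another.
function applyCors(req, res) {
  if (isDisallowedOrigin(req)) {
    res.statusCode = 403;
    res.end('Forbidden');
    return false;
  }
  const origin = normalizeOrigin(getOrigin(req));
  if (origin !== null) {
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Vary', 'Origin');
    res.setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS');
  }
  return true;
}

// Parse an integer query parameter safely. parseInt returns NaN for
// non-numeric input and Infinity for a very long digit string; both fail
// Number.isFinite, so they fall back to a default, and anything finite is
// clamped into [min, max].
function clampInt(value, { min, max, fallback }) {
  const n = parseInt(value, 10);
  if (!Number.isFinite(n)) return fallback;
  return Math.min(max, Math.max(min, n));
}

module.exports = { ALLOWED_ORIGINS, isDisallowedOrigin, applyCors, clampInt, normalizeOrigin };
```

Usage in a handler is `if (!applyCors(req, res)) return;` before any work is done, and `const limit = clampInt(req.query.limit, { min: 1, max: 50, fallback: 10 });` for each numeric parameter. The allowlist compares whole origins, so `https://example.com.attacker.example` does not match `https://example.com`, which a substring check would get wrong.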