security: encrypt NaCl keypair at rest with AES-GCM and harden PoW captcha signature with HMAC-SHA256

2026-02-08 14:15:23 +01:00
parent ce2b8657bb
commit 2f02df4910
6 changed files with 151 additions and 45 deletions
--- a/js/components/pages/page-listing.js
+++ b/js/components/pages/page-listing.js
@@ -635,11 +635,7 @@ class PageListing extends HTMLElement {

    formatDescription(text) {
        if (!text) return ''
-        return text
-            .replace(/&/g, '&amp;')
-            .replace(/</g, '&lt;')
-            .replace(/>/g, '&gt;')
-            .replace(/\n/g, '<br>')
+        return escapeHTML(text).replace(/\n/g, '<br>')
    }
 }

--- a/js/components/pow-captcha.js
+++ b/js/components/pow-captcha.js
@@ -53,7 +53,7 @@ export class PowCaptcha extends HTMLElement {
    this.render()

    try {
-      const { challenge, difficulty, timestamp, signature } = await generateChallenge()
+      const { challenge, difficulty, timestamp, signature, source } = await generateChallenge()

      const result = await solveChallenge(challenge, difficulty)

@@ -62,7 +62,8 @@ export class PowCaptcha extends HTMLElement {
        difficulty,
        nonce: result.nonce,
        signature,
-        timestamp
+        timestamp,
+        source
      }

      const verification = await verifySolution(solution)
--- a/js/components/search-box.js
+++ b/js/components/search-box.js
@@ -207,7 +207,7 @@ class SearchBox extends HTMLElement {
            
            badges.push(/* html */`
                <button type="button" class="filter-badge" data-filter="category">
-                    <span class="filter-badge-text">${categoryLabel}</span>
+                    <span class="filter-badge-text">${escapeHTML(categoryLabel)}</span>
                    <svg class="filter-badge-close" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
                        <line x1="18" y1="6" x2="6" y2="18"></line>
                        <line x1="6" y1="6" x2="18" y2="18"></line>