Comment/README cleanup (todo §4); tighten the kratos/keto client module-headers (drop forward-refs + caller-listings, keep rationale), retarget the stale safeUrl() ref in plugin-contract.md to §5/§7

2026-06-18 11:52:49 +02:00
parent caadaf5da3
commit d1fbf8fa1f
5 changed files with 13 additions and 15 deletions


@@ -158,7 +158,8 @@ safety of the data it renders**:
item, a breadcrumb, `brand.logo` — is emitted as-is inside the attribute: a `javascript:` or
`data:` URL from upstream/user data becomes live XSS. When a URL comes from data you don't
control, restrict it to a relative (`/`, `?`, `#`) or `http(s):` URL before handing it to a
partial. (A shared `safeUrl()` helper lands with the data-driven plugins in §4.)
partial. (A shared `safeUrl()` helper will land with the first plugin that renders untrusted
URL data, §5/§7.)
## RequestContext
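Review bot: the replacement sentence ("will land with the first plugin that renders untrusted URL data, §5/§7") still leaves the reader guessing which section actually owns the helper; pick the one section where `safeUrl()` is specified and cite that, otherwise this reference goes stale again the same way the "§4" one did. While this paragraph is being touched, the allow-list it describes, "a relative (`/`, `?`, `#`) or `http(s):` URL", should say explicitly that a leading `//` is not relative: `//host/path` is scheme-relative and resolves to another origin, so a check that only looks at the first character admits it. Stating that here keeps the doc and the future `safeUrl()` behaviour aligned; something like "relative (a single leading `/`, or `?`, `#`; never `//`)" would do.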