Commit Graph

2 Commits

Author SHA1 Message Date
egutierrez aab4f12fc4 fix(0128): XSS scheme allowlist + drop dead fileID
review findings:
- MessageBody: only http(s) and relative paths allowed for links;
  data:image/* allowed for inline images. Rejects javascript:,
  data:text/html, vbscript: which would execute via <a href>.
  Unsafe matches fall back to plain text.
- files.go: remove unused fileID var generated then discarded.
2026-05-27 11:04:20 +02:00
egutierrez 2401eb5abc feat(backend): card file attachments (issue 0128)
- migration 014_card_files: table with soft-delete + active index
- POST/GET/DELETE handlers in backend/files.go
- routes /api/cards/{id}/files, /api/files/{id}
- 10MB limit, storage in uploads/<card_id>/<random>__<safe>
2026-05-27 10:51:52 +02:00