fix: prevent XSS vulnerability in context menu labels by DrJKL · Pull Request #8887 · Comfy-Org/ComfyUI_frontend

DrJKL · 2026-02-15T08:26:39Z

Replace innerHTML with textContent when setting context menu item labels to prevent XSS attacks via malicious filenames. This fixes a security vulnerability where filenames like "" could execute arbitrary JavaScript when displayed in dropdowns.

https://claude.ai/code/session_01LALt1HEgGvpWD7hhqcp2Gu

Summary

Changes

What:
Breaking:
Dependencies:

Review Focus

Screenshots (if applicable)

┆Issue is synchronized with this Notion page by Unito

Replace innerHTML with textContent when setting context menu item labels to prevent XSS attacks via malicious filenames. This fixes a security vulnerability where filenames like "<img src=x onerror=alert()>" could execute arbitrary JavaScript when displayed in dropdowns. https://claude.ai/code/session_01LALt1HEgGvpWD7hhqcp2Gu

coderabbitai · 2026-02-15T08:26:58Z

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

browser_tests/tests/nodeSearchBox.spec.ts-snapshots/added-node-no-connection-chromium-linux.png is excluded by !**/*.png

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a DOM-based HTML sanitization pipeline (DOMPurify hook, allowed tags/styles) and safer rendering in the context menu: uses textContent for plain labels, sanitizes object content before assigning innerHTML, and strips disallowed attributes/styles while preserving disabled and submenu indicators.

Changes

Cohort / File(s)	Summary
Context menu sanitization & rendering `src/lib/litegraph/src/ContextMenu.ts`	Introduces `ALLOWED_TAGS` and `ALLOWED_STYLE_PROPS`, a DOMPurify `uponSanitizeAttribute` hook, and `sanitizeMenuHTML` to filter HTML and inline styles. Replaces direct `innerHTML` for titles/labels with `textContent`; when entries are object-valued detects HTML in `value.content` and sanitizes before setting `innerHTML`. Keeps existing disabled-item and submenu handling while stripping disallowed attributes/styles.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰
I nibbled tags and chased a stray

Cleansed the menu on my way.
Text made safe, styles trimmed neat,
Now every label’s tidy and sweet. ✨

🚥 Pre-merge checks | ✅ 1 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Merge Conflict Detection	⚠️ Warning	❌ Merge conflicts detected (19 files): ⚔️ `browser_tests/tests/nodeSearchBox.spec.ts-snapshots/added-node-no-connection-chromium-linux.png` (content) ⚔️ `package.json` (content) ⚔️ `src/components/rightSidePanel/parameters/SectionWidgets.vue` (content) ⚔️ `src/components/rightSidePanel/parameters/WidgetActions.vue` (content) ⚔️ `src/components/rightSidePanel/parameters/WidgetItem.vue` (content) ⚔️ `src/lib/litegraph/src/ContextMenu.ts` (content) ⚔️ `src/locales/ar/main.json` (content) ⚔️ `src/locales/en/main.json` (content) ⚔️ `src/locales/es/main.json` (content) ⚔️ `src/locales/fa/main.json` (content) ⚔️ `src/locales/fr/main.json` (content) ⚔️ `src/locales/ja/main.json` (content) ⚔️ `src/locales/ko/main.json` (content) ⚔️ `src/locales/pt-BR/main.json` (content) ⚔️ `src/locales/ru/main.json` (content) ⚔️ `src/locales/tr/main.json` (content) ⚔️ `src/locales/zh-TW/main.json` (content) ⚔️ `src/locales/zh/main.json` (content) ⚔️ `src/utils/widgetUtil.ts` (content) These conflicts must be resolved before merging into `main`.	Resolve conflicts locally and push changes to this branch.
Description check	❓ Inconclusive	The PR description explains the vulnerability and fix, but leaves most template sections unfilled (Summary, What, Breaking, Dependencies, Review Focus).	Complete the template sections: add a concise one-sentence summary, fill in the 'What' section detailing the DOMPurify implementation, and clarify if DOMPurify is a new dependency.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: prevent XSS vulnerability in context menu labels' directly and clearly describes the main security fix in the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch claude/slack-fix-registry-rate-limit-j9Ji4

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

github-actions · 2026-02-15T08:27:05Z

🎨 Storybook Build Status

✅ Build completed successfully!

⏰ Completed at: 02/16/2026, 08:29:09 PM UTC

🔗 Links

📊 View Workflow Run
🎨 View Storybook

🎉 Your Storybook is ready for review!

github-actions · 2026-02-15T08:27:16Z

Playwright: ✅ 518 passed, 0 failed · 4 flaky

📊 Browser Reports

chromium: View Report (✅ 506 / ❌ 0 / ⚠️ 4 / ⏭️ 8)
chromium-2x: View Report (✅ 2 / ❌ 0 / ⚠️ 0 / ⏭️ 0)
chromium-0.5x: View Report (✅ 1 / ❌ 0 / ⚠️ 0 / ⏭️ 0)
mobile-chrome: View Report (✅ 9 / ❌ 0 / ⚠️ 0 / ⏭️ 0)

github-actions · 2026-02-15T08:29:12Z

Bundle Size Report

Summary

Raw size: 19.9 MB baseline 19.9 MB — 🔴 +1.1 kB
Gzip: 4.25 MB baseline 4.24 MB — 🔴 +585 B
Brotli: 3.29 MB baseline 3.29 MB — 🔴 +208 B
Bundles: 231 current • 231 baseline • 154 added / 154 removed

Category Glance
Data & Services 🔴 +846 B (2.16 MB) · Views & Navigation 🔴 +120 B (69 kB) · Panels & Settings 🔴 +80 B (427 kB) · User & Accounts 🔴 +40 B (16.1 kB) · App Entry Points 🔴 +12 B (21.7 kB) · Vendor & Third-Party ⚪ 0 B (8.69 MB) · + 5 more

Per-category breakdown

App Entry Points — 21.7 kB (baseline 21.7 kB) • 🔴 +12 B

Main entry bundles and manifests

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/index-rBMDYgmi.js (new)	—	21.7 kB	🔴 +21.7 kB	🔴 +7.03 kB	🔴 +6.13 kB
~~assets/index-C9xAtGi1.js~~ (removed)	21.7 kB	—	🟢 -21.7 kB	🟢 -7.02 kB	🟢 -6.12 kB

Status: 1 added / 1 removed

Graph Workspace — 886 kB (baseline 886 kB) • ⚪ 0 B

Graph editor runtime, canvas, workflow orchestration

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/GraphView-HpmsV1fp.js (new)	—	886 kB	🔴 +886 kB	🔴 +191 kB	🔴 +146 kB
~~assets/GraphView-tXoj_yNw.js~~ (removed)	886 kB	—	🟢 -886 kB	🟢 -191 kB	🟢 -146 kB

Status: 1 added / 1 removed

Views & Navigation — 69 kB (baseline 68.9 kB) • 🔴 +120 B

Top-level views, pages, and routed surfaces

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/CloudSurveyView-BOyCSqJQ.js (new)	—	15.5 kB	🔴 +15.5 kB	🔴 +3.32 kB	🔴 +2.83 kB
~~assets/CloudSurveyView-BNXpcQJY.js~~ (removed)	15.4 kB	—	🟢 -15.4 kB	🟢 -3.3 kB	🟢 -2.8 kB
assets/CloudLoginView-BOndRv-9.js (new)	—	10.1 kB	🔴 +10.1 kB	🔴 +2.95 kB	🔴 +2.58 kB
~~assets/CloudLoginView-Cp-0fpin.js~~ (removed)	10.1 kB	—	🟢 -10.1 kB	🟢 -2.94 kB	🟢 -2.58 kB
assets/UserCheckView-B2I2Bzn1.js (new)	—	8.41 kB	🔴 +8.41 kB	🔴 +2.23 kB	🔴 +1.94 kB
~~assets/UserCheckView-F-ElMAql.js~~ (removed)	8.38 kB	—	🟢 -8.38 kB	🟢 -2.21 kB	🟢 -1.92 kB
~~assets/CloudSignupView-Y7ZN5ToB.js~~ (removed)	7.46 kB	—	🟢 -7.46 kB	🟢 -2.34 kB	🟢 -2.04 kB
assets/CloudSignupView-ZQO1sFSl.js (new)	—	7.46 kB	🔴 +7.46 kB	🔴 +2.34 kB	🔴 +2.06 kB
assets/CloudLayoutView-av3mekAf.js (new)	—	6.48 kB	🔴 +6.48 kB	🔴 +2.12 kB	🔴 +1.85 kB
~~assets/CloudLayoutView-B-JK33ZA.js~~ (removed)	6.48 kB	—	🟢 -6.48 kB	🟢 -2.12 kB	🟢 -1.85 kB
~~assets/CloudForgotPasswordView-CdktePnb.js~~ (removed)	5.61 kB	—	🟢 -5.61 kB	🟢 -1.95 kB	🟢 -1.72 kB
assets/CloudForgotPasswordView-V2Ni1A-7.js (new)	—	5.61 kB	🔴 +5.61 kB	🔴 +1.95 kB	🔴 +1.73 kB
assets/CloudAuthTimeoutView-aIUnFttJ.js (new)	—	4.96 kB	🔴 +4.96 kB	🔴 +1.79 kB	🔴 +1.56 kB
~~assets/CloudAuthTimeoutView-BN9ZXSXg.js~~ (removed)	4.96 kB	—	🟢 -4.96 kB	🟢 -1.79 kB	🟢 -1.57 kB
~~assets/CloudSubscriptionRedirectView-CoHSoeXL.js~~ (removed)	4.76 kB	—	🟢 -4.76 kB	🟢 -1.8 kB	🟢 -1.59 kB
assets/CloudSubscriptionRedirectView-u2u1fhd6.js (new)	—	4.76 kB	🔴 +4.76 kB	🔴 +1.8 kB	🔴 +1.59 kB
assets/UserSelectView-CdOuf1b0.js (new)	—	4.5 kB	🔴 +4.5 kB	🔴 +1.64 kB	🔴 +1.47 kB
~~assets/UserSelectView-BSyvv22i.js~~ (removed)	4.46 kB	—	🟢 -4.46 kB	🟢 -1.62 kB	🟢 -1.45 kB
~~assets/CloudSorryContactSupportView-BQWWCDdn.js~~ (removed)	1.02 kB	—	🟢 -1.02 kB	🟢 -540 B	🟢 -472 B
assets/CloudSorryContactSupportView-C7v00oYe.js (new)	—	1.02 kB	🔴 +1.02 kB	🔴 +539 B	🔴 +471 B
~~assets/layout-D7kVvNTz.js~~ (removed)	296 B	—	🟢 -296 B	🟢 -225 B	🟢 -187 B
assets/layout-Dw2vG5GB.js (new)	—	296 B	🔴 +296 B	🔴 +224 B	🔴 +213 B

Status: 11 added / 11 removed

Panels & Settings — 427 kB (baseline 427 kB) • 🔴 +80 B

Configuration panels, inspectors, and settings screens

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/SecretsPanel-CAceo5dH.js (new)	—	21.5 kB	🔴 +21.5 kB	🔴 +5.3 kB	🔴 +4.66 kB
~~assets/SecretsPanel-Bh0cqBnb.js~~ (removed)	21.5 kB	—	🟢 -21.5 kB	🟢 -5.29 kB	🟢 -4.63 kB
~~assets/LegacyCreditsPanel-B-C26rPU.js~~ (removed)	20.7 kB	—	🟢 -20.7 kB	🟢 -5.58 kB	🟢 -4.91 kB
assets/LegacyCreditsPanel-BIOSHD5O.js (new)	—	20.7 kB	🔴 +20.7 kB	🔴 +5.58 kB	🔴 +4.91 kB
assets/SubscriptionPanel-BgZm-OL1.js (new)	—	18.7 kB	🔴 +18.7 kB	🔴 +4.73 kB	🔴 +4.17 kB
~~assets/SubscriptionPanel-PAFOiw0q.js~~ (removed)	18.7 kB	—	🟢 -18.7 kB	🟢 -4.73 kB	🟢 -4.18 kB
assets/KeybindingPanel-InQzHWaH.js (new)	—	12.4 kB	🔴 +12.4 kB	🔴 +3.59 kB	🔴 +3.19 kB
~~assets/KeybindingPanel-kjSUl5YN.js~~ (removed)	12.4 kB	—	🟢 -12.4 kB	🟢 -3.59 kB	🟢 -3.18 kB
assets/ExtensionPanel-BD0MZ_vA.js (new)	—	9.43 kB	🔴 +9.43 kB	🔴 +2.67 kB	🔴 +2.37 kB
~~assets/ExtensionPanel-BXu3rEbF.js~~ (removed)	9.43 kB	—	🟢 -9.43 kB	🟢 -2.67 kB	🟢 -2.38 kB
assets/AboutPanel-BMQBmaSl.js (new)	—	8.53 kB	🔴 +8.53 kB	🔴 +2.44 kB	🔴 +2.2 kB
~~assets/AboutPanel-CnkkyOQb.js~~ (removed)	8.49 kB	—	🟢 -8.49 kB	🟢 -2.42 kB	🟢 -2.18 kB
assets/ServerConfigPanel-COjmzYV-.js (new)	—	6.5 kB	🔴 +6.5 kB	🔴 +2.13 kB	🔴 +1.91 kB
~~assets/ServerConfigPanel-CTerCZA1.js~~ (removed)	6.5 kB	—	🟢 -6.5 kB	🟢 -2.13 kB	🟢 -1.91 kB
assets/UserPanel-BNybL2cq.js (new)	—	6.21 kB	🔴 +6.21 kB	🔴 +2.02 kB	🔴 +1.76 kB
~~assets/UserPanel-CT_4FAtt.js~~ (removed)	6.21 kB	—	🟢 -6.21 kB	🟢 -2.01 kB	🟢 -1.76 kB
assets/cloudRemoteConfig-CeeWc85n.js (new)	—	1.49 kB	🔴 +1.49 kB	🔴 +728 B	🔴 +627 B
~~assets/cloudRemoteConfig-CjG-BYXh.js~~ (removed)	1.49 kB	—	🟢 -1.49 kB	🟢 -729 B	🟢 -631 B
assets/refreshRemoteConfig-CLsrk0Ie.js (new)	—	1.14 kB	🔴 +1.14 kB	🔴 +520 B	🔴 +457 B
~~assets/refreshRemoteConfig-DLIghF57.js~~ (removed)	1.14 kB	—	🟢 -1.14 kB	🟢 -521 B	🟢 -452 B
assets/config-CPqNkkC7.js	996 B	996 B	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-B4dcbqqW.js	28 kB	28 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-B9H-S_7S.js	37.6 kB	37.6 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-BrKMI2ca.js	27.1 kB	27.1 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-CCDmBSaS.js	29.8 kB	29.8 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-CjFyTs4c.js	23.3 kB	23.3 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-COYfq8TF.js	28.1 kB	28.1 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-Czm8M4DT.js	23.9 kB	23.9 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-D_4IUqgy.js	31.6 kB	31.6 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-DSKCF1uG.js	27.3 kB	27.3 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-t36S0PpX.js	33.3 kB	33.3 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/settings-ZdQ8OYkR.js	29.2 kB	29.2 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

Status: 10 added / 10 removed

User & Accounts — 16.1 kB (baseline 16.1 kB) • 🔴 +40 B

Authentication, profile, and account management bundles

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
~~assets/PasswordFields-Cx2Uqajt.js~~ (removed)	4.51 kB	—	🟢 -4.51 kB	🟢 -1.35 kB	🟢 -1.19 kB
assets/PasswordFields-PRmvmozX.js (new)	—	4.51 kB	🔴 +4.51 kB	🔴 +1.35 kB	🔴 +1.19 kB
assets/auth-M4O0dzkq.js (new)	—	3.4 kB	🔴 +3.4 kB	🔴 +1.18 kB	🔴 +987 B
~~assets/auth-RCIcn3JW.js~~ (removed)	3.4 kB	—	🟢 -3.4 kB	🟢 -1.18 kB	🟢 -984 B
assets/SignUpForm-C3C957m7.js (new)	—	3.01 kB	🔴 +3.01 kB	🔴 +1.23 kB	🔴 +1.09 kB
~~assets/SignUpForm-DtleuS_F.js~~ (removed)	3.01 kB	—	🟢 -3.01 kB	🟢 -1.23 kB	🟢 -1.09 kB
assets/UpdatePasswordContent-BE7vNSv-.js (new)	—	2.42 kB	🔴 +2.42 kB	🔴 +1.09 kB	🔴 +957 B
~~assets/UpdatePasswordContent-CcY7HtHP.js~~ (removed)	2.42 kB	—	🟢 -2.42 kB	🟢 -1.09 kB	🟢 -956 B
~~assets/firebaseAuthStore-9564MoZ5.js~~ (removed)	837 B	—	🟢 -837 B	🟢 -407 B	🟢 -361 B
assets/firebaseAuthStore-DGVFOR_6.js (new)	—	837 B	🔴 +837 B	🔴 +408 B	🔴 +362 B
assets/auth-DuB13RAA.js (new)	—	357 B	🔴 +357 B	🔴 +226 B	🔴 +194 B
~~assets/auth-CAi5RgMb.js~~ (removed)	317 B	—	🟢 -317 B	🟢 -208 B	🟢 -176 B
assets/WorkspaceProfilePic-DoQNteEy.js	1.57 kB	1.57 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

Status: 6 added / 6 removed

Editors & Dialogs — 785 B (baseline 785 B) • ⚪ 0 B

Modals, dialogs, drawers, and in-app editors

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/useSubscriptionDialog-DCSsNVed.js (new)	—	785 B	🔴 +785 B	🔴 +399 B	🔴 +342 B
~~assets/useSubscriptionDialog-RSgqGBh9.js~~ (removed)	785 B	—	🟢 -785 B	🟢 -397 B	🟢 -347 B

Status: 1 added / 1 removed

UI Components — 36.6 kB (baseline 36.6 kB) • ⚪ 0 B

Reusable component library chunks

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
~~assets/useTerminalTabs-DtKuYNrp.js~~ (removed)	9.89 kB	—	🟢 -9.89 kB	🟢 -3.42 kB	🟢 -3 kB
assets/useTerminalTabs-N1GiX8i6.js (new)	—	9.89 kB	🔴 +9.89 kB	🔴 +3.42 kB	🔴 +3.01 kB
~~assets/TopbarBadge-b9GFRGXC.js~~ (removed)	7.45 kB	—	🟢 -7.45 kB	🟢 -1.82 kB	🟢 -1.61 kB
assets/TopbarBadge-DY3yZGiM.js (new)	—	7.45 kB	🔴 +7.45 kB	🔴 +1.81 kB	🔴 +1.6 kB
~~assets/ComfyQueueButton-Bn8Y-iRL.js~~ (removed)	7.17 kB	—	🟢 -7.17 kB	🟢 -2.32 kB	🟢 -2.07 kB
assets/ComfyQueueButton-DBFc_jTn.js (new)	—	7.17 kB	🔴 +7.17 kB	🔴 +2.32 kB	🔴 +2.08 kB
assets/Button-BSbVSHEC.js (new)	—	2.98 kB	🔴 +2.98 kB	🔴 +1.21 kB	🔴 +1.07 kB
~~assets/Button-Dj2HbsJy.js~~ (removed)	2.98 kB	—	🟢 -2.98 kB	🟢 -1.21 kB	🟢 -1.08 kB
~~assets/SubscribeButton-C2E701f2.js~~ (removed)	2.35 kB	—	🟢 -2.35 kB	🟢 -1.02 kB	🟢 -889 B
assets/SubscribeButton-VWxjZ3EH.js (new)	—	2.35 kB	🔴 +2.35 kB	🔴 +1.02 kB	🔴 +888 B
assets/WidgetButton-C-W7fvtO.js (new)	—	1.84 kB	🔴 +1.84 kB	🔴 +876 B	🔴 +769 B
~~assets/WidgetButton-C3gr8Ary.js~~ (removed)	1.84 kB	—	🟢 -1.84 kB	🟢 -876 B	🟢 -769 B
assets/cloudFeedbackTopbarButton-pJHCeJgR.js (new)	—	1.64 kB	🔴 +1.64 kB	🔴 +875 B	🔴 +775 B
~~assets/cloudFeedbackTopbarButton-w_lT6nh_.js~~ (removed)	1.64 kB	—	🟢 -1.64 kB	🟢 -871 B	🟢 -780 B
~~assets/CloudBadge-DuD_yvjw.js~~ (removed)	1.24 kB	—	🟢 -1.24 kB	🟢 -605 B	🟢 -524 B
assets/CloudBadge-DUOHulIZ.js (new)	—	1.24 kB	🔴 +1.24 kB	🔴 +607 B	🔴 +526 B
assets/ComfyQueueButton-Cm_rrP8Y.js (new)	—	842 B	🔴 +842 B	🔴 +414 B	🔴 +363 B
~~assets/ComfyQueueButton-D65DQADJ.js~~ (removed)	842 B	—	🟢 -842 B	🟢 -409 B	🟢 -368 B
assets/UserAvatar-BG_h7fX0.js	1.17 kB	1.17 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

Status: 9 added / 9 removed

Data & Services — 2.16 MB (baseline 2.16 MB) • 🔴 +846 B

Stores, services, APIs, and repositories

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/dialogService-CKkppKm8.js (new)	—	1.38 MB	🔴 +1.38 MB	🔴 +310 kB	🔴 +239 kB
~~assets/dialogService-LC7qZzd2.js~~ (removed)	1.38 MB	—	🟢 -1.38 MB	🟢 -310 kB	🟢 -239 kB
assets/api-BdcFxK6w.js (new)	—	647 kB	🔴 +647 kB	🔴 +146 kB	🔴 +117 kB
~~assets/api-DAzYpMDW.js~~ (removed)	646 kB	—	🟢 -646 kB	🟢 -146 kB	🟢 -116 kB
assets/load3dService-CfypEAb4.js (new)	—	91 kB	🔴 +91 kB	🔴 +19.1 kB	🔴 +16.4 kB
~~assets/load3dService-DAvhTKnO.js~~ (removed)	91 kB	—	🟢 -91 kB	🟢 -19.1 kB	🟢 -16.4 kB
assets/systemStatsStore-BQ8zrHIK.js (new)	—	12.2 kB	🔴 +12.2 kB	🔴 +4.26 kB	🔴 +3.74 kB
~~assets/systemStatsStore-Co6Amxgs.js~~ (removed)	12.2 kB	—	🟢 -12.2 kB	🟢 -4.26 kB	🟢 -3.74 kB
~~assets/releaseStore-a-zYHPS2.js~~ (removed)	7.96 kB	—	🟢 -7.96 kB	🟢 -2.22 kB	🟢 -1.96 kB
assets/releaseStore-DMZpTDd8.js (new)	—	7.96 kB	🔴 +7.96 kB	🔴 +2.22 kB	🔴 +1.96 kB
~~assets/keybindingService-BdHih8jv.js~~ (removed)	6.57 kB	—	🟢 -6.57 kB	🟢 -1.72 kB	🟢 -1.49 kB
assets/keybindingService-PMF7BP66.js (new)	—	6.57 kB	🔴 +6.57 kB	🔴 +1.72 kB	🔴 +1.49 kB
~~assets/dialogStore-BPhITqFz.js~~ (removed)	4.1 kB	—	🟢 -4.1 kB	🟢 -1.24 kB	🟢 -1.1 kB
assets/dialogStore-DqEczCra.js (new)	—	4.1 kB	🔴 +4.1 kB	🔴 +1.24 kB	🔴 +1.1 kB
~~assets/bootstrapStore-_O1LiYm5.js~~ (removed)	2.08 kB	—	🟢 -2.08 kB	🟢 -876 B	🟢 -797 B
assets/bootstrapStore-Bu9j5NAA.js (new)	—	2.08 kB	🔴 +2.08 kB	🔴 +874 B	🔴 +794 B
assets/userStore-B1rewmTk.js (new)	—	1.85 kB	🔴 +1.85 kB	🔴 +720 B	🔴 +666 B
~~assets/userStore-BuULa-NJ.js~~ (removed)	1.85 kB	—	🟢 -1.85 kB	🟢 -719 B	🟢 -669 B
~~assets/audioService-CEErKTc_.js~~ (removed)	1.73 kB	—	🟢 -1.73 kB	🟢 -845 B	🟢 -727 B
assets/audioService-CG0W9H3i.js (new)	—	1.73 kB	🔴 +1.73 kB	🔴 +849 B	🔴 +725 B
~~assets/releaseStore-B3WemQO4.js~~ (removed)	809 B	—	🟢 -809 B	🟢 -401 B	🟢 -357 B
assets/releaseStore-DLkTQ7RB.js (new)	—	809 B	🔴 +809 B	🔴 +404 B	🔴 +351 B
assets/settingStore-DJMmb2rP.js (new)	—	793 B	🔴 +793 B	🔴 +405 B	🔴 +350 B
~~assets/settingStore-DO3E1oGs.js~~ (removed)	793 B	—	🟢 -793 B	🟢 -403 B	🟢 -354 B
~~assets/workflowDraftStore-BqkeDnFq.js~~ (removed)	785 B	—	🟢 -785 B	🟢 -396 B	🟢 -349 B
assets/workflowDraftStore-CEHB5RPg.js (new)	—	785 B	🔴 +785 B	🔴 +398 B	🔴 +347 B
~~assets/dialogService-Cm6BwRfR.js~~ (removed)	774 B	—	🟢 -774 B	🟢 -388 B	🟢 -347 B
assets/dialogService-DHslvrvK.js (new)	—	774 B	🔴 +774 B	🔴 +391 B	🔴 +342 B
assets/serverConfigStore-DQj3s_QB.js	2.32 kB	2.32 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

Status: 14 added / 14 removed

Utilities & Hooks — 237 kB (baseline 237 kB) • ⚪ 0 B

Helpers, composables, and utility bundles

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/useConflictDetection-D1hJ_pkV.js (new)	—	178 kB	🔴 +178 kB	🔴 +39.4 kB	🔴 +32.8 kB
~~assets/useConflictDetection-wqLS-1SD.js~~ (removed)	178 kB	—	🟢 -178 kB	🟢 -39.4 kB	🟢 -32.8 kB
~~assets/useLoad3d-BlGaXMc6.js~~ (removed)	14.6 kB	—	🟢 -14.6 kB	🟢 -3.63 kB	🟢 -3.21 kB
assets/useLoad3d-DU8qjHkw.js (new)	—	14.6 kB	🔴 +14.6 kB	🔴 +3.63 kB	🔴 +3.21 kB
~~assets/useLoad3dViewer-5L8ZVhBw.js~~ (removed)	14.1 kB	—	🟢 -14.1 kB	🟢 -3.15 kB	🟢 -2.79 kB
assets/useLoad3dViewer-B7THVODk.js (new)	—	14.1 kB	🔴 +14.1 kB	🔴 +3.15 kB	🔴 +2.8 kB
assets/colorUtil-CZQOOTdR.js (new)	—	7 kB	🔴 +7 kB	🔴 +2.15 kB	🔴 +1.9 kB
~~assets/colorUtil-Dyra1oIg.js~~ (removed)	7 kB	—	🟢 -7 kB	🟢 -2.14 kB	🟢 -1.9 kB
~~assets/useFeatureFlags-CAl60but.js~~ (removed)	3.32 kB	—	🟢 -3.32 kB	🟢 -1.04 kB	🟢 -900 B
assets/useFeatureFlags-YfCgQjWZ.js (new)	—	3.32 kB	🔴 +3.32 kB	🔴 +1.04 kB	🔴 +898 B
assets/useWorkspaceUI-BLTiArI_.js (new)	—	3 kB	🔴 +3 kB	🔴 +822 B	🔴 +699 B
~~assets/useWorkspaceUI-CmiySVzm.js~~ (removed)	3 kB	—	🟢 -3 kB	🟢 -823 B	🟢 -702 B
assets/useSubscriptionCredits-Cz8yecMj.js (new)	—	2.75 kB	🔴 +2.75 kB	🔴 +1.04 kB	🔴 +899 B
~~assets/useSubscriptionCredits-DbTH-Amy.js~~ (removed)	2.75 kB	—	🟢 -2.75 kB	🟢 -1.04 kB	🟢 -896 B
~~assets/subscriptionCheckoutUtil-D15064nJ.js~~ (removed)	2.53 kB	—	🟢 -2.53 kB	🟢 -1.06 kB	🟢 -961 B
assets/subscriptionCheckoutUtil-D6bCnfBG.js (new)	—	2.53 kB	🔴 +2.53 kB	🔴 +1.06 kB	🔴 +955 B
assets/useExternalLink-GS6EmjDk.js (new)	—	1.66 kB	🔴 +1.66 kB	🔴 +774 B	🔴 +681 B
~~assets/useExternalLink-XIa_dRDW.js~~ (removed)	1.66 kB	—	🟢 -1.66 kB	🟢 -772 B	🟢 -682 B
assets/useCopyToClipboard-BVtTC2zJ.js (new)	—	1.57 kB	🔴 +1.57 kB	🔴 +669 B	🔴 +559 B
~~assets/useCopyToClipboard-sqlVj2Q_.js~~ (removed)	1.57 kB	—	🟢 -1.57 kB	🟢 -669 B	🟢 -564 B
assets/markdownRendererUtil-Dct6u2-O.js (new)	—	1.56 kB	🔴 +1.56 kB	🔴 +811 B	🔴 +697 B
~~assets/markdownRendererUtil-DKmelI5u.js~~ (removed)	1.56 kB	—	🟢 -1.56 kB	🟢 -811 B	🟢 -695 B
assets/useErrorHandling-fmMv0mDZ.js (new)	—	1.47 kB	🔴 +1.47 kB	🔴 +612 B	🔴 +516 B
~~assets/useErrorHandling-qnYr0FY7.js~~ (removed)	1.47 kB	—	🟢 -1.47 kB	🟢 -613 B	🟢 -515 B
~~assets/useWorkspaceSwitch-B8Bur_sg.js~~ (removed)	1.25 kB	—	🟢 -1.25 kB	🟢 -545 B	🟢 -475 B
assets/useWorkspaceSwitch-DDSGuBz6.js (new)	—	1.25 kB	🔴 +1.25 kB	🔴 +545 B	🔴 +480 B
~~assets/useLoad3d-CBgcG4yq.js~~ (removed)	908 B	—	🟢 -908 B	🟢 -442 B	🟢 -394 B
assets/useLoad3d-CC7PLi3P.js (new)	—	908 B	🔴 +908 B	🔴 +446 B	🔴 +395 B
assets/useLoad3dViewer-DMbyC7lE.js (new)	—	887 B	🔴 +887 B	🔴 +429 B	🔴 +381 B
~~assets/useLoad3dViewer-DvIV5dwI.js~~ (removed)	887 B	—	🟢 -887 B	🟢 -429 B	🟢 -386 B
assets/audioUtils-DhgFlFWv.js (new)	—	858 B	🔴 +858 B	🔴 +501 B	🔴 +404 B
~~assets/audioUtils-pk4LWZFV.js~~ (removed)	858 B	—	🟢 -858 B	🟢 -503 B	🟢 -405 B
assets/useCurrentUser-A5ADIwB9.js (new)	—	771 B	🔴 +771 B	🔴 +393 B	🔴 +342 B
~~assets/useCurrentUser-D6F5pRGP.js~~ (removed)	771 B	—	🟢 -771 B	🟢 -390 B	🟢 -344 B
~~assets/envUtil-BHmbpOtd.js~~ (removed)	466 B	—	🟢 -466 B	🟢 -294 B	🟢 -250 B
assets/envUtil-C9Y4v_FL.js (new)	—	466 B	🔴 +466 B	🔴 +295 B	🔴 +251 B
assets/_plugin-vue_export-helper-BYZQdlgo.js (new)	—	315 B	🔴 +315 B	🔴 +232 B	🔴 +201 B
~~assets/_plugin-vue_export-helper-CY4XIWDa.js~~ (removed)	315 B	—	🟢 -315 B	🟢 -232 B	🟢 -201 B
assets/SkeletonUtils-CsnHjXS0.js	133 B	133 B	⚪ 0 B	⚪ 0 B	⚪ 0 B

Status: 19 added / 19 removed

Vendor & Third-Party — 8.69 MB (baseline 8.69 MB) • ⚪ 0 B

External libraries and shared vendor chunks

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/vendor-other-DIFkoP9Z.js (new)	—	1.52 MB	🔴 +1.52 MB	🔴 +318 kB	🔴 +253 kB
~~assets/vendor-other-nQKlOIkS.js~~ (removed)	1.52 MB	—	🟢 -1.52 MB	🟢 -318 kB	🟢 -253 kB
~~assets/vendor-tiptap-Bi_34iZD.js~~ (removed)	625 kB	—	🟢 -625 kB	🟢 -146 kB	🟢 -119 kB
assets/vendor-tiptap-DN5cees9.js (new)	—	625 kB	🔴 +625 kB	🔴 +146 kB	🔴 +119 kB
~~assets/vendor-reka-ui-B82zTENX.js~~ (removed)	255 kB	—	🟢 -255 kB	🟢 -51.4 kB	🟢 -42.5 kB
assets/vendor-reka-ui-DAi_xVZa.js (new)	—	255 kB	🔴 +255 kB	🔴 +51.4 kB	🔴 +42.5 kB
~~assets/vendor-yjs-CBmk8HiD.js~~ (removed)	143 kB	—	🟢 -143 kB	🟢 -29.5 kB	🟢 -25.8 kB
assets/vendor-yjs-CP_4YO8u.js (new)	—	143 kB	🔴 +143 kB	🔴 +29.5 kB	🔴 +25.8 kB
~~assets/vendor-i18n-BxsQv-KC.js~~ (removed)	131 kB	—	🟢 -131 kB	🟢 -27.4 kB	🟢 -23.6 kB
assets/vendor-i18n-cR3vmlFu.js (new)	—	131 kB	🔴 +131 kB	🔴 +27.4 kB	🔴 +23.5 kB
assets/vendor-markdown-oliHT-H5.js (new)	—	102 kB	🔴 +102 kB	🔴 +24.8 kB	🔴 +22 kB
~~assets/vendor-markdown-uorjc_FY.js~~ (removed)	102 kB	—	🟢 -102 kB	🟢 -24.8 kB	🟢 -22 kB
assets/vendor-axios-C4mPrLmU.js	70.3 kB	70.3 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-chart-l-KY-tZQ.js	399 kB	399 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-firebase-BvMr43CG.js	836 kB	836 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-primevue-DbhsokLF.js	1.73 MB	1.73 MB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-sentry-SQwstEKc.js	182 kB	182 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-three-ueviNA60.js	1.8 MB	1.8 MB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-vue-core-BjA-tjXK.js	311 kB	311 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-vueuse-DcEOrMQz.js	112 kB	112 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-xterm-DO-SJi0U.js	374 kB	374 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/vendor-zod-DcCUUPIi.js	109 kB	109 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

Status: 6 added / 6 removed

Other — 7.34 MB (baseline 7.34 MB) • ⚪ 0 B

Bundles that do not match a named category

File	Before	After	Δ Raw	Δ Gzip	Δ Brotli
assets/i18n-BhEpSOAP.js (new)	—	497 kB	🔴 +497 kB	🔴 +95.3 kB	🔴 +74.3 kB
~~assets/i18n-DHoF2N6l.js~~ (removed)	497 kB	—	🟢 -497 kB	🟢 -95.3 kB	🟢 -74.2 kB
~~assets/core--JWypz_V.js~~ (removed)	72.5 kB	—	🟢 -72.5 kB	🟢 -18.7 kB	🟢 -16 kB
assets/core-KLRfl2R7.js (new)	—	72.5 kB	🔴 +72.5 kB	🔴 +18.7 kB	🔴 +16 kB
~~assets/groupNode-BeX45aRB.js~~ (removed)	72.1 kB	—	🟢 -72.1 kB	🟢 -17.7 kB	🟢 -15.6 kB
assets/groupNode-BkXu7Klq.js (new)	—	72.1 kB	🔴 +72.1 kB	🔴 +17.7 kB	🔴 +15.6 kB
~~assets/WidgetSelect-DbQHBEkt.js~~ (removed)	57.8 kB	—	🟢 -57.8 kB	🟢 -12.3 kB	🟢 -10.6 kB
assets/WidgetSelect-Dy-IgwmB.js (new)	—	57.8 kB	🔴 +57.8 kB	🔴 +12.3 kB	🔴 +10.6 kB
~~assets/SubscriptionRequiredDialogContentWorkspace-CeD_qnIW.js~~ (removed)	45.9 kB	—	🟢 -45.9 kB	🟢 -8.58 kB	🟢 -7.42 kB
assets/SubscriptionRequiredDialogContentWorkspace-DdfFhOh1.js (new)	—	45.9 kB	🔴 +45.9 kB	🔴 +8.58 kB	🔴 +7.42 kB
assets/Load3DControls-BH1fOPJ8.js (new)	—	30.9 kB	🔴 +30.9 kB	🔴 +5.34 kB	🔴 +4.65 kB
~~assets/Load3DControls-D5LGYi3O.js~~ (removed)	30.9 kB	—	🟢 -30.9 kB	🟢 -5.34 kB	🟢 -4.65 kB
~~assets/WorkspacePanelContent-BRJZNeJO.js~~ (removed)	29.3 kB	—	🟢 -29.3 kB	🟢 -6.12 kB	🟢 -5.38 kB
assets/WorkspacePanelContent-CugIyJ5s.js (new)	—	29.3 kB	🔴 +29.3 kB	🔴 +6.13 kB	🔴 +5.39 kB
assets/SubscriptionRequiredDialogContent-BZlft-m_.js (new)	—	26.2 kB	🔴 +26.2 kB	🔴 +6.59 kB	🔴 +5.8 kB
~~assets/SubscriptionRequiredDialogContent-DDokz5sE.js~~ (removed)	26.2 kB	—	🟢 -26.2 kB	🟢 -6.59 kB	🟢 -5.8 kB
~~assets/Load3dViewerContent-BE8mO5sx.js~~ (removed)	23.1 kB	—	🟢 -23.1 kB	🟢 -5.2 kB	🟢 -4.5 kB
assets/Load3dViewerContent-CrscdvwE.js (new)	—	23.1 kB	🔴 +23.1 kB	🔴 +5.19 kB	🔴 +4.5 kB
~~assets/WidgetImageCrop-BQPx9_ii.js~~ (removed)	22.4 kB	—	🟢 -22.4 kB	🟢 -5.53 kB	🟢 -4.87 kB
assets/WidgetImageCrop-yy3tmJ_6.js (new)	—	22.4 kB	🔴 +22.4 kB	🔴 +5.53 kB	🔴 +4.86 kB
~~assets/SubscriptionPanelContentWorkspace-B02sAmst.js~~ (removed)	21.6 kB	—	🟢 -21.6 kB	🟢 -5.02 kB	🟢 -4.42 kB
assets/SubscriptionPanelContentWorkspace-B08WWpcB.js (new)	—	21.6 kB	🔴 +21.6 kB	🔴 +5.02 kB	🔴 +4.43 kB
~~assets/CurrentUserPopoverWorkspace-17YxBYmD.js~~ (removed)	19.9 kB	—	🟢 -19.9 kB	🟢 -4.88 kB	🟢 -4.36 kB
assets/CurrentUserPopoverWorkspace-DEXhF6fq.js (new)	—	19.9 kB	🔴 +19.9 kB	🔴 +4.89 kB	🔴 +4.35 kB
~~assets/SignInContent-B6ErpijM.js~~ (removed)	19 kB	—	🟢 -19 kB	🟢 -4.81 kB	🟢 -4.2 kB
assets/SignInContent-BmiGhAD-.js (new)	—	19 kB	🔴 +19 kB	🔴 +4.81 kB	🔴 +4.2 kB
assets/WidgetRecordAudio-C6MUclY4.js (new)	—	17.4 kB	🔴 +17.4 kB	🔴 +4.97 kB	🔴 +4.44 kB
~~assets/WidgetRecordAudio-qhs9KOhY.js~~ (removed)	17.4 kB	—	🟢 -17.4 kB	🟢 -4.96 kB	🟢 -4.44 kB
~~assets/MissingModelsWarning-BIw9OiQ4.js~~ (removed)	17.2 kB	—	🟢 -17.2 kB	🟢 -4.7 kB	🟢 -4.16 kB
assets/MissingModelsWarning-BO-QQr3P.js (new)	—	17.2 kB	🔴 +17.2 kB	🔴 +4.7 kB	🔴 +4.17 kB
~~assets/Load3D-C_WbJEGr.js~~ (removed)	16.2 kB	—	🟢 -16.2 kB	🟢 -4.04 kB	🟢 -3.53 kB
assets/Load3D-C-FhNDS1.js (new)	—	16.2 kB	🔴 +16.2 kB	🔴 +4.04 kB	🔴 +3.52 kB
~~assets/WidgetInputNumber-CFJAfl8n.js~~ (removed)	15.8 kB	—	🟢 -15.8 kB	🟢 -4.26 kB	🟢 -3.8 kB
assets/WidgetInputNumber-XfO2mPWa.js (new)	—	15.8 kB	🔴 +15.8 kB	🔴 +4.26 kB	🔴 +3.8 kB
~~assets/load3d-Ba9-N5je.js~~ (removed)	14.8 kB	—	🟢 -14.8 kB	🟢 -4.21 kB	🟢 -3.64 kB
assets/load3d-BrK9_Oa0.js (new)	—	14.8 kB	🔴 +14.8 kB	🔴 +4.21 kB	🔴 +3.64 kB
~~assets/LazyImage-C3fGI-zy.js~~ (removed)	12.3 kB	—	🟢 -12.3 kB	🟢 -3.79 kB	🟢 -3.33 kB
assets/LazyImage-DSlFyohh.js (new)	—	12.3 kB	🔴 +12.3 kB	🔴 +3.79 kB	🔴 +3.34 kB
assets/AudioPreviewPlayer-D3rYGQap.js (new)	—	10.9 kB	🔴 +10.9 kB	🔴 +3.22 kB	🔴 +2.87 kB
~~assets/AudioPreviewPlayer-DPIJUkwU.js~~ (removed)	10.9 kB	—	🟢 -10.9 kB	🟢 -3.22 kB	🟢 -2.88 kB
assets/NodeConflictDialogContent-C1L-HohK.js (new)	—	10.5 kB	🔴 +10.5 kB	🔴 +2.36 kB	🔴 +2.09 kB
~~assets/NodeConflictDialogContent-DDuAxTkj.js~~ (removed)	10.5 kB	—	🟢 -10.5 kB	🟢 -2.36 kB	🟢 -2.08 kB
~~assets/changeTracker-CGwGyLTG.js~~ (removed)	9.38 kB	—	🟢 -9.38 kB	🟢 -2.89 kB	🟢 -2.55 kB
assets/changeTracker-CXb-GWnP.js (new)	—	9.38 kB	🔴 +9.38 kB	🔴 +2.89 kB	🔴 +2.55 kB
~~assets/nodeTemplates--ZNJrzfY.js~~ (removed)	9.35 kB	—	🟢 -9.35 kB	🟢 -3.27 kB	🟢 -2.88 kB
assets/nodeTemplates-Cz9pKPz1.js (new)	—	9.35 kB	🔴 +9.35 kB	🔴 +3.28 kB	🔴 +2.88 kB
~~assets/SelectValue-BgcUCvTv.js~~ (removed)	8.94 kB	—	🟢 -8.94 kB	🟢 -2.27 kB	🟢 -2.01 kB
assets/SelectValue-BLaUzhId.js (new)	—	8.94 kB	🔴 +8.94 kB	🔴 +2.27 kB	🔴 +2.01 kB
assets/InviteMemberDialogContent-ChZalpvF.js (new)	—	7.44 kB	🔴 +7.44 kB	🔴 +2.31 kB	🔴 +2.02 kB
~~assets/InviteMemberDialogContent-JmraJ8Ih.js~~ (removed)	7.44 kB	—	🟢 -7.44 kB	🟢 -2.31 kB	🟢 -2.01 kB
assets/WidgetWithControl-1N5gVhzZ.js (new)	—	7.08 kB	🔴 +7.08 kB	🔴 +2.65 kB	🔴 +2.36 kB
~~assets/WidgetWithControl-CeDcH_8g.js~~ (removed)	7.08 kB	—	🟢 -7.08 kB	🟢 -2.65 kB	🟢 -2.36 kB
assets/MissingNodesFooter-CcKslp4r.js (new)	—	6.75 kB	🔴 +6.75 kB	🔴 +2.3 kB	🔴 +2.08 kB
~~assets/MissingNodesFooter-CEqElrCt.js~~ (removed)	6.75 kB	—	🟢 -6.75 kB	🟢 -2.3 kB	🟢 -2.06 kB
assets/Load3DConfiguration-CZdFjUHM.js (new)	—	6.27 kB	🔴 +6.27 kB	🔴 +1.91 kB	🔴 +1.68 kB
~~assets/Load3DConfiguration-D_MADRpH.js~~ (removed)	6.27 kB	—	🟢 -6.27 kB	🟢 -1.92 kB	🟢 -1.68 kB
assets/MissingNodesContent-9ue_NP0_.js (new)	—	6.18 kB	🔴 +6.18 kB	🔴 +2.1 kB	🔴 +1.87 kB
~~assets/MissingNodesContent-Cl_n60jv.js~~ (removed)	6.18 kB	—	🟢 -6.18 kB	🟢 -2.1 kB	🟢 -1.87 kB
assets/CreateWorkspaceDialogContent-BHjVs7KU.js (new)	—	5.58 kB	🔴 +5.58 kB	🔴 +2.01 kB	🔴 +1.74 kB
~~assets/CreateWorkspaceDialogContent-Bl95dFUh.js~~ (removed)	5.58 kB	—	🟢 -5.58 kB	🟢 -2.01 kB	🟢 -1.75 kB
assets/EditWorkspaceDialogContent-CDuuEHtC.js (new)	—	5.38 kB	🔴 +5.38 kB	🔴 +1.96 kB	🔴 +1.71 kB
~~assets/EditWorkspaceDialogContent-D9Le0MDY.js~~ (removed)	5.38 kB	—	🟢 -5.38 kB	🟢 -1.96 kB	🟢 -1.71 kB
assets/ValueControlPopover--Sk9oarL.js (new)	—	4.97 kB	🔴 +4.97 kB	🔴 +1.79 kB	🔴 +1.59 kB
~~assets/ValueControlPopover-CT_GjYRU.js~~ (removed)	4.97 kB	—	🟢 -4.97 kB	🟢 -1.79 kB	🟢 -1.59 kB
~~assets/Preview3d-CZNG_qtH.js~~ (removed)	4.86 kB	—	🟢 -4.86 kB	🟢 -1.58 kB	🟢 -1.39 kB
assets/Preview3d-xS1EWWFk.js (new)	—	4.86 kB	🔴 +4.86 kB	🔴 +1.59 kB	🔴 +1.39 kB
~~assets/CancelSubscriptionDialogContent-lPWQsPiC.js~~ (removed)	4.85 kB	—	🟢 -4.85 kB	🟢 -1.8 kB	🟢 -1.57 kB
assets/CancelSubscriptionDialogContent-u3bGrGFh.js (new)	—	4.85 kB	🔴 +4.85 kB	🔴 +1.8 kB	🔴 +1.57 kB
assets/AnimationControls-CGPD_cLU.js (new)	—	4.61 kB	🔴 +4.61 kB	🔴 +1.6 kB	🔴 +1.41 kB
~~assets/AnimationControls-DYo7IBac.js~~ (removed)	4.61 kB	—	🟢 -4.61 kB	🟢 -1.6 kB	🟢 -1.41 kB
~~assets/DeleteWorkspaceDialogContent-Cy6M8HJV.js~~ (removed)	4.29 kB	—	🟢 -4.29 kB	🟢 -1.65 kB	🟢 -1.44 kB
assets/DeleteWorkspaceDialogContent-MYS8UCEY.js (new)	—	4.29 kB	🔴 +4.29 kB	🔴 +1.65 kB	🔴 +1.43 kB
assets/LeaveWorkspaceDialogContent-B6RzeP-P.js (new)	—	4.12 kB	🔴 +4.12 kB	🔴 +1.6 kB	🔴 +1.38 kB
~~assets/LeaveWorkspaceDialogContent-DPtJDe0r.js~~ (removed)	4.12 kB	—	🟢 -4.12 kB	🟢 -1.59 kB	🟢 -1.38 kB
assets/RemoveMemberDialogContent-CGDlUk2t.js (new)	—	4.1 kB	🔴 +4.1 kB	🔴 +1.55 kB	🔴 +1.34 kB
~~assets/RemoveMemberDialogContent-DEJ_vAix.js~~ (removed)	4.1 kB	—	🟢 -4.1 kB	🟢 -1.54 kB	🟢 -1.35 kB
assets/RevokeInviteDialogContent-BHfWQ_fn.js (new)	—	4.01 kB	🔴 +4.01 kB	🔴 +1.56 kB	🔴 +1.37 kB
~~assets/RevokeInviteDialogContent-BNxLgM1w.js~~ (removed)	4.01 kB	—	🟢 -4.01 kB	🟢 -1.56 kB	🟢 -1.37 kB
~~assets/InviteMemberUpsellDialogContent-BnZFW65j.js~~ (removed)	3.88 kB	—	🟢 -3.88 kB	🟢 -1.42 kB	🟢 -1.24 kB
assets/InviteMemberUpsellDialogContent-D0e_C8LM.js (new)	—	3.88 kB	🔴 +3.88 kB	🔴 +1.42 kB	🔴 +1.25 kB
assets/WidgetGalleria-7qXE9PZk.js (new)	—	3.61 kB	🔴 +3.61 kB	🔴 +1.39 kB	🔴 +1.25 kB
~~assets/WidgetGalleria-CtviJvlD.js~~ (removed)	3.61 kB	—	🟢 -3.61 kB	🟢 -1.39 kB	🟢 -1.25 kB
assets/Slider-BhcBhVMn.js (new)	—	3.52 kB	🔴 +3.52 kB	🔴 +1.36 kB	🔴 +1.2 kB
~~assets/Slider-DEgXPw2z.js~~ (removed)	3.52 kB	—	🟢 -3.52 kB	🟢 -1.36 kB	🟢 -1.19 kB
assets/saveMesh-CW91OVdI.js (new)	—	3.43 kB	🔴 +3.43 kB	🔴 +1.48 kB	🔴 +1.32 kB
~~assets/saveMesh-DocXKcu8.js~~ (removed)	3.43 kB	—	🟢 -3.43 kB	🟢 -1.48 kB	🟢 -1.32 kB
~~assets/WidgetTextarea-COoicNcT.js~~ (removed)	3.18 kB	—	🟢 -3.18 kB	🟢 -1.31 kB	🟢 -1.16 kB
assets/WidgetTextarea-DurObIpO.js (new)	—	3.18 kB	🔴 +3.18 kB	🔴 +1.31 kB	🔴 +1.17 kB
~~assets/cloudSessionCookie-Bw1hxqKg.js~~ (removed)	3.15 kB	—	🟢 -3.15 kB	🟢 -1.1 kB	🟢 -980 B
assets/cloudSessionCookie-kd2pLGKF.js (new)	—	3.15 kB	🔴 +3.15 kB	🔴 +1.1 kB	🔴 +968 B
assets/GlobalToast-BZYdIJug.js (new)	—	2.91 kB	🔴 +2.91 kB	🔴 +1.21 kB	🔴 +1.03 kB
~~assets/GlobalToast-GbmfBFYE.js~~ (removed)	2.91 kB	—	🟢 -2.91 kB	🟢 -1.21 kB	🟢 -1.06 kB
~~assets/WidgetColorPicker-cmyWkRPc.js~~ (removed)	2.9 kB	—	🟢 -2.9 kB	🟢 -1.23 kB	🟢 -1.11 kB
assets/WidgetColorPicker-DfUBpgxw.js (new)	—	2.9 kB	🔴 +2.9 kB	🔴 +1.23 kB	🔴 +1.11 kB
~~assets/WidgetMarkdown-CHVDGUH1.js~~ (removed)	2.88 kB	—	🟢 -2.88 kB	🟢 -1.22 kB	🟢 -1.09 kB
assets/WidgetMarkdown-wIs8y1Ja.js (new)	—	2.88 kB	🔴 +2.88 kB	🔴 +1.22 kB	🔴 +1.06 kB
~~assets/ApiNodesSignInContent-CccuIBft.js~~ (removed)	2.69 kB	—	🟢 -2.69 kB	🟢 -1.05 kB	🟢 -924 B
assets/ApiNodesSignInContent-CKaYlwws.js (new)	—	2.69 kB	🔴 +2.69 kB	🔴 +1.05 kB	🔴 +922 B
~~assets/WidgetToggleSwitch-Cu6q7UIj.js~~ (removed)	2.5 kB	—	🟢 -2.5 kB	🟢 -1.09 kB	🟢 -973 B
assets/WidgetToggleSwitch-D4M7QPIz.js (new)	—	2.5 kB	🔴 +2.5 kB	🔴 +1.09 kB	🔴 +971 B
assets/NodeConflictFooter-BmfFpvqg.js (new)	—	2.37 kB	🔴 +2.37 kB	🔴 +1.03 kB	🔴 +910 B
~~assets/NodeConflictFooter-Djcl6-P3.js~~ (removed)	2.37 kB	—	🟢 -2.37 kB	🟢 -1.03 kB	🟢 -911 B
~~assets/SubscribeToRun-BtaRNIJ-.js~~ (removed)	2.2 kB	—	🟢 -2.2 kB	🟢 -1.01 kB	🟢 -878 B
assets/SubscribeToRun-CAuI7oF8.js (new)	—	2.2 kB	🔴 +2.2 kB	🔴 +1.01 kB	🔴 +895 B
assets/WidgetLayoutField-CvLvf7SF.js (new)	—	1.95 kB	🔴 +1.95 kB	🔴 +880 B	🔴 +763 B
~~assets/WidgetLayoutField-dK2Gv6kY.js~~ (removed)	1.95 kB	—	🟢 -1.95 kB	🟢 -880 B	🟢 -764 B
assets/ImportFailedNodeFooter-Cav8eJMa.js (new)	—	1.88 kB	🔴 +1.88 kB	🔴 +866 B	🔴 +757 B
~~assets/ImportFailedNodeFooter-CpamN1et.js~~ (removed)	1.88 kB	—	🟢 -1.88 kB	🟢 -866 B	🟢 -760 B
assets/WidgetInputText-BQ_QzI-O.js (new)	—	1.86 kB	🔴 +1.86 kB	🔴 +876 B	🔴 +790 B
~~assets/WidgetInputText-CEacYTkx.js~~ (removed)	1.86 kB	—	🟢 -1.86 kB	🟢 -876 B	🟢 -794 B
assets/BaseViewTemplate-BQXZlAql.js (new)	—	1.78 kB	🔴 +1.78 kB	🔴 +928 B	🔴 +806 B
~~assets/BaseViewTemplate-CMsq0eVx.js~~ (removed)	1.78 kB	—	🟢 -1.78 kB	🟢 -926 B	🟢 -807 B
~~assets/CloudRunButtonWrapper-B5c1nAMG.js~~ (removed)	1.72 kB	—	🟢 -1.72 kB	🟢 -804 B	🟢 -728 B
assets/CloudRunButtonWrapper-DpjDc4rc.js (new)	—	1.72 kB	🔴 +1.72 kB	🔴 +802 B	🔴 +726 B
~~assets/signInSchema-B4Upt30J.js~~ (removed)	1.53 kB	—	🟢 -1.53 kB	🟢 -564 B	🟢 -517 B
assets/signInSchema-CLUPsjIs.js (new)	—	1.53 kB	🔴 +1.53 kB	🔴 +562 B	🔴 +516 B
~~assets/cloudBadges-C8UE6N5v.js~~ (removed)	1.42 kB	—	🟢 -1.42 kB	🟢 -727 B	🟢 -635 B
assets/cloudBadges-TZYVodOQ.js (new)	—	1.42 kB	🔴 +1.42 kB	🔴 +727 B	🔴 +621 B
~~assets/cloudSubscription-DY7ghgtx.js~~ (removed)	1.38 kB	—	🟢 -1.38 kB	🟢 -678 B	🟢 -589 B
assets/cloudSubscription-F91AYPEG.js (new)	—	1.38 kB	🔴 +1.38 kB	🔴 +680 B	🔴 +584 B
~~assets/Load3D-6SDkEHoB.js~~ (removed)	1.12 kB	—	🟢 -1.12 kB	🟢 -517 B	🟢 -459 B
assets/Load3D-DYIKSaRN.js (new)	—	1.12 kB	🔴 +1.12 kB	🔴 +520 B	🔴 +459 B
assets/NodeConflictHeader-DgbhznVf.js (new)	—	1.09 kB	🔴 +1.09 kB	🔴 +567 B	🔴 +476 B
~~assets/NodeConflictHeader-rQhN1ngl.js~~ (removed)	1.09 kB	—	🟢 -1.09 kB	🟢 -568 B	🟢 -477 B
~~assets/ImportFailedNodeHeader-BSevqbSb.js~~ (removed)	1.08 kB	—	🟢 -1.08 kB	🟢 -553 B	🟢 -471 B
assets/ImportFailedNodeHeader-C52A0tqP.js (new)	—	1.08 kB	🔴 +1.08 kB	🔴 +554 B	🔴 +472 B
assets/nightlyBadges-ClLsvwG_.js (new)	—	1.05 kB	🔴 +1.05 kB	🔴 +553 B	🔴 +489 B
~~assets/nightlyBadges-iW5d7UsR.js~~ (removed)	1.05 kB	—	🟢 -1.05 kB	🟢 -552 B	🟢 -491 B
~~assets/Load3dViewerContent-BsMV9a9E.js~~ (removed)	1.04 kB	—	🟢 -1.04 kB	🟢 -486 B	🟢 -433 B
assets/Load3dViewerContent-Dpx40zgh.js (new)	—	1.04 kB	🔴 +1.04 kB	🔴 +488 B	🔴 +428 B
assets/SubscriptionPanelContentWorkspace-BJdyPr_h.js (new)	—	979 B	🔴 +979 B	🔴 +455 B	🔴 +393 B
~~assets/SubscriptionPanelContentWorkspace-coOpOBfq.js~~ (removed)	979 B	—	🟢 -979 B	🟢 -453 B	🟢 -394 B
~~assets/ComfyOrgHeader-D3eZno-u.js~~ (removed)	910 B	—	🟢 -910 B	🟢 -496 B	🟢 -424 B
assets/ComfyOrgHeader-Gbby8E71.js (new)	—	910 B	🔴 +910 B	🔴 +498 B	🔴 +424 B
~~assets/changeTracker-B-cQdu2T.js~~ (removed)	806 B	—	🟢 -806 B	🟢 -401 B	🟢 -352 B
assets/changeTracker-CmKaLs2_.js (new)	—	806 B	🔴 +806 B	🔴 +405 B	🔴 +350 B
~~assets/WidgetLegacy-DrnzdOuj.js~~ (removed)	794 B	—	🟢 -794 B	🟢 -403 B	🟢 -350 B
assets/WidgetLegacy-sVGq0ruf.js (new)	—	794 B	🔴 +794 B	🔴 +405 B	🔴 +347 B
assets/graphHasMissingNodes-CrLOn6AD.js (new)	—	761 B	🔴 +761 B	🔴 +372 B	🔴 +316 B
~~assets/graphHasMissingNodes-DREFky_o.js~~ (removed)	761 B	—	🟢 -761 B	🟢 -372 B	🟢 -322 B
~~assets/widget-BhHc6T04.js~~ (removed)	445 B	—	🟢 -445 B	🟢 -308 B	🟢 -252 B
assets/widget-DTUjK0ZE.js (new)	—	445 B	🔴 +445 B	🔴 +307 B	🔴 +249 B
~~assets/widgetTypes-Cp8f93Pk.js~~ (removed)	393 B	—	🟢 -393 B	🟢 -259 B	🟢 -214 B
assets/widgetTypes-DhbPR9pT.js (new)	—	393 B	🔴 +393 B	🔴 +259 B	🔴 +215 B
assets/WidgetInputNumber-BU45jcFg.js (new)	—	392 B	🔴 +392 B	🔴 +232 B	🔴 +220 B
~~assets/WidgetInputNumber-PtXsqz9l.js~~ (removed)	392 B	—	🟢 -392 B	🟢 -232 B	🟢 -198 B
~~assets/src-CSZuPqXn.js~~ (removed)	251 B	—	🟢 -251 B	🟢 -211 B	🟢 -185 B
assets/src-D5pbLGY2.js (new)	—	251 B	🔴 +251 B	🔴 +215 B	🔴 +190 B
~~assets/telemetry-Db2yG1o2.js~~ (removed)	226 B	—	🟢 -226 B	🟢 -184 B	🟢 -153 B
assets/telemetry-zZf2dHJ2.js (new)	—	226 B	🔴 +226 B	🔴 +185 B	🔴 +152 B
assets/i18n-CTtHAC3Q.js (new)	—	199 B	🔴 +199 B	🔴 +161 B	🔴 +138 B
~~assets/i18n-nDV1QqK9.js~~ (removed)	199 B	—	🟢 -199 B	🟢 -159 B	🟢 -138 B
assets/auto-Bt3L7FBS.js	1.7 kB	1.7 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/comfy-logo-single-CzGozBag.js	198 B	198 B	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-B-pgsvFR.js	16.3 kB	16.3 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-BVMMhDLS.js	16.6 kB	16.6 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-CF_CtN5R.js	14.9 kB	14.9 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-Cgae_Kmu.js	17.2 kB	17.2 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-D3k2h7MU.js	15.5 kB	15.5 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-D6S8WS13.js	15.8 kB	15.8 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-OSpDi1he.js	18.4 kB	18.4 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-r2j_2QLb.js	15.7 kB	15.7 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-xCwqbbnl.js	15.8 kB	15.8 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-z76J85Ox.js	14.7 kB	14.7 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/commands-ZBYN9Ax-.js	17.1 kB	17.1 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/constants-C75NYR8_.js	579 B	579 B	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/ImportFailedNodeContent-Cbt6jZyc.js	2.48 kB	2.48 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-BBXjgHHJ.js	168 kB	168 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-BSGI6X8n.js	142 kB	142 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-BwbuHOeJ.js	188 kB	188 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-BxbexJ_X.js	134 kB	134 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-CEa_DitW.js	155 kB	155 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-CfPoug-D.js	119 kB	119 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-CoZyXKuL.js	139 kB	139 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-DFiYtvBS.js	162 kB	162 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-DpjpFJ7n.js	118 kB	118 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-DxYYQN6q.js	137 kB	137 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/main-jNX02YKC.js	135 kB	135 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/Media3DTop--6APVhDO.js	1.82 kB	1.82 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/MediaAudioTop-D379ygrS.js	1.43 kB	1.43 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/MediaImageTop-BvzP3-4M.js	1.75 kB	1.75 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/MediaVideoTop-BEu1PWK1.js	2.23 kB	2.23 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/MissingNodesHeader-JfpleXg9.js	1.09 kB	1.09 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-AB7CPb5Z.js	371 kB	371 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-B0nnzBKi.js	341 kB	341 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-B4dyiuYa.js	417 kB	417 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-CD2Wfp1K.js	375 kB	375 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-Cq7Zu3pU.js	371 kB	371 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-CsjIs0Oo.js	338 kB	338 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-Dg5aovqV.js	364 kB	364 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-H67grW1L.js	386 kB	386 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-NGc5lgvJ.js	368 kB	368 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-UkCFzPva.js	456 kB	456 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/nodeDefs-yIrLktj4.js	418 kB	418 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/OBJLoader2WorkerModule-DTMpvldF.js	109 kB	109 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/previousFullPath-CnDV7A3d.js	665 B	665 B	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/rolldown-runtime-DLICfi3-.js	1.97 kB	1.97 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/types-DT3N7am7.js	204 B	204 B	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetBoundingBox-DMPeCuhp.js	3.91 kB	3.91 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetBoundingBox-F8leYtSX.js	131 B	131 B	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetChart-BDCRAbXS.js	2.21 kB	2.21 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/WidgetImageCompare-CeaLzXAr.js	3.1 kB	3.1 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B
assets/widgetPropFilter-C9FcIgiN.js	1.1 kB	1.1 kB	⚪ 0 B	⚪ 0 B	⚪ 0 B

Status: 76 added / 76 removed

snomiao · 2026-02-15T10:03:20Z

While this fix solves bug but not support html input anymore, Maybe a markdown render is better?

As they sanitize all the input by default, and support safe htmls.

the markdown solution can be solved future PRs, I still recommend to merge this PR first, to reduce vulnerability

github-actions · 2026-02-15T19:46:17Z

Updating Playwright Expectations

The previous XSS fix replaced innerHTML with textContent, which broke the color picker submenu that uses HTML spans for color swatches. Use a sanitizer that allows only safe tags and style properties. https://claude.ai/code/session_01LALt1HEgGvpWD7hhqcp2Gu

coderabbitai

🧹 Nitpick comments (1)

src/lib/litegraph/src/ContextMenu.ts (1)

8-62: Use DOMPurify for sanitizing context menu HTML.

Custom HTML sanitizers are error-prone and vulnerable to bypass attacks (mutation XSS, namespace attacks, DOM clobbering). DOMPurify is available in the project ("dompurify": "^3.2.5") and already used throughout the codebase. Per coding guidelines: "Sanitize HTML with DOMPurify".

Replace the custom sanitizeMenuHTML, sanitizeNode, and sanitizeStyle functions with DOMPurify configuration:

♻️ Proposed refactor using DOMPurify

+import DOMPurify from 'dompurify'
+
 import type {
   ContextMenuDivElement,
   IContextMenuOptions,
   IContextMenuValue
 } from './interfaces'
 import { LiteGraph } from './litegraph'

-const ALLOWED_TAGS = new Set(['span', 'b', 'i', 'em', 'strong'])
-const ALLOWED_STYLE_PROPS = new Set([
-  'display',
-  'color',
-  'background-color',
-  'padding-left',
-  'border-left'
-])
-
-function sanitizeMenuHTML(html: string): string {
-  const doc = new DOMParser().parseFromString(html, 'text/html')
-  sanitizeNode(doc.body)
-  return doc.body.innerHTML
-}
-
-function sanitizeNode(node: Node): void {
-  const toRemove: Node[] = []
-  for (const child of node.childNodes) {
-    if (child.nodeType === Node.ELEMENT_NODE) {
-      const el = child as Element
-      if (!ALLOWED_TAGS.has(el.tagName.toLowerCase())) {
-        toRemove.push(child)
-        continue
-      }
-      // Strip all attributes except safe style properties
-      const attrs = [...el.attributes]
-      for (const attr of attrs) {
-        if (attr.name === 'style') {
-          el.setAttribute('style', sanitizeStyle(attr.value))
-        } else {
-          el.removeAttribute(attr.name)
-        }
-      }
-      sanitizeNode(child)
-    } else if (child.nodeType === Node.TEXT_NODE) {
-      // Text nodes are always safe
-    } else {
-      toRemove.push(child)
-    }
-  }
-  for (const child of toRemove) node.removeChild(child)
-}
-
-function sanitizeStyle(style: string): string {
-  return style
-    .split(';')
-    .map((s) => s.trim())
-    .filter((s) => {
-      const colonIdx = s.indexOf(':')
-      if (colonIdx === -1) return false
-      const prop = s.slice(0, colonIdx).trim().toLowerCase()
-      return ALLOWED_STYLE_PROPS.has(prop)
-    })
-    .join('; ')
-}
+function sanitizeMenuHTML(html: string): string {
+  return DOMPurify.sanitize(html, {
+    ALLOWED_TAGS: ['span', 'b', 'i', 'em', 'strong'],
+    ALLOWED_ATTR: ['style']
+  })
+}

The previous fix checked if content !== text, but since the content is passed as the name parameter, they're always equal. Use a regex to detect HTML tags instead. https://claude.ai/code/session_01LALt1HEgGvpWD7hhqcp2Gu

coderabbitai

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@src/lib/litegraph/src/ContextMenu.ts`:
- Around line 8-62: Replace the custom sanitizer (sanitizeMenuHTML,
sanitizeNode, sanitizeStyle and the ALLOWED_TAGS / ALLOWED_STYLE_PROPS logic)
with DOMPurify: import DOMPurify, call DOMPurify.sanitize(html, {ALLOWED_TAGS:
[...], ALLOWED_ATTR: ['style'], FORBID_TAGS: [], WHOLE_DOCUMENT: false,
ALLOWED_URI_REGEXP: /./}) and configure its hooks/options to only allow the same
tag list and the allowed style properties (map ALLOWED_STYLE_PROPS into a style
sanitizer hook or use DOMPurify's hooks to filter style declarations), then
update usages to call the new sanitize function; remove the old functions and
sets so the module relies solely on DOMPurify for HTML sanitization.

src/lib/litegraph/src/ContextMenu.ts

Replace custom sanitizer with DOMPurify library for more robust and well-tested HTML sanitization. Uses DOMPurify's hooks to filter style properties to the allowed set. https://claude.ai/code/session_01LALt1HEgGvpWD7hhqcp2Gu

Replace innerHTML with textContent when setting context menu item labels to prevent XSS attacks via malicious filenames. This fixes a security vulnerability where filenames like "<img src=x onerror=alert()>" could execute arbitrary JavaScript when displayed in dropdowns. https://claude.ai/code/session_01LALt1HEgGvpWD7hhqcp2Gu ## Summary  ## Changes - **What**:  - **Breaking**:  - **Dependencies**:  ## Review Focus    ## Screenshots (if applicable)  ┆Issue is synchronized with this [Notion page](https://www.notion.so/PR-8887-fix-prevent-XSS-vulnerability-in-context-menu-labels-3086d73d365081ccbe3cdb35cd7e5cb1) by [Unito](https://www.unito.io) --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: github-actions <github-actions@github.com>

comfy-pr-bot · 2026-02-16T23:31:36Z

@DrJKL Successfully backported to #8922

comfy-pr-bot · 2026-02-16T23:31:40Z

@DrJKL Successfully backported to #8923

comfy-pr-bot · 2026-02-16T23:31:44Z

@DrJKL Successfully backported to #8924

comfy-pr-bot · 2026-02-16T23:31:47Z

@DrJKL Successfully backported to #8925

…labels (#8925) Backport of #8887 to `cloud/1.39` Automatically created by backport workflow. ┆Issue is synchronized with this [Notion page](https://www.notion.so/PR-8925-backport-cloud-1-39-fix-prevent-XSS-vulnerability-in-context-menu-labels-3096d73d3650813bae82c37f3349dfbd) by [Unito](https://www.unito.io) Co-authored-by: Alexander Brown <drjkl@comfy.org> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: github-actions <github-actions@github.com>

…abels (#8924) Backport of #8887 to `core/1.39` Automatically created by backport workflow. ┆Issue is synchronized with this [Notion page](https://www.notion.so/PR-8924-backport-core-1-39-fix-prevent-XSS-vulnerability-in-context-menu-labels-3096d73d365081a59774ca63128b6b20) by [Unito](https://www.unito.io) Co-authored-by: Alexander Brown <drjkl@comfy.org> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: github-actions <github-actions@github.com>

…abels (#8922) Backport of #8887 to `core/1.38` Automatically created by backport workflow. ┆Issue is synchronized with this [Notion page](https://www.notion.so/PR-8922-backport-core-1-38-fix-prevent-XSS-vulnerability-in-context-menu-labels-3096d73d3650811a9448fc9b2344a88b) by [Unito](https://www.unito.io) Co-authored-by: Alexander Brown <drjkl@comfy.org> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: github-actions <github-actions@github.com>

…labels (#8923) Backport of #8887 to `cloud/1.38` Automatically created by backport workflow. ┆Issue is synchronized with this [Notion page](https://www.notion.so/PR-8923-backport-cloud-1-38-fix-prevent-XSS-vulnerability-in-context-menu-labels-3096d73d365081baa2dce3b6c8027736) by [Unito](https://www.unito.io) Co-authored-by: Alexander Brown <drjkl@comfy.org> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: github-actions <github-actions@github.com>

DrJKL requested a review from a team as a code owner February 15, 2026 08:26

dosubot bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Feb 15, 2026

DrJKL assigned snomiao and christian-byrne Feb 15, 2026

DrJKL added needs-backport Fix/change that needs to be cherry-picked to the current feature freeze branch core/1.38 Backport PRs for core 1.38 cloud/1.38 Backport PRs for cloud 1.38 core/1.39 Backport PRs for core 1.39 cloud/1.39 Backport PRs for cloud 1.39 labels Feb 15, 2026

AustinMroz previously approved these changes Feb 15, 2026

View reviewed changes

christian-byrne previously approved these changes Feb 15, 2026

View reviewed changes

christian-byrne assigned DrJKL and unassigned snomiao and christian-byrne Feb 15, 2026

snomiao previously approved these changes Feb 15, 2026

View reviewed changes

DrJKL added the New Browser Test Expectations New browser test screenshot should be set by github action label Feb 15, 2026

[automated] Update test expectations

b7b3138

comfy-pr-bot dismissed stale reviews from snomiao, christian-byrne, and AustinMroz via b7b3138 February 15, 2026 19:51

github-actions bot removed the New Browser Test Expectations New browser test screenshot should be set by github action label Feb 15, 2026

dosubot bot removed the size:XS This PR changes 0-9 lines, ignoring generated files. label Feb 15, 2026

coderabbitai bot reviewed Feb 15, 2026

View reviewed changes

fix: correctly detect HTML content in context menu items

1e70ea2

The previous fix checked if content !== text, but since the content is passed as the name parameter, they're always equal. Use a regex to detect HTML tags instead. https://claude.ai/code/session_01LALt1HEgGvpWD7hhqcp2Gu

coderabbitai bot reviewed Feb 15, 2026

View reviewed changes

src/lib/litegraph/src/ContextMenu.ts Outdated Show resolved Hide resolved

refactor: use DOMPurify for context menu HTML sanitization

91eed27

Replace custom sanitizer with DOMPurify library for more robust and well-tested HTML sanitization. Uses DOMPurify's hooks to filter style properties to the allowed set. https://claude.ai/code/session_01LALt1HEgGvpWD7hhqcp2Gu

DrJKL added the New Browser Test Expectations New browser test screenshot should be set by github action label Feb 16, 2026

[automated] Update test expectations

ca13f1c

github-actions bot removed the New Browser Test Expectations New browser test screenshot should be set by github action label Feb 16, 2026

Merge branch 'main' into claude/slack-fix-registry-rate-limit-j9Ji4

91e384c

DrJKL requested review from AustinMroz, christian-byrne and snomiao February 16, 2026 20:27

DrJKL merged commit 2ee0a13 into main Feb 16, 2026
28 checks passed

DrJKL deleted the claude/slack-fix-registry-rate-limit-j9Ji4 branch February 16, 2026 23:31

This was referenced Feb 16, 2026

[backport core/1.38] fix: prevent XSS vulnerability in context menu labels #8922

Merged

[backport cloud/1.38] fix: prevent XSS vulnerability in context menu labels #8923

Merged

comfy-pr-bot mentioned this pull request Feb 16, 2026

[backport core/1.39] fix: prevent XSS vulnerability in context menu labels #8924

Merged

comfy-pr-bot mentioned this pull request Feb 16, 2026

[backport cloud/1.39] fix: prevent XSS vulnerability in context menu labels #8925

Merged

github-actions bot removed the needs-backport Fix/change that needs to be cherry-picked to the current feature freeze branch label Feb 16, 2026

Conversation

DrJKL commented Feb 15, 2026 • edited by sync-by-unito bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Changes

Review Focus

Screenshots (if applicable)

Uh oh!

coderabbitai bot commented Feb 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review skipped

Walkthrough

Changes

Estimated code review effort

Poem

❌ Failed checks (2 warnings, 1 inconclusive)

Uh oh!

github-actions bot commented Feb 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🎨 Storybook Build Status

🔗 Links

Uh oh!

github-actions bot commented Feb 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Feb 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Bundle Size Report

Uh oh!

snomiao commented Feb 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Feb 15, 2026

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

comfy-pr-bot commented Feb 16, 2026

Uh oh!

comfy-pr-bot commented Feb 16, 2026

Uh oh!

comfy-pr-bot commented Feb 16, 2026

Uh oh!

comfy-pr-bot commented Feb 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

DrJKL commented Feb 15, 2026 •

edited by sync-by-unito bot

Loading

coderabbitai bot commented Feb 15, 2026 •

edited

Loading

github-actions bot commented Feb 15, 2026 •

edited

Loading

github-actions bot commented Feb 15, 2026 •

edited

Loading

github-actions bot commented Feb 15, 2026 •

edited

Loading

snomiao commented Feb 15, 2026 •

edited

Loading