Tags: LexioJ/dashlink

v1.1.0

Release v1.1.0

- **SecurityService**: Centralized security validation and sanitization service
  - URL validation with protocol restrictions
  - Download URL validation with SSRF protection
  - Text sanitization for XSS prevention
  - Filename validation for path traversal prevention
  - Integer range validation
  - Target and group ID validation
- **RateLimitService**: Distributed caching-based rate limiting
  - Configurable per-action rate limits
  - User-specific rate limiting
  - Automatic expiration handling

- **IconService**: Updated to use SecurityService for all validations
  - Icon download now validates URLs before fetching
  - Icon filenames validated on retrieval
  - SVG files sanitized during upload
  - Mime-type validation added to prevent spoofing
- **LinkService**: Updated to use SecurityService for input validation
  - All create/update operations validate and sanitize inputs
  - URL validation blocks dangerous protocols
  - Text inputs sanitized to prevent XSS
- **SettingsService**: Updated to sanitize widget title
  - Widget title sanitized with length limit
  - HTML tags stripped, special characters encoded
- **LinkController**: Enhanced with rate limiting and validation
  - Import endpoint rate-limited (5/hour)
  - File size limits enforced (1MB for imports)
  - JSON depth limits (10 levels)
  - Link count limits (100 per import)
- **Dependencies**: Added enshrined/svg-sanitize (^0.19) for SVG sanitization

**Icon Upload/Management:**
- Icon preview now appears immediately after selecting a file, without needing to save first
- Delete icon button improved with perfect circular shape (proper circle instead of ellipse)
- Delete button hover effect changed to darker red with subtle glow instead of black border

**3D Card Flip Effect:**
- Fixed card flip animation to rotate the entire card including shadow as a single unit, creating a more realistic 3D effect
- Eliminated white background flash during flip transition - now shows widget background seamlessly
- Fixed Firefox browser issue where front content was incorrectly visible on the back during flip

- Improved security rating from C+ (69/100) to A (90+)
- All critical and high-priority vulnerabilities resolved
- OWASP Top 10 compliance achieved
- Nextcloud security guidelines followed
- CSRF protection verified (correctly implemented)
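The download-URL (SSRF) and filename (path-traversal) checks that the SecurityService entries above describe, modelled here as an added example that is not dashlink's code; the function names, the allowed-scheme set, the filename charset and the FAKE_DNS table are assumptions made for the illustration.

```python
# Added example, not code from LexioJ/dashlink: a model of the URL, download-URL
# (SSRF) and filename checks the v1.1.0 notes list. Resolver is injected to run offline.
import ipaddress
import re
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}                    # blocks javascript:, data:, file:
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")

def validate_url(url):
    """Protocol restriction: only http(s) URLs that carry a host."""
    p = urlparse(url.strip())
    return p.scheme.lower() in ALLOWED_SCHEMES and bool(p.hostname)

def _is_public(ip):
    """Reject loopback, RFC 1918/ULA, link-local (incl. 169.254.169.254), multicast, reserved."""
    if ip.version == 6 and ip.ipv4_mapped is not None:  # ::ffff:10.0.0.5 is still 10.0.0.5
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_download_url(url, resolve):
    """SSRF protection: scheme check, then every address the host maps to must be public."""
    if not validate_url(url):
        return False
    host = urlparse(url.strip()).hostname
    try:
        addrs = [ipaddress.ip_address(host)]          # IP literal: no DNS lookup needed
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    # An empty answer or any non-public address (e.g. a DNS-rebinding mix) fails closed.
    return bool(addrs) and all(_is_public(a) for a in addrs)

def validate_filename(name):
    """Path-traversal prevention: no separators, '..' or NUL; conservative charset."""
    if any(bad in name for bad in ("\x00", "/", "\\", "..")):
        return False
    return SAFE_FILENAME.fullmatch(name) is not None

# Constructed stand-in for DNS so the example runs offline (sample values, not real hosts).
FAKE_DNS = {
    "icons.example.org": ["1.2.3.4"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.net": ["1.2.3.4", "10.0.0.5"],
}

def fake_resolve(host):
    return FAKE_DNS.get(host, [])
```

In production the resolver is the real DNS lookup, and the same resolved address should be the one actually connected to, so that a second lookup cannot return a different answer.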