Inicio Explorar Axuda
Iniciar sesión
chiappa
/
sprint_planer_web
réplica de https://git.snix.ch/chiappa/sprint_planer_web.git
1
0
Fork 0
Ficheiros Incidencias 0
Explorar o código

Docs: mark R01-N21 fixed in 00bcf73

Eighteenth fix from doc/REVIEW_01.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chiappa hai 2 días
pai
00bcf73ccb
achega
f3ba328cc9
Modificáronse 1 ficheiros con 21 adicións e 2 borrados
Dividir vista Mostrar estatísticas de Diff
  1. 21 2
      doc/REVIEW_01.md

+ 21 - 2
doc/REVIEW_01.md
Ver ficheiro 

@@ -730,7 +730,24 @@ note. Do not delete entries — they're history.
 
 
 ### R01-N21 — Trusted Twig auto-escape is the only XSS guard
 
 - **Severity**: MEDIUM (audit recommendation).
 
-- **Status**: open.
 
+- **Status**: fixed-in-`00bcf73` — went with the audit's two-test
 
+  recommendation. New `tests/Http/TwigAutoescapeTest.php` (3 cases,
 
+  23 assertions). *Behaviour pin:* renders a known XSS payload
 
+  through a synthetic Twig template using the same `View` env the
 
+  controllers use and asserts `<script>` does NOT survive the
 
+  render (`&lt;script&gt;` does), so a future flip of `View`'s
 
+  `autoescape` setting from `'html'` to anything else fails loudly.
 
+  A second case pins attribute-context double-quote escaping
 
+  (`title="…"` → `&quot;`). *Static guard:* walks every `.twig`
 
+  file under `views/` and fails if any line carries
 
+  `|\s*(raw|safe)` or `{%\s*autoescape`. Verified end-to-end by
 
+  temporarily appending `{{ "x"|raw }}` to `home.twig` — the test
 
+  reported the exact `path:line` of the offence with a remediation
 
+  hint. No production code changed; the guards live entirely in
 
+  the test suite. Today's scan: 0 offences across all `.twig`
 
+  files. Tests: 305 / 814 (was 302 / 791). The audit's optional
 
+  CI grep step is subsumed by this PHPUnit case (we already run
 
+  the suite on every change), so no separate grep stanza needed.
 
 - **Where**: `src/Http/View.php` line 30 (`autoescape => 'html'`); various
 
   views.
 
 - **What**: All user-supplied strings (sprint name, task title, task
 
@@ -990,7 +1007,9 @@ A reasonable cadence (do not treat as binding):
 
     `f59f368`.
 
 19. ~~**R01-N20** (Response::redirect contract)~~ — fixed in
 
     `f1aa924`.
 
-20. The rest as time permits.
 
+20. ~~**R01-N21** (Twig autoescape pin + static |raw guard)~~ —
 
+    fixed in `00bcf73`.
 
+21. The rest as time permits.
 
 
 Each fix should ship as its own commit per SPEC.md §14, with a follow-up
 
 SPEC update if behaviour or config surface changes.