From 5aca0038b6a239bc1ac9efdb4c0962738afe9e08 Mon Sep 17 00:00:00 2001 From: Rene Luria Date: Wed, 8 Jul 2026 14:11:26 +0200 Subject: [PATCH] chore: missing doc --- .../plans/2026-07-08-xss-sink-csp.md | 262 ++++++++++++++++++ 1 file changed, 262 insertions(+) create mode 100644 docs/superpowers/plans/2026-07-08-xss-sink-csp.md diff --git a/docs/superpowers/plans/2026-07-08-xss-sink-csp.md b/docs/superpowers/plans/2026-07-08-xss-sink-csp.md new file mode 100644 index 0000000..9012a02 --- /dev/null +++ b/docs/superpowers/plans/2026-07-08-xss-sink-csp.md @@ -0,0 +1,262 @@ +# XSS Sink Remediation + CSP Implementation Plan + +> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking. + +**Goal:** Eliminate the `innerHTML` XSS sink in `utils.showAlert` and add a nonce-based Content-Security-Policy header to the frontend route. + +**Architecture:** Frontend `showAlert` is rewritten to build alert DOM via `document.createElement` / `textContent` (no `innerHTML`). Backend `read_root()` generates a per-request nonce, injects it into the inline `