netadmin/GDPRScanner
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
GDPRScanner/static/js
History
StyxX65 c39d68ca19 Document XSS escaping + secret-encryption hardening 
- CHANGELOG: add Unreleased ### Security section covering the stored XSS
  in the results grid, the reflected XSS in /api/thumb, and the Claude API
  key now being encrypted at rest.
- CLAUDE.md / static/js/CLAUDE.md: add the esc() / _html_esc escaping rule
  for scan-derived strings and the onclick-JSON " pattern.
- CLAUDE.md / routes/CLAUDE.md: note that secret config fields use the
  machine-keyed Fernet and must be read via a decrypting accessor
  (get_claude_api_key()), never config.json directly.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 11:15:39 +02:00
..
auth.js
feat: scan history browser, user-scoped viewer tokens, export fixes, email fixes (v1.6.20)
2026-04-18 13:57:54 +02:00
CLAUDE.md
Document XSS escaping + secret-encryption hardening
2026-06-10 11:15:39 +02:00
connector.js
Added SFTP to sources
2026-04-25 08:48:54 +02:00
history.js
Built-in file redaction for local files
2026-05-27 14:49:06 +02:00
log.js
Initial commit
2026-04-11 04:38:11 +02:00
profiles.js
Two bugs in the abort mechanism: 1. POST /api/scan/stop only set state._scan_abort (M365/file abort event) but never touched state._google_scan_abort. Now sets both. 2. _check_abort() inside _run_google_scan imported gdpr_scanner._scan_abort (= state._scan_abort, the M365 event) instead of using the module-level _scan_abort alias (= state._google_scan_abort). This meant the dedicated /api/google/scan/cancel endpoint — which correctly sets _google_scan_abort — was silently ignored by the scan loop. Fixed to use the module-level alias consistently. Also aligned the end-of-scan checkpoint-clear check.
2026-05-28 10:20:22 +02:00
results.js
Harden XSS escaping and encrypt Claude API key at rest
2026-06-10 11:06:36 +02:00
scan.js
### Fixed - **Cards not shown after browser refresh** — when the browser reconnected to the SSE stream after a completed scan, the scan_phase events in the replay buffer temporarily set S._m365ScanRunning = true (all running flags start at false after a page reload). The watchdog's loadHistorySession call fired in this window and bailed on the stale flag; once scan_done cleared the flag, _initialStatusChecked was already true so loadHistorySession was never retried. Fixed by having the sse_replay_done handler retry loadHistorySession(null) when no scan is running and S._historyRefScanId is still null after replay.
2026-06-08 14:28:24 +02:00
scheduler.js
v1.6.28 — Scheduled report-only jobs, compliance audit log, and documentation update
2026-05-28 11:08:52 +02:00
sources.js
Added NER/AI integration
2026-05-28 11:50:10 +02:00
state.js
feat: interface PIN, bulk disposition tagging, Google Drive delta scan, OCR memory fixes
2026-04-18 18:46:45 +02:00
ui.js
Initial commit
2026-04-11 04:38:11 +02:00
users.js
Fixed two bugs: selected cards staying visible after preview opens, and stale history results showing when a new scan starts.
2026-04-29 15:18:58 +02:00
viewer.js
Date-range scoping for viewer tokens
2026-05-28 10:34:55 +02:00