Backend/frontend hardening & consistency cleanups (#1113)

* refactor(auth): session token validation and password-change consistency * refactor(journey): entry field allow-list and public share-link consistency * refactor(mcp): align tool authorization with the REST permission checks * chore: input validation and sanitisation touch-ups (uploads, pdf, maps, backup, csp)
2026-06-24 07:41:47 +00:00 · 2026-06-06 16:37:03 +02:00
parent 070ef01328
commit 093e069ccc
41 changed files with 653 additions and 74 deletions
@@ -569,7 +569,9 @@ ${daysHtml}

  const iframe = document.createElement('iframe')
  iframe.style.cssText = 'flex:1;width:100%;border:none;'
-  iframe.sandbox = 'allow-same-origin allow-modals allow-scripts'
+  // No script runs inside the document (print is parent-initiated), so withhold
+  // allow-scripts to keep the sandbox tight.
+  iframe.sandbox = 'allow-same-origin allow-modals'
  iframe.srcdoc = html

  card.appendChild(header)