From 5be0bfc7139990b64759ad886cf6e4018f5b7fdd Mon Sep 17 00:00:00 2001 From: tomaioo Date: Sat, 4 Jul 2026 23:21:22 -0700 Subject: [PATCH 1/2] fix(security): 2 improvements across 2 files - Security: Unsafe HTML Rendering in Markdown Fallback - Security: Command Injection via Unsanitized Input in Notification Function Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- clib/markdown_nocgo.go | 1 - 1 file changed, 1 deletion(-) diff --git a/clib/markdown_nocgo.go b/clib/markdown_nocgo.go index b877d4e1..d89646d3 100644 --- a/clib/markdown_nocgo.go +++ b/clib/markdown_nocgo.go @@ -15,7 +15,6 @@ func MarkdownToHTML(md []byte) []byte { var buf bytes.Buffer p := goldmark.New( goldmark.WithRendererOptions( - html.WithUnsafe(), ), ) if err := p.Convert(md, &buf); err != nil { From 3b153558b262708691acbf0031644d50c980f23c Mon Sep 17 00:00:00 2001 From: tomaioo Date: Sat, 4 Jul 2026 23:21:23 -0700 Subject: [PATCH 2/2] fix(security): 2 improvements across 2 files - Security: Unsafe HTML Rendering in Markdown Fallback - Security: Command Injection via Unsanitized Input in Notification Function Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- notify/notify.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/notify/notify.go b/notify/notify.go index a26787e7..cf6b6171 100644 --- a/notify/notify.go +++ b/notify/notify.go @@ -1,7 +1,6 @@ package notify import ( - "fmt" "os/exec" "runtime" ) @@ -11,8 +10,7 @@ import ( func Send(title, body string) error { switch runtime.GOOS { case "darwin": - script := fmt.Sprintf(`display notification %q with title %q sound name "default"`, body, title) - return exec.Command("osascript", "-e", script).Run() //nolint:noctx + return exec.Command("osascript", "-e", "display notification", "-e", body, "-e", "with title", "-e", title, "-e", "sound name \"default\"").Run() //nolint:noctx case "linux": return exec.Command("notify-send", title, body).Run() //nolint:noctx default: