mirror of
https://github.com/ChuckBuilds/LEDMatrix.git
synced 2026-05-14 09:33:32 +00:00
b7295129b5
pages_v3.py: plugin_id is taken directly from the URL path and was interpolated into a returned HTML fragment without escaping. A crafted URL like /partials/plugin-config/<script>alert(1)</script> would inject arbitrary HTML into any page that loads this HTMX partial. Fix: wrap with html.escape() from the stdlib. march-madness/requirements.txt: Pillow>=9.1.0 is vulnerable to CVE-2023-50447 (arbitrary code execution via the environment parameter). Bump minimum to >=10.2.0 which contains the fix. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>