diff --git a/.jules/sentinel.md b/.jules/sentinel.md index 6c61284..edf0698 100644 --- a/.jules/sentinel.md +++ b/.jules/sentinel.md @@ -22,3 +22,4 @@ **Vulnerability:** Defense in Depth (CSP Missing) **Learning:** Even when inputs are properly escaped, statically generated HTML that displays file/directory structures should implement a Content Security Policy (CSP) to provide an extra layer of defense against potential XSS bypasses. **Prevention:** Include a strict CSP meta tag (e.g., `default-src 'none'; style-src 'unsafe-inline';`) in auto-generated HTML headers when external scripts or resources are not required. +## 2024-06-29 - [html4tree] Strict CSP Nonce Implementation\n**Vulnerability:** Weak Content Security Policy (CSP)\n**Learning:** The previous CSP allowed `style-src 'unsafe-inline'`, which is generally discouraged as it can weaken defense-in-depth against XSS attacks. The html4tree output relied on `style="..."` attributes.\n**Prevention:** A secure random `nonce` is now generated per execution using `java.security.SecureRandom` and applied to the ` """ @@ -159,7 +175,7 @@ fun process_dir(curr_dir: File){ - + ${curr_dir.getName().escapeHtml()} ${css} @@ -168,7 +184,7 @@ fun process_dir(curr_dir: File){

${curr_dir.getName().escapeHtml()}