Security: Add CSP headers, DOMPurify, and contact form API

- Add Content-Security-Policy header to oldSiteProject
- Add DOMPurify for XSS protection in oldSiteProject
- Add rel="noopener noreferrer" to external links in talkingWithUnity
- Update contact form to use VPS API with mailto fallback
- Add contact.unityailab.com to CSP connect-src

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: hackall360

apps/oldSiteProject/index.html

@@ -3,6 +3,7 @@
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob: https://image.pollinations.ai https://*.gravatar.com https://avatars.githubusercontent.com; connect-src 'self' https://text.pollinations.ai https://image.pollinations.ai https://users.unityailab.com https://api.github.com; frame-ancestors 'none';">
   <title>Legacy Unity Chat - Unity AI Lab</title>
 
   <!-- Bootstrap CSS -->
@@ -445,6 +446,9 @@ <h3 class="modal-title">Voice Chat</h3>
   <!-- Bootstrap JS -->
   <script src="../../vendor/bootstrap/bootstrap.bundle.min.js"></script>
 
+  <!-- DOMPurify for XSS Protection -->
+  <script src="https://cdn.jsdelivr.net/npm/dompurify@3.0.6/dist/purify.min.js"></script>
+
   <!-- Prism JS for code highlighting -->
   <script src="https://cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/prism.min.js" defer></script>
   <script src="https://cdnjs.cloudflare.com/ajax/libs/prism/1.29.0/components/prism-javascript.min.js" defer></script>

apps/talkingWithUnity/index.html

@@ -190,8 +190,8 @@ <h1 id="landing-title">Let's make sure every light is green</h1>
                     your helmet is on straight. When a light glows amber, read the friendly tip, fix it, then press "Check again."
                 </p>
                 <div class="landing-links">
-                    <a class="landing-link" href="https://unityailab.online" target="_blank" rel="noopener">Back to Unity AI Lab home</a>
-                    <a class="landing-link" href="https://github.com/Unity-Lab-AI/Talking-with-Unity.git" target="_blank" rel="noopener">View the project on GitHub</a>
+                    <a class="landing-link" href="https://unityailab.online" target="_blank" rel="noopener noreferrer">Back to Unity AI Lab home</a>
+                    <a class="landing-link" href="https://github.com/Unity-Lab-AI/Talking-with-Unity.git" target="_blank" rel="noopener noreferrer">View the project on GitHub</a>
                 </div>
             </div>
 

contact/index.html

@@ -3,7 +3,7 @@
 <head>
     <!-- Meta Tags for Cross-Browser Compatibility -->
     <meta charset="UTF-8">
-    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://unpkg.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://unpkg.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob: https://image.pollinations.ai https://*.gravatar.com https://avatars.githubusercontent.com; connect-src 'self' https://text.pollinations.ai https://image.pollinations.ai https://users.unityailab.com https://api.github.com; frame-ancestors 'none';">
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://unpkg.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://unpkg.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: blob: https://image.pollinations.ai https://*.gravatar.com https://avatars.githubusercontent.com; connect-src 'self' https://text.pollinations.ai https://image.pollinations.ai https://users.unityailab.com https://contact.unityailab.com https://api.github.com; frame-ancestors 'none';">
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
     <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0, user-scalable=yes, viewport-fit=cover">
 
@@ -463,32 +463,66 @@ <h6 class="footer-title">Connect</h6>
 
     <!-- Contact Form Handler -->
     <script>
-        document.getElementById('mainContactForm').addEventListener('submit', function(e) {
+        document.getElementById('mainContactForm').addEventListener('submit', async function(e) {
             e.preventDefault();
 
-            const name = document.getElementById('contactName').value;
-            const email = document.getElementById('contactEmail').value;
-            const type = document.getElementById('contactType').value;
-            const service = document.getElementById('contactService').value;
-            const source = document.getElementById('contactSource').value;
-            const urgency = document.getElementById('contactUrgency').value;
-            const subject = document.getElementById('contactSubject').value;
-            const message = document.getElementById('contactMessage').value;
-
-            // Build mailto URL
-            const recipient = 'unityailabcontact@gmail.com';
-            const mailtoSubject = `[${type}] ${subject}`;
-
-            let mailtoBody = `Name: ${name}\nEmail: ${email}\nType of Inquiry: ${type}\n`;
-            if (service && service !== 'Not Applicable') {
-                mailtoBody += `Service of Interest: ${service}\n`;
-            }
-            mailtoBody += `How they heard about us: ${source}\nPriority Level: ${urgency}\n\nMessage:\n${message}`;
-
-            const mailtoURL = `mailto:${recipient}?subject=${encodeURIComponent(mailtoSubject)}&body=${encodeURIComponent(mailtoBody)}`;
+            const submitBtn = document.querySelector('#mainContactForm button[type="submit"]');
+            const originalBtnText = submitBtn.textContent;
+
+            // Disable button and show loading state
+            submitBtn.disabled = true;
+            submitBtn.textContent = 'Sending...';
+
+            const formData = {
+                name: document.getElementById('contactName').value,
+                email: document.getElementById('contactEmail').value,
+                type: document.getElementById('contactType').value,
+                service: document.getElementById('contactService').value,
+                source: document.getElementById('contactSource').value,
+                urgency: document.getElementById('contactUrgency').value,
+                subject: document.getElementById('contactSubject').value,
+                message: document.getElementById('contactMessage').value
+            };
+
+            try {
+                const response = await fetch('https://contact.unityailab.com/api/contact', {
+                    method: 'POST',
+                    headers: {
+                        'Content-Type': 'application/json'
+                    },
+                    body: JSON.stringify(formData)
+                });
+
+                const result = await response.json();
+
+                if (response.ok && result.success) {
+                    // Success - show message and reset form
+                    alert('Thank you! Your message has been sent successfully. We\'ll get back to you soon.');
+                    document.getElementById('mainContactForm').reset();
+                } else {
+                    // API error
+                    alert(result.error || 'Failed to send message. Please try again.');
+                }
+            } catch (error) {
+                console.error('Contact form error:', error);
+                // Network error - fall back to mailto
+                const recipient = 'unityailabcontact@gmail.com';
+                const mailtoSubject = `[${formData.type}] ${formData.subject}`;
+                let mailtoBody = `Name: ${formData.name}\nEmail: ${formData.email}\nType of Inquiry: ${formData.type}\n`;
+                if (formData.service && formData.service !== 'Not Applicable') {
+                    mailtoBody += `Service of Interest: ${formData.service}\n`;
+                }
+                mailtoBody += `How they heard about us: ${formData.source}\nPriority Level: ${formData.urgency}\n\nMessage:\n${formData.message}`;
+                const mailtoURL = `mailto:${recipient}?subject=${encodeURIComponent(mailtoSubject)}&body=${encodeURIComponent(mailtoBody)}`;
 
-            // Open mailto link
-            window.location.href = mailtoURL;
+                if (confirm('Could not connect to server. Would you like to send via email instead?')) {
+                    window.location.href = mailtoURL;
+                }
+            } finally {
+                // Re-enable button
+                submitBtn.disabled = false;
+                submitBtn.textContent = originalBtnText;
+            }
         });
     </script>