Release: XSS security fixes #912

Merged
boomzero merged 11 commits into master from dev on Feb 19, 2026

Conversation

@boomzero (Member) commented Feb 19, 2026

Merge dev into master for security release.

Includes XSS fixes from #910 and #911 — sanitizing user-controlled data in innerHTML assignments across post titles, board names, usernames, and changelog descriptions.


Summary by cubic

Sanitized user input before innerHTML to close stored XSS across threads, profiles, and changelog. Bumps version to 3.2.0 and updates Update.json with release entries for 3.1.1, 3.1.2, and 3.2.0.

  • Bug Fixes
    • Escape post titles in thread list and thread view.
    • Escape board name in thread view.
    • Escape UserID and nickname on profile page.
    • Escape EditPerson in reply edit info.
    • Escape update descriptions in changelog.

Written for commit 9583131. Summary will update on new commits.
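The escape-before-innerHTML fix this PR describes, as an added example that is not the project's own code: a minimal escapeHTML() beside a thread-list row rendered first without and then with escaping. The post shape, the function names and the crafted title are constructed for illustration.

```javascript
// Added example (not XMOJ's code): the escape-before-innerHTML fix described in this PR.
// Post shape, function names and the sample title are constructed for illustration.

// The five characters that can change meaning in HTML text or quoted attributes.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape untrusted text so a later innerHTML assignment renders it literally.
// Correct for text nodes and quoted attribute values; it is NOT sufficient for
// URL, CSS or inline-script contexts, which need their own encoders.
function escapeHTML(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: a user-controlled title interpolated straight into markup (stored XSS).
function renderThreadRowUnsafe(post) {
  return `<tr><td><a href="thread?id=${post.id}">${post.title}</a></td></tr>`;
}

// After: every field that originates from a user is escaped for its context first.
function renderThreadRow(post) {
  const id = encodeURIComponent(post.id); // URL context, so URL-encode
  const title = escapeHTML(post.title);   // HTML text context
  return `<tr><td><a href="thread?id=${id}">${title}</a></td></tr>`;
}

// Constructed sample: a title that tries to break out of the text context.
const craftedPost = { id: "42", title: 'Hello & <script>x()</script> "quoted"' };

// In a browser this is the string that would be assigned to tbody.innerHTML.
console.log(renderThreadRowUnsafe(craftedPost)); // the tag survives intact
console.log(renderThreadRow(craftedPost));       // the tag is rendered as literal text
```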

boomzero and others added 8 commits February 19, 2026 16:27
Sanitize post title with escapeHTML() before inserting into innerHTML
to prevent script injection via crafted post titles.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sanitize user-controlled data with escapeHTML() before innerHTML insertion:
- Post titles in thread list
- Board name in thread view
- EditPerson username in reply edit info
- UserID and UserNick on profile page
- Update description in changelog

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@hendragon-bot hendragon-bot bot added the user-script This issue or pull request is related to the main user script label Feb 19, 2026
@cloudflare-workers-and-pages bot commented Feb 19, 2026

Deploying xmoj-script-dev-channel with Cloudflare Pages

Latest commit: 9583131
Status: ✅ Deploy successful!
Preview URL: https://f7e761ef.xmoj-script-dev-channel.pages.dev


@chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 103424b4bb

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".


@boomzero boomzero enabled auto-merge February 19, 2026 09:30
@cubic-dev-ai bot left a comment

3 issues found across 3 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="XMOJ.user.js">

<violation number="1" location="XMOJ.user.js:3">
P2: Do not manually edit the userscript version header; it is managed by the UpdateVersion automation. Revert this change and let the workflow update it.</violation>
</file>

<file name="package.json">

<violation number="1" location="package.json:3">
P2: Avoid manually updating version numbers; the release automation is responsible for bumping package.json to keep it in sync with XMOJ.user.js and Update.json. Manual edits risk desynchronizing versions.</violation>
</file>

<file name="Update.json">

<violation number="1" location="Update.json:3354">
P1: Security release version 3.1.2 is marked as `Prerelease: true`, which will prevent normal users from receiving the XSS security fixes. The update system only prompts non-debug users to install stable (non-prerelease) versions. Change this to `false` to ensure the security patches are distributed to all users.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

},
"3.1.1": {
"UpdateDate": 1771489733913,
"Prerelease": true,
@cubic-dev-ai bot, Feb 19, 2026

P1: Security release version 3.1.2 is marked as Prerelease: true, which will prevent normal users from receiving the XSS security fixes. The update system only prompts non-debug users to install stable (non-prerelease) versions. Change this to false to ensure the security patches are distributed to all users.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At Update.json, line 3354:

<comment>Security release version 3.1.2 is marked as `Prerelease: true`, which will prevent normal users from receiving the XSS security fixes. The update system only prompts non-debug users to install stable (non-prerelease) versions. Change this to `false` to ensure the security patches are distributed to all users.</comment>

<file context>
@@ -3348,6 +3348,28 @@
+        },
+        "3.1.1": {
+            "UpdateDate": 1771489733913,
+            "Prerelease": true,
+            "UpdateContents": [
+                {
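Review bot: The entry added by this hunk carries `"Prerelease": true` although it ships a security fix; the comment above states that the updater only prompts non-debug users for stable versions, so a prerelease flag would keep the XSS fixes from ordinary users. Note also that the cited location (Update.json:3354, version 3.1.2) does not match the context shown here, which is the 3.1.1 entry, so check every entry this hunk adds (the summary lists 3.1.1, 3.1.2 and 3.2.0) and set `"Prerelease": false` on the one users are meant to install.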
</file context>
Suggested change
"Prerelease": true,
"Prerelease": false,

XMOJ.user.js Outdated
// ==UserScript==
// @name XMOJ
// @version 3.1.0
// @version 3.1.2
@cubic-dev-ai bot, Feb 19, 2026

P2: Do not manually edit the userscript version header; it is managed by the UpdateVersion automation. Revert this change and let the workflow update it.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At XMOJ.user.js, line 3:

<comment>Do not manually edit the userscript version header; it is managed by the UpdateVersion automation. Revert this change and let the workflow update it.</comment>

<file context>
@@ -1,6 +1,6 @@
 // ==UserScript==
 // @name         XMOJ
-// @version      3.1.0
+// @version      3.1.2
 // @description  XMOJ增强脚本
 // @author       @XMOJ-Script-dev, @langningchen and the community
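Review bot: The header bump to `@version 3.1.2` disagrees with the PR summary, which states the release is 3.2.0, so the version the script advertises may not be the entry users are meant to receive from Update.json. Since the UpdateVersion automation owns this line, either revert the change and let the workflow bump it, or make sure the header, package.json and Update.json all land on the same version within this PR.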
</file context>

package.json Outdated
{
"name": "xmoj-script",
"version": "3.1.0",
"version": "3.1.2",
@cubic-dev-ai bot, Feb 19, 2026

P2: Avoid manually updating version numbers; the release automation is responsible for bumping package.json to keep it in sync with XMOJ.user.js and Update.json. Manual edits risk desynchronizing versions.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At package.json, line 3:

<comment>Avoid manually updating version numbers; the release automation is responsible for bumping package.json to keep it in sync with XMOJ.user.js and Update.json. Manual edits risk desynchronizing versions.</comment>

<file context>
@@ -1,6 +1,6 @@
 {
   "name": "xmoj-script",
-  "version": "3.1.0",
+  "version": "3.1.2",
   "description": "an improvement script for xmoj.tech",
   "main": "AddonScript.js",
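Review bot: `"version": "3.1.2"` mirrors the userscript header but not the 3.2.0 release described in the PR summary, and the comment above says the release automation is what keeps package.json in step with XMOJ.user.js and Update.json. Leave this bump to the workflow, or if it has to be manual, land one agreed version across all three files so the update check does not offer a version the changelog does not describe.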
</file context>

@boomzero boomzero merged commit e3bbe9e into master Feb 19, 2026
5 checks passed

Labels

size/M user-script This issue or pull request is related to the main user script