
Finding · pi-coding-agent

HTML export URL sanitization against stored XSS

What Changed

Implemented a sanitizeMarkdownUrl() function that strips C0 control characters (0x00-0x1F, 0x7F) from URLs and then checks the scheme against an allow-list of permitted protocols (https, http, mailto, tel, ftp) instead of a deny-list of known-dangerous ones. Applied to both the link and the image renderers in HTML exports.
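An added example, not pi-coding-agent's own code, showing the strip-then-allow-list approach the finding describes. The name sanitizeMarkdownUrl() comes from the finding; its exact signature, the decision to keep scheme-less relative URLs, the empty-string return for rejected URLs, and the renderLink()/escapeHtml() helpers are assumptions made for this example.

```javascript
// Added example (not pi-coding-agent's own code). Assumed behaviour: remove C0
// controls and DEL, then accept only allow-listed schemes; scheme-less (relative)
// URLs are kept; anything else maps to "" so the renderer emits no href at all.
const ALLOWED_PROTOCOLS = new Set(["https:", "http:", "mailto:", "tel:", "ftp:"]);

// C0 control characters (0x00-0x1F) and DEL (0x7F). Stripping them BEFORE the
// scheme check matters: browsers ignore these bytes inside a scheme, so a check
// on the raw string would see no recognisable scheme while the browser does.
const CONTROL_CHARS = /[\u0000-\u001F\u007F]/g;

// RFC 3986 scheme: a letter, then letters/digits/"+"/"-"/".", then ":".
const SCHEME_RE = /^([a-zA-Z][a-zA-Z0-9+.-]*):/;

function sanitizeMarkdownUrl(rawUrl) {
  if (typeof rawUrl !== "string") return "";
  const cleaned = rawUrl.replace(CONTROL_CHARS, "").trim();
  if (cleaned === "") return "";

  const schemeMatch = SCHEME_RE.exec(cleaned);
  if (!schemeMatch) {
    // Assumption: relative URLs (./notes.md, #section, /path) are allowed.
    return cleaned;
  }
  // Allow-list, case-insensitive: "HTTPS:" is fine, "javascript:" or "data:" is not.
  const protocol = schemeMatch[1].toLowerCase() + ":";
  return ALLOWED_PROTOCOLS.has(protocol) ? cleaned : "";
}

// Minimal attribute/text escaper so the href and link text cannot break out of
// the element (the sanitizer only decides whether a URL is acceptable at all).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Renderer hook: an href attribute is emitted only when the sanitizer kept the URL.
function renderLink(href, text) {
  const safeHref = sanitizeMarkdownUrl(href);
  const body = escapeHtml(text);
  return safeHref === ""
    ? `<a>${body}</a>`
    : `<a href="${escapeHtml(safeHref)}">${body}</a>`;
}
```

The same sanitizeMarkdownUrl() call would sit in front of the image renderer's src, since the finding applies the fix to both.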

Operator Implication

Eliminates the stored XSS vulnerability in exported HTML sessions: a URL can no longer smuggle in a scheme by splitting it with control characters, and any scheme outside the allow-list is rejected rather than rendered.

Receipt

Finding metadata

Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0

Finding ID: 2026-06-02-pi-coding-agent-html-export-xss

Source links

Primary links, including exact changelog lines when available.

Versioned source: run artifact