Finding · pi-coding-agent
HTML export URL sanitization against stored XSS
What Changed
Implemented a sanitizeMarkdownUrl() function that strips C0 control characters (0x00-0x1F, 0x7F) from URLs and checks the scheme against an allow-list of permitted protocols (https, http, mailto, tel, ftp) instead of block-listing dangerous ones. Applied to both the link and image renderers in HTML exports.
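As an added example (not pi-coding-agent's own implementation), a sanitizer with the behaviour described above, wired into a minimal link renderer for an HTML export. Assumptions not stated in the finding: scheme-less URLs (relative paths, fragments) are kept, surrounding whitespace is trimmed before the scheme check, and a rejected URL yields null so the renderer drops the href.

```javascript
// Added example, not the project's code. Allow-list from the finding above.
const ALLOWED_PROTOCOLS = new Set(["https", "http", "mailto", "tel", "ftp"]);

// C0 controls (0x00-0x1F) and DEL (0x7F). Browsers ignore these while parsing
// a scheme, so they must be removed *before* the scheme is inspected.
const C0_CONTROLS = /[\u0000-\u001F\u007F]/g;

// RFC 3986 scheme at the start of the string: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
const SCHEME = /^([a-z][a-z0-9+.-]*):/i;

function sanitizeMarkdownUrl(rawUrl) {
  if (typeof rawUrl !== "string") return null;
  // 1. Strip control characters anywhere in the URL, then trim whitespace
  //    (trimming is an assumption: a leading space would otherwise hide a scheme).
  const cleaned = rawUrl.replace(C0_CONTROLS, "").trim();
  if (cleaned === "") return null;
  // 2. Allow-list: an explicit scheme must be one of the permitted protocols,
  //    compared case-insensitively.
  const m = SCHEME.exec(cleaned);
  if (m) {
    return ALLOWED_PROTOCOLS.has(m[1].toLowerCase()) ? cleaned : null;
  }
  // 3. No scheme: treated as a relative URL and kept (assumption, see lead-in).
  return cleaned;
}

// Attribute escaping is a separate concern from URL sanitization; the
// sanitizer only decides whether the URL is acceptable as a navigation target.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Link renderer: when the URL is rejected the href is omitted entirely rather
// than replaced with a placeholder, so no attacker-controlled target survives.
function renderLink(href, text) {
  const safe = sanitizeMarkdownUrl(href);
  const label = escapeAttr(text);
  return safe === null
    ? `<a>${label}</a>`
    : `<a href="${escapeAttr(safe)}">${label}</a>`;
}
```

Note that a permitted scheme split by a control character (for example a tab inside "https") is repaired by the stripping step and then accepted, while a forbidden scheme split the same way is reassembled and rejected; ordering the two steps the other way round would defeat the allow-list.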
Operator Implication
Eliminates a stored XSS vulnerability in exported HTML sessions by blocking protocol-evasion techniques that rely on control characters or on schemes outside the allow-list.
Receipt
Finding metadata
Run: 2026-06-03-weekly-digest-2026-05-28_2026-06-03-frontier-v0
Finding ID: 2026-06-02-pi-coding-agent-html-export-xss