
Releases: LexioJ/dashlink

DashLink v1.1.0

29 Dec 10:16
6cfb312


Release v1.1.0

Security Enhancements

  • Security review rating improved from C+ (69/100) to A (90+)
  • All critical and high-priority findings resolved
  • Risk categories from the OWASP Top 10 addressed
  • Nextcloud security guidelines followed
  • CSRF protection reviewed and confirmed to be correctly implemented
  • SecurityService: new centralized validation and sanitization service
    • URL validation with a scheme allowlist
    • Download URL validation with SSRF protection (server-side fetches may not target internal addresses)
    • Text sanitization for XSS prevention
    • Filename validation for path traversal prevention
    • Integer range validation
    • Target and group ID validation
  • RateLimitService: rate limiting backed by the distributed cache
    • Configurable per-action limits
    • Limits applied per user
    • Counters expire automatically
  • IconService: now uses SecurityService for all validation
    • Icon download validates the URL before fetching
    • Icon filenames validated on retrieval
    • SVG files sanitized during upload
    • MIME-type validation added to prevent type spoofing
  • LinkService: now uses SecurityService for input validation
    • All create/update operations validate and sanitize their inputs
    • URL validation blocks dangerous schemes
    • Text inputs sanitized to prevent XSS
  • SettingsService: now sanitizes the widget title
    • Widget title sanitized and length-limited
    • HTML tags stripped, special characters encoded
  • LinkController: rate limiting and import validation added
    • Import endpoint rate-limited to 5 requests per hour per user
    • Import file size limited to 1 MB
    • JSON nesting depth limited to 10 levels
    • Link count limited to 100 per import
  • Dependencies: added enshrined/svg-sanitize (^0.19) for SVG sanitization
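The SecurityService checks listed above (scheme allowlist, SSRF-safe download URLs, text sanitization, filename validation, integer ranges) in one small PHP class. This is an added example written for these notes, not DashLink's own SecurityService; the class and method names are hypothetical, and the inputs at the bottom are constructed to probe each check.

```php
<?php
declare(strict_types=1);

// Added example, not DashLink's SecurityService: the class and method names
// below are hypothetical; the checks mirror the ones the release notes list.
final class ExampleSecurityValidator
{
    private const ALLOWED_SCHEMES = ['http', 'https'];

    /** Link URLs: http/https only, so javascript:, data: and file: are rejected. */
    public function isValidLinkUrl(string $url): bool
    {
        $parts = parse_url($url);
        if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
            return false;
        }
        return in_array(strtolower($parts['scheme']), self::ALLOWED_SCHEMES, true);
    }

    /**
     * Download URLs are fetched by the server, so every address the host
     * resolves to must be public: no loopback, RFC 1918, link-local (which
     * includes cloud metadata endpoints) or other reserved ranges. The lookup
     * happens at validation time, so the fetch itself must also refuse to
     * follow redirects (or re-validate each hop) and should re-check the
     * address it actually connects to, or a redirect or DNS rebind reopens
     * the hole.
     */
    public function isSafeDownloadUrl(string $url): bool
    {
        if (!$this->isValidLinkUrl($url)) {
            return false;
        }
        $host = strtolower((string) parse_url($url, PHP_URL_HOST));
        $literal = trim($host, '[]'); // IPv6 literals arrive bracketed
        if (filter_var($literal, FILTER_VALIDATE_IP) !== false) {
            return $this->isPublicIp($literal);
        }
        $addresses = [];
        foreach (@dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $record) {
            $addresses[] = $record['ip'] ?? $record['ipv6'] ?? '';
        }
        if ($addresses === []) {
            return false; // unresolvable host: fail closed
        }
        foreach ($addresses as $ip) {
            if (!$this->isPublicIp($ip)) {
                return false;
            }
        }
        return true;
    }

    /** PHP's built-in reserved/private range tables cover both IPv4 and IPv6. */
    private function isPublicIp(string $ip): bool
    {
        return filter_var($ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
    }

    /** Free-text fields: strip tags, cap the length, encode what remains. */
    public function sanitizeText(string $text, int $maxLength = 255): string
    {
        $clean = mb_substr(strip_tags(trim($text)), 0, $maxLength);
        return htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }

    /**
     * Icon filenames are joined onto the app's data directory, so they must be
     * exactly one path component from a strict allowlist; basename() catches
     * separators and "..", the regex catches everything else.
     */
    public function isValidIconFilename(string $name): bool
    {
        if ($name === '' || $name !== basename($name) || str_contains($name, "\0")) {
            return false;
        }
        return preg_match('/\A[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif|webp|svg)\z/', $name) === 1;
    }

    /** Integer range check: non-numeric or out-of-range input is rejected, not coerced. */
    public function isIntInRange(mixed $value, int $min, int $max): bool
    {
        $opts = ['options' => ['min_range' => $min, 'max_range' => $max]];
        return filter_var($value, FILTER_VALIDATE_INT, $opts) !== false;
    }
}

// Constructed inputs, each probing one of the checks above.
$v = new ExampleSecurityValidator();
var_dump($v->isValidLinkUrl('javascript:alert(1)'));
var_dump($v->isSafeDownloadUrl('http://127.0.0.1:8080/admin'));
var_dump($v->isSafeDownloadUrl('http://169.254.169.254/latest/meta-data/'));
var_dump($v->sanitizeText('<img src=x onerror=alert(1)>Docs'));
var_dump($v->isValidIconFilename('../../config/config.php'));
var_dump($v->isIntInRange('42abc', 1, 100));
```

Two caveats a reviewer would raise against any SSRF check of this shape: PHP's FILTER_FLAG_NO_PRIV_RANGE/NO_RES_RANGE tables do not cover every non-public range (100.64.0.0/10, for instance), so an explicit denylist may be needed for a given deployment; and validating the URL before the fetch is only half the control, since the HTTP client must also disable redirects and bound response size and time.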
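A cache-backed, per-user, per-action rate limiter of the kind the RateLimitService bullets describe. This is an added example, not DashLink's RateLimitService; the ExampleCache interface and ArrayCache class are hypothetical stand-ins for a distributed cache (in a Nextcloud app that would be an \OCP\ICache obtained from ICacheFactory::createDistributed()), and the limits table is made up, with the import limit set to the 5/hour the notes state.

```php
<?php
declare(strict_types=1);

// Added example, not DashLink's RateLimitService. ExampleCache/ArrayCache are
// hypothetical stand-ins for a distributed cache so the file runs on its own.
interface ExampleCache
{
    public function get(string $key): mixed;
    public function set(string $key, mixed $value, int $ttl): bool;
}

final class ArrayCache implements ExampleCache
{
    /** @var array<string, array{0: mixed, 1: int}> value and absolute expiry time */
    private array $items = [];

    public function get(string $key): mixed
    {
        if (!isset($this->items[$key]) || $this->items[$key][1] <= time()) {
            unset($this->items[$key]); // expired entries behave as absent
            return null;
        }
        return $this->items[$key][0];
    }

    public function set(string $key, mixed $value, int $ttl): bool
    {
        $this->items[$key] = [$value, time() + $ttl];
        return true;
    }
}

final class ExampleRateLimiter
{
    /** Per-action limits as [max requests, window in seconds]; hypothetical values. */
    private const LIMITS = [
        'import' => [5, 3600],   // 5 per hour, as in the release notes
        'create' => [60, 60],
    ];

    public function __construct(private ExampleCache $cache) {}

    /**
     * Fixed-window counter keyed by action, user and window start. Returns
     * true and records the request if it is within the limit; actions without
     * a configured limit are always allowed. The counter's TTL ends with its
     * window, so old counters expire without any cleanup job.
     */
    public function allow(string $action, string $userId): bool
    {
        if (!isset(self::LIMITS[$action])) {
            return true;
        }
        [$max, $window] = self::LIMITS[$action];
        $now = time();
        $windowStart = intdiv($now, $window) * $window;
        $key = sprintf('ratelimit:%s:%s:%d', $action, $userId, $windowStart);

        $count = (int) ($this->cache->get($key) ?? 0);
        if ($count >= $max) {
            return false;
        }
        $this->cache->set($key, $count + 1, $windowStart + $window - $now);
        return true;
    }
}

// Stand-alone run: six import attempts by one user inside a single window.
$limiter = new ExampleRateLimiter(new ArrayCache());
foreach (range(1, 6) as $attempt) {
    $allowed = $limiter->allow('import', 'alice') ? 'allowed' : 'denied';
    echo "attempt {$attempt}: {$allowed}\n";
}
```

The first five calls return true and the sixth returns false until the hour rolls over. The get-then-set in allow() is not atomic: two concurrent requests can both read the same count and both write count+1, undercounting by one. Against a real distributed cache, use its atomic increment where the interface offers one (Nextcloud's IMemcache has inc()), and have the controller map a false result to an HTTP 429 before any import work starts.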
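The three import limits listed for LinkController (1 MB body, 10 nesting levels, 100 links) applied to a raw request body. This is an added example, not DashLink's controller code; the class and exception names are hypothetical, and the three request bodies at the bottom are constructed. The point worth seeing is that the depth limit is enforced by json_decode's own depth argument, which makes the parser throw on over-deep input, rather than by walking the decoded tree afterwards (by which time the parser has already done the work).

```php
<?php
declare(strict_types=1);

// Added example, not DashLink's LinkController: hypothetical names, applying
// the three import limits from the release notes to a raw request body.
final class ImportLimitError extends RuntimeException {}

final class ExampleImportGuard
{
    private const MAX_BYTES = 1024 * 1024; // 1 MB
    private const MAX_DEPTH = 10;
    private const MAX_LINKS = 100;

    /**
     * Returns the decoded link list or throws ImportLimitError. The size check
     * runs before json_decode so an oversized body is never parsed; the depth
     * limit is passed to json_decode, which throws JsonException when the
     * nesting exceeds it; the count check runs on the decoded top-level array.
     */
    public function parse(string $body): array
    {
        if (strlen($body) > self::MAX_BYTES) {
            throw new ImportLimitError('import exceeds 1 MB');
        }
        try {
            $data = json_decode($body, true, self::MAX_DEPTH, JSON_THROW_ON_ERROR);
        } catch (JsonException $e) {
            // Covers malformed JSON as well as nesting deeper than MAX_DEPTH.
            throw new ImportLimitError('invalid or too deeply nested JSON: ' . $e->getMessage(), 0, $e);
        }
        if (!is_array($data)) {
            throw new ImportLimitError('import must be a JSON array of links');
        }
        if (count($data) > self::MAX_LINKS) {
            throw new ImportLimitError('import exceeds 100 links');
        }
        return $data;
    }
}

// Constructed request bodies for a stand-alone run.
$guard = new ExampleImportGuard();

$ok = json_encode([['title' => 'Nextcloud', 'url' => 'https://nextcloud.com']]);

// 12 nested arrays: well beyond a 10-level limit, rejected by the parser itself.
$tooDeep = str_repeat('[', 12) . str_repeat(']', 12);

$tooMany = json_encode(array_fill(0, 101, ['title' => 't', 'url' => 'https://example.com']));

foreach (['ok' => $ok, 'tooDeep' => $tooDeep, 'tooMany' => $tooMany] as $label => $body) {
    try {
        $links = $guard->parse($body);
        echo "{$label}: accepted " . count($links) . " link(s)\n";
    } catch (ImportLimitError $e) {
        echo "{$label}: rejected ({$e->getMessage()})\n";
    }
}
```

In a controller the size check should sit as early as possible; if the framework has already read the whole body into memory, a web-server or PHP post_max_size limit in front of the app is what actually bounds the allocation, and the in-app check then just rejects cleanly.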

Icon Upload/Management:

  • Icon preview now appears immediately after a file is selected, without saving first
  • Delete icon button is now a proper circle (it previously rendered as an ellipse)
  • Delete button hover state is now a darker red with a subtle glow instead of a black border

3D Card Flip Effect:

  • Fixed the card flip animation so the entire card, shadow included, rotates as a single unit for a more convincing 3D effect
  • Eliminated the white background flash during the flip transition; the widget background now shows throughout
  • Fixed a Firefox issue where the front content was visible on the back of the card during the flip