Skip to content

Fixing validation issues and tag injection#12

Merged
sn merged 1 commit into
mainfrom
chore/security-hardening
May 16, 2026
Merged

Fixing validation issues and tag injection#12
sn merged 1 commit into
mainfrom
chore/security-hardening

Conversation

@sn

@sn sn commented May 16, 2026

Copy link
Copy Markdown
Contributor

This pull request introduces stricter validation for HTML tag names, CSS property names, and theme token names/values to prevent injection vulnerabilities and malformed output in NitroUI. The changes add regular expression-based validation and raise clear errors for invalid input throughout the element, style, stylesheet, and theme modules.

Security and Validation Improvements

  • HTML tag names are now validated in the tag setter of Element, ensuring they start with a letter and only contain letters, digits, and hyphens.
  • CSS property names are validated using a shared regular expression in both CSSStyle and the stylesheet renderer, blocking unsafe identifiers and injection vectors. [1] [2] [3] [4] [5] [6]
  • Theme token names and values are validated in Theme.get_css_variables() to ensure only safe identifiers and values are used for CSS custom properties. [1] [2]

Other Changes

  • The package version is bumped from 1.0.10 to 1.0.11.

@sn sn self-assigned this May 16, 2026
@sn sn merged commit aa966a5 into main May 16, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant