Full deployment history for this project.
Merge pull request #42 from mbarbine/copilot/consolidate-pull-requests Consolidate all open PR heads into a single merge candidate branch for `main`
Merge remote-tracking branch 'origin/palette-active-nav-links-4020450770784389131' into copilot/consolidate-pull-requests Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Add active state highlighting to navigation links
fix: Prevent XSS in JSON-LD rendering Escapes the `<` character when outputting JSON-LD via `dangerouslySetInnerHTML` to prevent potential Cross-Site Scripting (XSS) via injected `</script>` tags.
feat: add active navigation states to header Implement active navigation link states in the Header component using `usePathname`. Uses exact path matching for root routes and prefix matching for sub-routes. Applies semantic `aria-current="page"` and CSS visual distinctions.
Fix XSS vulnerability in JSON-LD rendering Replaced `<` with `\u003c` in all occurrences of `JSON.stringify` used within `dangerouslySetInnerHTML` for `<script>` tags to prevent Cross-Site Scripting (XSS).
🎨 Palette: Add active navigation state highlighting Added visual and semantic active state indicators to both desktop and mobile navigation links in the header. What: Implemented exact path matching for root routes and prefix matching for sub-routes to accurately determine the active page. Applied visual CSS changes (text colors) and semantic `aria-current="page"` attributes to the active navigation links. Why: Previously, users lacked visual cues indicating their current location within the site hierarchy from the main navigation. This change improves orientation and wayfinding. Before/After: Links now visibly highlight (e.g., matching the primary color or foreground color) when their corresponding route or sub-route is active. Accessibility: Added the `aria-current="page"` attribute, ensuring screen readers announce the active state of navigation links to visually impaired users.
🛡️ Sentinel: [HIGH] Fix XSS Vulnerability in JSON-LD Rendering Fixes a Cross-Site Scripting (XSS) vulnerability in `components/json-ld.tsx` where `JSON.stringify` output was passed directly to `dangerouslySetInnerHTML`. Attackers could potentially inject a closing `</script>` tag followed by malicious JavaScript if any of the dynamic data (like product names or descriptions) contained un-sanitized user input. Escaped the `<` character to `\u003c` in the stringified JSON outputs, preserving valid JSON syntax while preventing HTML parser exploitation.
🎨 Palette: Add active navigation state indication Adds active visual styling and aria-current="page" to header navigation links for better accessibility and UX.
🎨 Palette: Add active navigation state highlighting
Fix XSS vulnerability in JSON-LD serialization
🛡️ Sentinel: [HIGH] Fix XSS vulnerability in JSON-LD - Replaced `dangerouslySetInnerHTML={{ __html: JSON.stringify(...) }}` with `dangerouslySetInnerHTML={{ __html: JSON.stringify(...).replace(/</g, '\\u003c') }}` in 4 places inside `components/json-ld.tsx`. - Prevents potential Cross-Site Scripting (XSS) via breaking out of `<script>` tags.
Fix XSS vulnerability in JSON-LD rendering Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
⚡ Bolt: Cache unique categories derivation Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Fix XSS vulnerability in JSON-LD injection In components/json-ld.tsx, the `JSON.stringify` output used with `dangerouslySetInnerHTML` inside `<script>` tags was unescaped. This allows potential XSS if user input contains the string `</script>`. Added `.replace(/</g, '\\u003c')` to escape angle brackets properly to neutralize this vulnerability. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🎨 Palette: Add active state to navigation links This commit improves the UX and accessibility of the main navigation by introducing an active state for the current page link. It adds an `isLinkActive` helper function to `components/header.tsx` that performs exact path matching for the root route (e.g., `/[lang]`) and prefix matching for sub-routes (e.g., `/[lang]/shop`). Active links are now visually distinguished using Tailwind text classes and semantically marked with the `aria-current="page"` attribute for screen readers. This pattern is documented in the `.Jules/palette.md` journal. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
fix: prevent XSS in JSON-LD rendering Safely serialize JSON in components/json-ld.tsx by replacing `<` with `\u003c` before passing it to `dangerouslySetInnerHTML`. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
feat(ux): add active state visual highlighting and aria-current to navigation Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Fix XSS Vulnerability in JSON-LD Scripts Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🎨 Palette: Add active navigation state and aria-current - Added visual active states for desktop and mobile global navigation using `usePathname`. - Added `aria-current="page"` to active links to improve screen reader context. - Logged the learning in `.Jules/palette.md`. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🎨 Palette: Add active navigation state and aria-current - Added visual active states for desktop and mobile global navigation using `usePathname`. - Added `aria-current="page"` to active links to improve screen reader context. - Logged the learning in `.Jules/palette.md`. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Fix XSS vulnerability in JSON-LD injection Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Fix XSS Vulnerability in JSON-LD Rendering Properly escape `<` characters in `JSON.stringify` output when passed to `dangerouslySetInnerHTML` in `components/json-ld.tsx`. This prevents potential XSS via script injection within script tags. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: Fix XSS Vulnerability in JSON-LD Rendering Escaped the HTML output of `JSON.stringify()` within `<script type="application/ld+json">` elements in `components/json-ld.tsx` to prevent XSS script breakout attempts. Replaced `<` with `\u003c` in `dangerouslySetInnerHTML` injections across the four JSON-LD generation functions (`SiteJsonLd`, `BreadcrumbJsonLd`, `ProductJsonLd`, and `ItemListJsonLd`). Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Fix XSS vulnerabilities in JSON-LD scripts Escaped HTML `<` characters to `\\u003c` in components/json-ld.tsx to prevent arbitrary script injection via `dangerouslySetInnerHTML`. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Fix Cross-Site Scripting (XSS) in JSON-LD output Escaped HTML tags from JSON-LD strings parsed by dangerouslySetInnerHTML by converting '<' to '\\u003c'. This prevents user-supplied data from prematurely terminating the script tag, mitigating XSS risks. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
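The script breakout the JSON-LD commits above describe, and the `<` to `\u003c` escape they apply, shown as an added Node.js example rather than the project's own `components/json-ld.tsx`; the product record is constructed.

```javascript
// Added example; not the project's components/json-ld.tsx. It demonstrates the
// defect the commits describe and the '<' -> '\u003c' fix they apply.

// Constructed sample: a product whose description carries untrusted text.
const sampleProduct = {
  '@context': 'https://schema.org',
  '@type': 'Product',
  name: 'Tour Shirt',
  description: 'Soft cotton </script><script>alert(1)</script>',
};

// Vulnerable form: JSON.stringify keeps '<' and '/' verbatim. The HTML tokenizer
// ends a script element at the first "</script" it sees, with no regard for JSON
// string quoting, so the rest of the description becomes live markup.
function renderJsonLdUnsafe(data) {
  return `<script type="application/ld+json">${JSON.stringify(data)}</script>`;
}

// Hardened form (the commits' fix): replace every '<' with its JSON escape.
// "\u003c" is a legal JSON string escape, so JSON.parse restores '<' losslessly,
// while the tokenizer never sees a '<' inside the element. Escaping every '<'
// also covers "<!--", which the script-data tokenizer treats specially.
function serializeJsonForScript(data) {
  return JSON.stringify(data).replace(/</g, '\\u003c');
}

function renderJsonLdSafe(data) {
  return `<script type="application/ld+json">${serializeJsonForScript(data)}</script>`;
}

// Review check: a correctly rendered JSON-LD block contains exactly one
// "</script", its own closing tag. More than one means a breakout is possible.
function countScriptClosers(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Pull the element's text back out and parse it, proving the escape is lossless.
function parseEmbeddedJsonLd(html) {
  const m = html.match(/<script type="application\/ld\+json">([\s\S]*?)<\/script>/i);
  if (!m) throw new Error('no JSON-LD element found');
  return JSON.parse(m[1]);
}
```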
🛡️ Sentinel: Add security headers Added standard security headers to Next.js configuration to provide baseline protection against XSS, clickjacking, and other common web vulnerabilities. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Fix timing attack vulnerability in administrative endpoint - Fixed a timing attack vulnerability in `/api/etsy/sync/route.ts` where the `ADMIN_SECRET` was compared using a standard equality operator. - Implemented a secure, constant-time comparison using `crypto.timingSafeEqual` and SHA-256 hashes to prevent length and byte-by-byte timing leakage. - Added a new entry to the Sentinel journal detailing the vulnerability and its prevention. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
perf: cache categories derived from static JSON Optimizes `getCategories()` by using a lazy-initialized module-level variable to cache the result. Since the categories are derived from static JSON data that never changes at runtime, this prevents expensive set allocation, string mapping, and sorting operations on every function call (O(1) instead of O(n log n)). Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Merge pull request #10 from mbarbine/palette-ux-shop-filters-402054651375332491 🎨 Palette: Improve accessibility of shop filters and product count
Merge pull request #8 from mbarbine/sentinel-fix-etsy-sync-auth-740332298146167863 🛡️ Sentinel: [CRITICAL] Add authentication to admin endpoint
Merge pull request #7 from mbarbine/feature/discovery-and-mcp-enhancements-6420565710255127848 Enhance discovery, LLMs, and MCP files. Build dynamic route handlers.
Merge pull request #5 from mbarbine/palette-product-card-focus-12295807286972002220 🎨 Palette: Add keyboard focus-within support to Product Card
Merge pull request #4 from mbarbine/palette-ux-header-focus-12015092376518312195 🎨 Palette: Add keyboard focus states to header buttons
Merge pull request #3 from mbarbine/v0/mbarbine-5b9f150e Launch official REFLUX merch store and update band history
Merge pull request #2 from mbarbine/etsy-storefront-build Launch REFLUX Official Merch Store with i18n and Spotify integration