Full deployment history for this project.
🛡️ Sentinel: [HIGH] Fix Open Redirect in login page
- Validates that `redirect` parameter from URL is strictly relative (e.g. starts with `/` and not `//`) before passing it to `router.push()`.
- Defaults to `/dashboard` if validation fails to prevent attackers from redirecting users to arbitrary external domains after login.
- Added journal entry to `.jules/sentinel.md` recording this vulnerability and its prevention.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Fix open redirect vulnerability in login
- Validated user-provided `redirect` search params to ensure strict relative paths.
- Appended incident details to Sentinel journal.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
⚡ Bolt: Eliminate database query waterfall in marketplace Refactors the marketplace database query to eliminate a sequential N+1 query waterfall. Instead of making an initial DB request to fetch a category ID by its slug, the query now uses Supabase's `!inner` join modifier on the category relation to filter products in a single database roundtrip. This reduces Time To First Byte (TTFB). Also journaled the performance learning in `.jules/bolt.md`. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Fix Open Redirect in login page
- Fixed an Open Redirect vulnerability in `app/auth/login/page.tsx` where user-provided `redirect` params were passed directly to `router.push()`.
- Validated that the path is strictly relative (starts with `/` and not `//`).
- Updated Sentinel journal with the learning and prevention strategy.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Fix Open Redirect in login page In `app/auth/login/page.tsx`, the `redirect` query parameter was used directly in `router.push(redirect)` after successful login without validation. An attacker could craft a link with `?redirect=https://malicious-site.com` or `?redirect=//malicious-site.com`, tricking a user into logging in and then redirecting them to a malicious site. This commit adds validation to ensure the redirect parameter starts with `/` and does not start with `//` (protocol-relative absolute URL). If validation fails, it falls back to the default `/dashboard` route. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
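The check described in the Sentinel commits above, written out as an added example (this is not the project's code from `app/auth/login/page.tsx`). It goes a little beyond the two string tests the commits name: besides rejecting anything that does not start with a single `/`, it also refuses `/\host` (which browsers normalise to `//host`), refuses whitespace and control characters, and confirms with the WHATWG `URL` parser that resolving the candidate against a fixed origin leaves that origin unchanged. The names `DEFAULT_REDIRECT`, `safeRedirect` and `parseAgainstOrigin`, and the placeholder origin `https://app.invalid`, are assumptions for the example.

```typescript
// Added example, not code from the project: validate a post-login `redirect`
// parameter so it can only land on a same-origin path. Assumed names:
// DEFAULT_REDIRECT, safeRedirect, parseAgainstOrigin.
const DEFAULT_REDIRECT = '/dashboard';

// Resolve a candidate against a fixed placeholder origin; null if it is not a URL at all.
function parseAgainstOrigin(candidate: string, origin: string): URL | null {
  try {
    return new URL(candidate, origin);
  } catch {
    return null;
  }
}

function safeRedirect(candidate: string | null | undefined, fallback: string = DEFAULT_REDIRECT): string {
  if (typeof candidate !== 'string' || candidate.length === 0) return fallback;

  // Cheap syntactic checks first: must be a path, i.e. a single leading '/'.
  // '//host' is protocol-relative, and '/\host' is normalised to '//host' by browsers.
  if (!candidate.startsWith('/') || candidate.startsWith('//') || candidate.startsWith('/\\')) {
    return fallback;
  }
  // Whitespace and control characters are stripped or ignored by some parsers; refuse them outright.
  if (/[\u0000-\u001F\u007F\s]/.test(candidate)) return fallback;

  // Semantic check: resolve against a placeholder origin (an assumption of this
  // example; it never leaves the function) and confirm the origin did not change.
  const origin = 'https://app.invalid';
  const resolved = parseAgainstOrigin(candidate, origin);
  if (resolved === null || resolved.origin !== origin) return fallback;

  // Hand back the normalised path (plus query and fragment), never the raw input string.
  return resolved.pathname + resolved.search + resolved.hash;
}
```

Call it as `router.push(safeRedirect(searchParams.get('redirect')))`; the fallback is always a path the application owns, so a failed validation degrades to the dashboard rather than to an error page.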
🎨 Palette: Add ARIA labels to icon-only buttons and inputs Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Fix XSS vulnerability in JSON-LD script tags Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [HIGH] Fix XSS vulnerability in JSON-LD script tags Replaces `<` with `\u003c` when injecting stringified JSON into `<script>` tags using `dangerouslySetInnerHTML`. This prevents Cross-Site Scripting (XSS) by ensuring attackers cannot break out of the script tag using payload strings like `</script><script>alert(1)</script>`, regardless of the JSON context. This fix is applied to `app/layout.tsx`, `app/marketplace/[id]/page.tsx`, and `app/page.tsx`. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [CRITICAL] Fix Cross-Site Scripting (XSS) in JSON-LD structured data This commit fixes a critical XSS vulnerability where user-controlled input in `productJsonLd`, `marketplaceJsonLd`, `organizationJsonLd`, and `websiteJsonLd` could be used to inject arbitrary JavaScript via unescaped `<script>` tags when serialized with `JSON.stringify` inside `dangerouslySetInnerHTML`. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
🛡️ Sentinel: [CRITICAL] Fix XSS vulnerability in JSON-LD script injection Replaced `dangerouslySetInnerHTML={{ __html: JSON.stringify(...) }}` with `dangerouslySetInnerHTML={{ __html: JSON.stringify(...).replace(/</g, '\u003c') }}` in `app/page.tsx`, `app/layout.tsx`, and `app/marketplace/[id]/page.tsx` to prevent Cross-Site Scripting (XSS) vulnerabilities where malicious product titles or descriptions could escape the `<script>` tag. Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
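The escaping the three JSON-LD commits above describe, as an added example that is not the project's code from `app/page.tsx`, `app/layout.tsx` or `app/marketplace/[id]/page.tsx`. Two points worth having in working code: the replacement must be the six-character sequence `\u003c`, which in a JavaScript or TypeScript source file is written `'\\u003c'` (the literal `'\u003c'` is just `<`, and replacing `<` with `<` changes nothing); and since `JSON.parse` accepts `\uXXXX` escapes anywhere, the same trick can also cover `>`, `&`, and the U+2028/U+2029 line terminators, which this example does beyond the `<`-only replacement in the commits. The names `toJsonLdScript`, `containsScriptBreakout`, `roundTrips` and the `maliciousProduct` sample are constructed for the example.

```typescript
// Added example, not code from the project: serialise structured data for the body
// of a <script type="application/ld+json"> element. Assumed names: toJsonLdScript,
// containsScriptBreakout, roundTrips, maliciousProduct.
function toJsonLdScript(data: unknown): string {
  // Each replacement is the six-character JSON escape; note the doubled backslash.
  // '<' alone is what the commits fix; '>' and '&' cannot open a tag inside a
  // script body but are cheap to neutralise, and U+2028/U+2029 are line terminators
  // that older engines choke on when they appear raw inside script text.
  return JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// What the HTML tokenizer is looking for: an end tag, or the '<!--' that switches
// it into the escaped-script-data state. Neither can survive once '<' is escaped.
function containsScriptBreakout(scriptBody: string): boolean {
  return /<\/script/i.test(scriptBody) || scriptBody.includes('<!--');
}

// The escaped text must still parse back to exactly the original object, otherwise
// search engines see different structured data than the page intended.
function roundTrips(data: unknown): boolean {
  return JSON.stringify(JSON.parse(toJsonLdScript(data))) === JSON.stringify(data);
}

// Constructed sample: a seller-controlled product whose name carries a breakout payload.
const maliciousProduct = {
  '@context': 'https://schema.org',
  '@type': 'Product',
  name: '</script><script>alert(1)</script>',
  description: 'Hat & <b>scarf</b>\u2028set',
};
```

`JSON.stringify(maliciousProduct)` contains `</script>` verbatim, so dropping it into `dangerouslySetInnerHTML` hands the attacker a second script element; `toJsonLdScript(maliciousProduct)` contains no `<` at all and still parses back to the same object.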
Merge pull request #3 from mbarbine/sentinel-fix-idor-create-product-13283831811111064119
🛡️ Sentinel: [CRITICAL] Fix Authorization Bypass in createProduct
🚨 Severity: CRITICAL
💡 Vulnerability: The `createProduct` server action trusted the client-provided `seller_id` from the form data, leading to an Insecure Direct Object Reference (IDOR) / authorization bypass vulnerability.
🎯 Impact: A malicious user could create product listings on behalf of any other user by simply modifying the form payload.
🔧 Fix: Updated the action to fetch the authenticated user session securely via `supabase.auth.getUser()`, reject unauthenticated requests, and assign the `seller_id` correctly using `user.id`.
✅ Verification: Ran `npm run build` and verified the logic locally.
Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Merge pull request #2 from mbarbine/copilot/update-nextjs-version Bump Next.js 16.0.0 → 16.1.6 to resolve CVE-2025-66478
Update Next.js from 16.0.0 to 16.1.6 to fix CVE-2025-66478 Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>
Initial plan
Merge pull request #1 from mbarbine/copilot/enhance-sitemap-i18n-json-ld Add sitemap, robots, llms.txt, JSON-LD, i18n, and SEO enhancements for Platphorm News network hosting
Add sitemap, robots, llms.txt, JSON-LD, i18n, and SEO enhancements Co-authored-by: mbarbine <3211492+mbarbine@users.noreply.github.com>