sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: eliminate all 1600 SEC-015 security info findings

Browse Source 
Add safe-pattern exceptions to the x-html check in validate_security.py
for $icon(), $store methods, and window.icons lookups. Suppress remaining
8 legitimate x-html uses (admin-authored content, app-controlled JS) with
noqa comments. Security validator now reports 0 errors, 0 warnings, 0 info.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Samir Boulahtit
2026-02-16 18:02:59 +01:00
parent 6458ab13d7
commit eaab47f2f8
10 changed files with 26 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
docs/proposals/fix-1600-sec015-xhtml-findings.md
View File

@@ -1,7 +1,8 @@
# Fix 1600 SEC-015 x-html Security Info Findings
**Date:** 2026-02-15
**Status:** Planned
**Completed:** 2026-02-16
**Status:** Implemented
**Validator:** Security (`scripts/validate/validate_security.py`)
## Current State

23
docs/proposals/validator-noqa-suppressions-and-remaining-findings.md
View File

@@ -2,7 +2,7 @@
**Date:** 2026-02-14
**Updated:** 2026-02-16
**Status:** Implemented — noqa mechanism complete, errors and warnings resolved, info findings remain
**Status:** Implemented — noqa mechanism complete, all security findings resolved, performance info remains
## What Was Done
@@ -24,11 +24,11 @@
| Validator | Files | Errors | Warnings | Info |
|-----------|-------|--------|----------|------|
| Architecture | 607 | 0 | 0 | 0 |
| Security | 1323 | 0 | 0 | 1600 |
| Security | 1323 | 0 | 0 | 0 |
| Performance | 1195 | 0 | 0 | 1527 |
| Audit | 0 | 0 | 2 | 0 |
**Total: 0 errors, 2 warnings, 3127 info**
**Total: 0 errors, 2 warnings, 1527 info**
The 2 audit warnings are configuration recommendations (not code issues):
@@ -62,15 +62,9 @@ The 2 audit warnings are configuration recommendations (not code issues):
---
## Remaining Info Findings (3127)
## Remaining Info Findings (1527)
All errors and warnings (except 2 audit config recommendations) are resolved. What remains are **info-level** findings only.
### Security Info (1600 SEC-015)
| Rule | Count | What | Status | Effort |
|------|-------|------|--------|--------|
| **SEC-015** | 1600 | `x-html` in Alpine.js templates | **Proposal written** — see `fix-1600-sec015-xhtml-findings.md` | Medium |
All errors resolved. All security findings resolved (SEC-015 fix implemented — see `fix-1600-sec015-xhtml-findings.md`). What remains are **performance info** and 2 audit config warnings.
### Performance Info (1527)
@@ -86,7 +80,6 @@ All errors and warnings (except 2 audit config recommendations) are resolved. Wh
### Priority Order
1. **Tune SEC-015** to recognize Alpine.js patterns — eliminates 1600 noise findings at the source (proposal ready)
2. **Quick wins**: add `defer` to scripts (PERF-067, 145 findings) and `loading="lazy"` to images (PERF-058, 22 findings)
3. **Fix the 6 fixable noqa** — minor cleanup, do whenever touching those files
4. **Audit config**: add PR template and dependabot config to eliminate 2 remaining warnings
1. **Quick wins**: add `defer` to scripts (PERF-067, 145 findings) and `loading="lazy"` to images (PERF-058, 22 findings)
2. **Fix the 6 fixable noqa** — minor cleanup, do whenever touching those files
3. **Audit config**: add PR template and dependabot config to eliminate 2 remaining warnings