github Makin-Things/weather-radar-card v3.6.0-alpha3
3.6.0-alpha3

Pre-release, 7 hours ago

Same-day fix-and-improvement release for the 3.6 alpha track. Two NWS-layer improvements landed via PR #138.

Security

  • Escape three popup href interpolations in the NWS, wildfire, and lightning popup builders. Only the NWS one had a known attack surface — props.uri is server-controlled, and the existing scheme check blocks javascript: URIs but does NOT block HTML attribute breakouts via " or >. If NWS ever returns a uri containing those characters, a malicious one could close the href attribute and inject script. Wildfire (linkSlug is slugify-derived, output restricted to [a-z0-9-]) and lightning (url is built from clamped numeric inputs) were safe by construction; defensive escape future-proofs against refactors that break the safe-by-construction guarantee. No known live exploit at any of the three sites — the fix closes the theoretical gap.

Changed

  • NWS alert paint order is now lexicographic over (severity, urgency, certainty) — replaces the prior single-key severity-ascending sort. Severity dominates (matching the alerts_min_severity filter), urgency breaks severity ties, certainty breaks urgency ties.

    Worked example — within typical Warnings:

    Tornado Warning Observed         (Extreme,  Immediate, Observed)  ← top
    Tornado Warning Radar-Indicated  (Extreme,  Immediate, Likely)
    Severe T-storm Warning Observed  (Severe,   Immediate, Observed)
    Severe T-storm Warning Likely    (Severe,   Immediate, Likely)
    Flash Flood Warning              (Severe,   Expected,  Likely)
    Wind Advisory Observed           (Moderate, Expected,  Observed)
    Frost Advisory                   (Minor,    Future,    Likely)    ← bottom

    Past urgency sits below Unknown ("already happened — least actionable"). Observed certainty is the top of its axis. CAP-standard fields, no event-name regex.

Tests

316 → 329 unit tests (+13). New coverage:

  • 8 cases for the three-axis lex sort: severity primary, urgency secondary tiebreak, certainty tertiary tiebreak, severity-dominates-other-axes, Past < Unknown urgency, all-defaults vs missing-properties equivalence, plus a realistic mixed-alerts paint-order pin.
  • 5 cases for buildPopupHtml URL escaping: attribute-breakout chars escaped, javascript: scheme triggers fallback, normal uri unchanged, < > & in uri escaped, null/undefined uri falls back to the alerts index.
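The escaping contract described in the Security note and pinned by the buildPopupHtml tests above, as an added example (not the weather-radar-card project's own code): a popup link builder that sends non-http(s) or missing URIs to a fallback page and escapes the characters that could close the href attribute or open a tag. The function names, the fallback URL and the sample URIs are assumptions constructed for this illustration.

```javascript
// Added example, not project code. Names and the fallback URL are placeholders.
const ALERTS_INDEX_FALLBACK = "https://example.invalid/alerts"; // placeholder for the alerts index

// Escape every character that can terminate an HTML attribute value or start a tag.
// Order matters: '&' first, so already-produced entities are not double-escaped.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Scheme check via the URL parser rather than a string prefix: the parser lowercases
// the scheme and strips leading whitespace and embedded tabs/newlines, so variants
// such as "JavaScript:" or " javascript:" are classified correctly. Anything that is
// not http(s), does not parse, or is null/undefined/empty falls back to the index.
function safeHref(uri) {
  if (uri === null || uri === undefined || uri === "") return ALERTS_INDEX_FALLBACK;
  let parsed;
  try {
    parsed = new URL(String(uri));
  } catch {
    return ALERTS_INDEX_FALLBACK;
  }
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return ALERTS_INDEX_FALLBACK;
  return String(uri); // a normal URI passes through unchanged
}

// The scheme check alone would still let a server-controlled uri containing '"' or '>'
// break out of the attribute; escaping the interpolated value closes that gap.
function buildPopupLink(uri, label) {
  return `<a href="${escapeAttr(safeHref(uri))}" target="_blank" rel="noopener">${escapeAttr(label)}</a>`;
}
```
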

Coming in 3.6.0-beta1

The two open @genericJE PRs (#132 — DWD coverage-mask pulse fix; #133 — wind overlay barbs/arrows/streamlines) are pending review feedback. They'll land in 3.6.0-beta1, after which 3.6.0 stable will consolidate alpha1 + alpha2 + alpha3 + beta1.


Full notes: CHANGELOG.md
