github ulsklyc/oikos v0.7.1
v0.7.1 - XSS hardening & zoom accessibility

one month ago

Security

  • Fix stored XSS across all pages - extract shared esc() utility (public/utils/html.js) and apply HTML escaping to all user-controlled data in innerHTML templates (titles, names, locations, descriptions, colors, notes content, autocomplete suggestions)
  • Remove user-scalable=no and maximum-scale=1 from viewport meta tag - restores pinch-to-zoom accessibility (WCAG 1.4.4)

Changed

  • Deduplicate 8 identical escHtml() functions (tasks, shopping, calendar, notes, meals, contacts, budget, settings) into single shared esc() import from utils/html.js
  • Shared esc() also escapes single quotes (' to its HTML entity) for safer attribute contexts
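
An added example, not the project's code: a sketch of a shared esc() helper with a before/after innerHTML template, showing why the single-quote escape matters inside a single-quoted attribute. The helper body, the choice of &#39; for the single quote, renderTaskUnsafe/renderTask, hasRawInjection and the sample record are all assumptions made for illustration.

```javascript
// Added illustration; NOT the contents of oikos' public/utils/html.js.
// Assumption: the single quote is emitted as &#39; (the release notes
// do not show which entity the project uses).
const ESC_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function esc(value) {
  // null/undefined become an empty string; everything else is stringified first
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => ESC_MAP[ch]);
}

// "Before": user-controlled fields interpolated straight into an innerHTML template.
function renderTaskUnsafe(task) {
  return `<li style='border-color:${task.color}' title="${task.title}">${task.title}</li>`;
}

// "After": every user-controlled field passes through esc().
function renderTask(task) {
  return `<li style='border-color:${esc(task.color)}' title="${esc(task.title)}">${esc(task.title)}</li>`;
}

// Constructed sample record: markup in the title, a single quote in the color.
const sample = {
  title: '<img src=x onerror=alert(1)>',
  color: "red' onmouseover='alert(2)",
};

// True if the rendered string still contains raw markup or an attribute breakout.
function hasRawInjection(html) {
  return html.includes('<img') || html.includes("' onmouseover=");
}

console.log('unsafe:', renderTaskUnsafe(sample));
console.log('safe:  ', renderTask(sample));
```

HTML escaping only prevents breaking out of the element or attribute; a value placed in style or href still needs its own validation, such as an allow-list of color formats.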

Full Changelog: v0.7.0...v0.7.1
