perplexity/Timmy-time-dashboard
Archived
1
0
Fork 0
forked from Rockachopa/Timmy-time-dashboard
Code Issues Pull Requests 1 Activity
This repository has been archived on 2026-03-24. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
main
Timmy-time-dashboard/tests/security/test_security_fixes_xss.py
Alexander Whitestone 9d78eb31d1 ruff (#169) 
* polish: streamline nav, extract inline styles, improve tablet UX

- Restructure desktop nav from 8+ flat links + overflow dropdown into
  5 grouped dropdowns (Core, Agents, Intel, System, More) matching
  the mobile menu structure to reduce decision fatigue
- Extract all inline styles from mission_control.html and base.html
  notification elements into mission-control.css with semantic classes
- Replace JS-built innerHTML with secure DOM construction in
  notification loader and chat history
- Add CONNECTING state to connection indicator (amber) instead of
  showing OFFLINE before WebSocket connects
- Add tablet breakpoint (1024px) with larger touch targets for
  Apple Pencil / stylus use and safe-area padding for iPad toolbar
- Add active-link highlighting in desktop dropdown menus
- Rename "Mission Control" page title to "System Overview" to
  disambiguate from the chat home page
- Add "Home — Timmy Time" page title to index.html

https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h

* fix(security): move auth-gate credentials to environment variables

Hardcoded username, password, and HMAC secret in auth-gate.py replaced
with os.environ lookups. Startup now refuses to run if any variable is
unset. Added AUTH_GATE_SECRET/USER/PASS to .env.example.

https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h

* refactor(tooling): migrate from black+isort+bandit to ruff

Replace three separate linting/formatting tools with a single ruff
invocation. Updates tox.ini (lint, format, pre-push, pre-commit envs),
.pre-commit-config.yaml, and CI workflow. Fixes all ruff errors
including unused imports, missing raise-from, and undefined names.
Ruff config maps existing bandit skips to equivalent S-rules.

https://claude.ai/code/session_015uPUoKyYa8M2UAcyk5Gt6h

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-03-11 12:23:35 -04:00

76 lines
2.4 KiB
Python
Raw Permalink Blame History

from fastapi.templating import Jinja2Templates
def test_agent_chat_msg_xss_prevention():
"""Verify XSS prevention in agent_chat_msg.html."""
templates = Jinja2Templates(directory="src/dashboard/templates")
payload = "<script>alert('xss')</script>"
class MockAgent:
def __init__(self):
self.name = "TestAgent"
self.id = "test-agent"
response = templates.get_template("partials/agent_chat_msg.html").render(
{
"message": payload,
"response": payload,
"error": payload,
"agent": MockAgent(),
"timestamp": "12:00:00",
}
)
# Check that payload is escaped
assert "&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;" in response
assert payload not in response
def test_agent_panel_xss_prevention():
"""Verify XSS prevention in agent_panel.html."""
templates = Jinja2Templates(directory="src/dashboard/templates")
payload = "<script>alert('xss')</script>"
class MockAgent:
def __init__(self):
self.name = payload
self.id = "test-agent"
self.status = "idle"
self.capabilities = payload
class MockTask:
def __init__(self):
self.id = "task-1"
self.status = type("obj", (object,), {"value": "completed"})
self.created_at = "2026-02-26T12:00:00"
self.description = payload
self.result = payload
response = templates.get_template("partials/agent_panel.html").render(
{"agent": MockAgent(), "tasks": [MockTask()]}
)
assert "&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;" in response
assert payload not in response
def test_swarm_sidebar_xss_prevention():
"""Verify XSS prevention in swarm_agents_sidebar.html."""
templates = Jinja2Templates(directory="src/dashboard/templates")
payload = "<script>alert('xss')</script>"
class MockAgent:
def __init__(self):
self.name = payload
self.id = "test-agent"
self.status = "idle"
self.capabilities = payload
self.last_seen = "2026-02-26T12:00:00"
response = templates.get_template("partials/swarm_agents_sidebar.html").render(
{"agents": [MockAgent()]}
)
assert "&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;" in response
assert payload not in response
Reference in New Issue View Git Blame Copy Permalink