@mariozechner/pi-coding-agent: HTML export XSS fix via URL sanitization
What changed
Pi HTML exports now strip C0 control characters from Markdown link and image URLs and apply an allow-list to block unsafe URL schemes, preventing potential XSS.
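The check described above, sketched in JavaScript as an added example (not code from the Pi project): control characters are stripped before the scheme is tested against an allow-list, with a prefix deny-list shown for contrast. The helper names, the allow-list contents (`http`, `https`, `mailto`), the removal of DEL and the handling of relative URLs are assumptions.

```javascript
// Added example: hypothetical helper names, not the Pi project's code.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]); // assumed allow-list

// C0 controls are U+0000..U+001F; DEL (U+007F) is also removed here (assumption).
const CONTROL_CHARS = /[\u0000-\u001F\u007F]/g;

// Deny-list check shown for contrast: it only sees the literal prefix.
function naiveIsSafe(url) {
  return !url.toLowerCase().startsWith("javascript:");
}

// Returns the cleaned URL, or null when it must not be emitted as href/src.
function sanitizeUrl(raw) {
  if (typeof raw !== "string") return null;
  // Strip controls before any scheme check: browsers drop tab, CR and LF
  // while parsing a URL, so "java\tscript:" is treated as "javascript:".
  const url = raw.replace(CONTROL_CHARS, "").trim();
  if (url === "") return null;
  // RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (m) return ALLOWED_SCHEMES.has(m[1].toLowerCase()) ? url : null;
  // No valid scheme: accept as a relative reference, unless a ":" appears
  // before the first "/", "?" or "#" (ambiguous, so rejected).
  const colon = url.indexOf(":");
  const delim = url.search(/[/?#]/);
  if (colon !== -1 && (delim === -1 || colon < delim)) return null;
  return url;
}

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Rejected URLs degrade to plain text instead of producing a link.
function renderLink(text, href) {
  const safe = sanitizeUrl(href);
  if (safe === null) return escapeHtml(text);
  return `<a href="${escapeHtml(safe)}">${escapeHtml(text)}</a>`;
}
```

The order matters: an allow-list applied to the raw string would still reject these inputs, but the control characters would remain in the emitted attribute, so stripping first keeps the stored value and the checked value identical.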
Who it affects
Users of @mariozechner/pi-coding-agent (all versions up to 0.73.1) and @earendil-works/pi-coding-agent versions 0.74.0 to 0.78.0 who export sessions as HTML.
What to do today
Upgrade @earendil-works/pi-coding-agent to version 0.78.1 or later. If using the old @mariozechner scope, migrate to the new package and upgrade. Regenerate any shared HTML exports that may contain untrusted content.