
Commit 1eafe55

author
jovanSAPFIONEER
committed
fix: CodeQL #108 — bad HTML filter regexp closing tag
security.ts: </script\s*> → </script\b[^>]*> to match all browser-accepted closing tag variants (e.g. </script foo=bar>, </script\t\n>). Bump to v4.15.3. All 2,357 tests pass.
1 parent d373bd3 commit 1eafe55
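As an added example that is not part of this commit or of the Network-AI code base: the two regexes below are copied from the `security.ts` diff, the sample strings are constructed here, and `matches`, `missedBy` and `report` are helper names of this example only. It runs each pattern over the closing-tag variants the commit message cites, plus one form the HTML tokenizer does not treat as an end tag and two payloads with no closing tag at all, so the before/after difference and the remaining gap are both visible.

```typescript
// Added example, not project code. BEFORE and AFTER are the pre-fix and
// post-fix XSS patterns from security.ts; all sample inputs are constructed.
const BEFORE = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;
const AFTER = /<script\b[^>]*>[\s\S]*?<\/script\b[^>]*>/gi;

// The /g flag makes RegExp#test stateful through lastIndex, so reset it
// before every call to get an independent answer per input.
function matches(re: RegExp, input: string): boolean {
  re.lastIndex = 0;
  return re.test(input);
}

// Per the HTML tokenizer, script content ends at "</script" followed by
// whitespace, "/" or ">". Every string here is therefore a real end tag.
const CLOSING_VARIANTS: string[] = [
  '<script>alert(1)</script>',
  '<script>alert(1)</script >',
  '<script>alert(1)</script\t\n>',
  '<script>alert(1)</script foo=bar>',
  '<script>alert(1)</script foo="bar">',
  '<script>alert(1)</script/>',
];

// "</script-x>" is NOT an end tag in browsers ("-" is not whitespace, "/"
// or ">"), so the script keeps running. AFTER still flags it: a harmless
// false positive for a blocklist, but it shows the regex is a superset.
const NOT_AN_END_TAG: string[] = ['<script>alert(1)</script-x>'];

// Payloads with no closing tag at all. Neither pattern matches these
// because both require a complete "</script...>" to follow.
const UNCLOSED: string[] = [
  '<script src=//example.invalid/x.js>', // hypothetical host
  '<script>alert(1)',
];

// Map each sample to whether the given pattern flags it.
function report(re: RegExp, samples: string[]): Record<string, boolean> {
  const out: Record<string, boolean> = {};
  for (const s of samples) out[s] = matches(re, s);
  return out;
}

// Samples the given pattern fails to flag.
function missedBy(re: RegExp, samples: string[]): string[] {
  return samples.filter((s) => !matches(re, s));
}

console.log('before, closing variants:', report(BEFORE, CLOSING_VARIANTS));
console.log('after, closing variants:', report(AFTER, CLOSING_VARIANTS));
console.log('after, not an end tag:', report(AFTER, NOT_AN_END_TAG));
console.log('after, unclosed payloads missed:', missedBy(AFTER, UNCLOSED));
```

The three forms the old pattern misses are exactly the attribute-bearing and self-closing end tags; the new pattern catches all six. What neither catches is an opening tag with no closer, which is the case to keep in mind if this list is relied on to flag injection attempts rather than to satisfy the CodeQL query.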

11 files changed

Lines changed: 16 additions & 11 deletions

.github/copilot-instructions.md

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@
22

33
## Project Overview
44

5-
Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination (v4.15.2). 2,357 tests across 25 suites.
5+
Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination (v4.15.3). 2,357 tests across 25 suites.
66

77
## Architecture
88
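Review bot: The version string is hand-edited in six documentation files in this commit (copilot-instructions.md, CLAUDE.md, CODEX.md, INTEGRATION_GUIDE.md, README.md, openapi.yaml) on top of package.json, and this hunk also repeats the test count (2,357 across 25 suites) that the README badge carries. A release script that stamps these from package.json, or dropping the version and test count from the agent instruction files, would keep a future bump from missing one of them.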

CHANGELOG.md

Lines changed: 5 additions & 0 deletions
@@ -5,6 +5,11 @@ All notable changes to Network-AI will be documented in this file.
55
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
66
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
77

8+
## [4.15.3] - 2026-04-04
9+
10+
### Fixed
11+
- **CodeQL #108 — Bad HTML filtering regexp** (`security.ts`): Changed `<\/script\s*>` to `<\/script\b[^>]*>` to match all browser-accepted closing tag variants including `</script\t\n bar>` and `</script foo="bar">`.
12+
813
## [4.15.2] - 2026-04-04
914

1015
### Fixed
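Review bot: The new entry's "match all browser-accepted closing tag variants" overstates what `<\/script\b[^>]*>` does: it matches a superset (for example `</script-x>`, which the HTML tokenizer treats as text, not as an end tag) and, like the old pattern, still requires the closing `>` to be present. Suggest wording such as "matches the whitespace, attribute and self-closing end-tag forms browsers accept" and linking the CodeQL alert #108 so the finding can be traced from the changelog.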

CLAUDE.md

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ This file is read automatically by Claude Code when working in this repository.
44

55
## Project Overview
66

7-
Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination. Version 4.15.2.
7+
Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination. Version 4.15.3.
88

99
## Build & Test Commands
1010

CODEX.md

Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ This file is read automatically by OpenAI Codex CLI when working in this reposit
44

55
## Project Overview
66

7-
Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination. Version 4.15.2.
7+
Network-AI is a TypeScript/Node.js multi-agent orchestrator — shared state, guardrails, budgets, and cross-framework coordination. Version 4.15.3.
88

99
## Build & Test Commands
1010

INTEGRATION_GUIDE.md

Lines changed: 1 addition & 1 deletion
@@ -477,4 +477,4 @@ Run these before declaring the integration production-ready:
477477

478478
---
479479

480-
*Network-AI v4.15.2 · MIT License · https://github.com/Jovancoding/Network-AI*
480+
*Network-AI v4.15.3 · MIT License · https://github.com/Jovancoding/Network-AI*

README.md

Lines changed: 1 addition & 1 deletion
@@ -5,7 +5,7 @@
55
[![Website](https://img.shields.io/badge/website-network--ai.org-4b9df2?style=flat&logo=web&logoColor=white)](https://network-ai.org/)
66
[![CI](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/ci.yml)
77
[![CodeQL](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml/badge.svg)](https://github.com/Jovancoding/Network-AI/actions/workflows/codeql.yml)
8-
[![Release](https://img.shields.io/badge/release-v4.15.2-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
8+
[![Release](https://img.shields.io/badge/release-v4.15.3-blue.svg)](https://github.com/Jovancoding/Network-AI/releases)
99
[![npm](https://img.shields.io/npm/dw/network-ai.svg?label=npm%20downloads)](https://www.npmjs.com/package/network-ai)
1010
[![Tests](https://img.shields.io/badge/tests-2357%20passing-brightgreen.svg)](#testing)
1111
[![Adapters](https://img.shields.io/badge/frameworks-17%20supported-blueviolet.svg)](#adapter-system)

openapi.yaml

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@ info:
66
blackboard coordination, parallel agent spawning, and permission gating
77
via AuthGuardian. Requires the companion MCP server:
88
`npm install -g network-ai && npx network-ai-server --port 3001`
9-
version: 4.15.2
9+
version: 4.15.3
1010
license:
1111
name: MIT
1212
url: https://github.com/Jovancoding/Network-AI/blob/main/LICENSE

package-lock.json

Lines changed: 2 additions & 2 deletions

package.json

Lines changed: 1 addition & 1 deletion
@@ -1,6 +1,6 @@
11
{
22
"name": "network-ai",
3-
"version": "4.15.2",
3+
"version": "4.15.3",
44
"description": "AI agent orchestration framework for TypeScript/Node.js - 17 adapters (LangChain, AutoGen, CrewAI, OpenAI Assistants, LlamaIndex, Semantic Kernel, Haystack, DSPy, Agno, MCP, OpenClaw, A2A, Codex, MiniMax, NemoClaw, APS + streaming variants). Built-in CLI, security, swarm intelligence, real-time streaming, and agentic workflow patterns.",
55
"homepage": "https://network-ai.org",
66
"main": "dist/index.js",

security.ts

Lines changed: 1 addition & 1 deletion
@@ -201,7 +201,7 @@ export class InputSanitizer {
201201
// Dangerous patterns that could indicate injection attempts
202202
private static DANGEROUS_PATTERNS = [
203203
/\$\{.*\}/g, // Template injection
204-
/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, // XSS (handles </script > variants)
204+
/<script\b[^>]*>[\s\S]*?<\/script\b[^>]*>/gi, // XSS (handles </script foo="bar"> etc.)
205205
/javascript:/gi, // JavaScript protocol
206206
/on\w+\s*=/gi, // Event handlers
207207
/\.\.\//g, // Path traversal
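Review bot: No regression test accompanies the regex change on line 204: the commit reports 2,357 tests before and after (copilot-instructions.md and the README badge keep the same count), so `</script foo="bar">`, `</script\t\n>` and `</script/>` are not pinned down and the next edit to this line can reopen the CodeQL finding. Add a table-driven test over those end-tag forms. Two caveats on the same line: the pattern still requires a complete closing tag, so `<script src=...>` with no `</script` matches neither the old nor the new regex, which satisfies the "bad HTML filtering regexp" query but deserves a comment if DANGEROUS_PATTERNS is meant to flag injection attempts; and the `g` flag is kept, so if any of these patterns is used with `RegExp.prototype.test` the `lastIndex` carry-over makes consecutive checks stateful.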
