Security Audit Uncovers Critical XSS Flaw Introduced by Prior Fix, Hardens CI Pipeline
A third-party security audit has exposed a critical cross-site scripting (XSS) vulnerability that was inadvertently introduced by the project's own previous security patch. The flaw, located in the `stripHtml()` sanitization function within `lib/sanitize.ts`, allowed maliciously encoded HTML entities to bypass tag-stripping defenses. The previous implementation's order of operations, stripping tags first and then decoding entities, meant that an entity-encoded payload such as `&lt;script&gt;alert(1)&lt;/script&gt;` contained no literal tags to strip, survived the initial sanitization, and was then decoded into a functional `<script>` element. The fix reverses this sequence, decoding entities into real tags before tags are removed, and closes a severe self-inflicted security gap.
The audit, conducted as a follow-up to prior reviews, also identified and hardened several other medium-risk vectors. A Cross-Site Request Forgery (CSRF) check in `lib/security.ts` was found to be overly permissive, incorrectly allowing requests with a `Sec-Fetch-Site: same-site` header, which could include any subdomain. This has been tightened to only permit `same-origin` and `none`. Furthermore, the review uncovered hardcoded database credentials within multiple operational scripts in the `scripts/` directory, including `backfill-images.ts` and `seed-topics.ts`, posing a significant internal risk if these scripts were exposed or misused.
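The two checks described above, the `stripHtml()` ordering bug and the `Sec-Fetch-Site` rule, reduced to a runnable illustration. This is an added example, not the project's own `lib/sanitize.ts` or `lib/security.ts`; the entity table, the bounded re-decode loop and the treatment of a missing header are assumptions made here.

```typescript
// Added example (not the project's lib/sanitize.ts or lib/security.ts):
// a minimal entity decoder and tag stripper that reproduces the ordering bug.
const NAMED: Record<string, string> = {
  "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#39;": "'", "&amp;": "&",
};

// One decoding pass over numeric references (&#60; / &#x3c;) and named entities.
function decodeEntities(input: string): string {
  return input
    .replace(/&#x([0-9a-f]+);/gi, (_m, hex) => String.fromCharCode(parseInt(hex, 16)))
    .replace(/&#(\d+);/g, (_m, dec) => String.fromCharCode(parseInt(dec, 10)))
    .replace(/&(lt|gt|quot|amp|#39);/g, (m) => NAMED[m] ?? m);
}

// Naive tag removal; encoded tags contain no '<' and pass through untouched.
function stripTags(input: string): string {
  return input.replace(/<[^>]*>/g, "");
}

// Vulnerable order from the audit: strip first, then decode. The encoded
// payload survives stripTags() and is decoded into live markup afterwards.
function stripHtmlVulnerable(input: string): string {
  return decodeEntities(stripTags(input));
}

// Fixed order: decode until the string stops changing (so double-encoded
// input such as &amp;lt; cannot re-materialise later), then strip.
function stripHtmlFixed(input: string): string {
  let decoded = input;
  for (let pass = 0; pass < 5; pass++) {
    const next = decodeEntities(decoded);
    if (next === decoded) break;
    decoded = next;
  }
  return stripTags(decoded);
}

// CSRF origin check on Sec-Fetch-Site. The old rule also admitted "same-site",
// i.e. any subdomain; the tightened rule accepts only "same-origin" and "none".
// A missing header is treated as not allowed (assumption, not from the audit).
function isAllowedSecFetchSite(value: string | undefined, legacySameSite = false): boolean {
  if (value === undefined) return false;
  const allowed = legacySameSite
    ? ["same-origin", "same-site", "none"]
    : ["same-origin", "none"];
  return allowed.indexOf(value.trim().toLowerCase()) !== -1;
}
```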
These findings underscore the cascading risks inherent in complex codebases, where a fix in one area can create a vulnerability in another. The incident highlights the critical importance of rigorous, iterative security reviews and the dangers of credential sprawl in development and CI/CD scripts. The hardening measures now enforce stricter origin policies and mandate the removal of plaintext secrets from version-controlled automation tools, aiming to prevent both external exploitation and insider threat scenarios.