Fix security bugs and migrate image uploads to /api/v1/attachments

* Replace /api/v1/resources with /api/v1/attachments for image uploads * Upload attachments as JSON with base64-encoded content field * After memo creation, link each attachment via PATCH /api/v1/attachments/{id} * Rewrite markdown image URLs to use /file/attachments/{id} pattern * Fix XSS: sanitize marked.parse output with a DOM-based allowlist sanitizer * Fix SSRF: validate img.src scheme (http/https only) before fetching * Fix stack overflow: use chunked base64 encoding for large images * Update CLAUDE.md to document new attachment flow
2026-03-18 17:55:04 +01:00
parent 42d9f336b1
commit 84b3dd69f1
11 changed files with 274 additions and 119 deletions
--- a/src/settings.css
+++ b/src/settings.css
@@ -3,20 +3,32 @@
 *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }

 :root {
-  --bg: #0f0f11;
-  --surface: #1a1a1f;
-  --border: #2a2a35;
+  --bg: #f9fafb;
+  --surface: #ffffff;
+  --border: #f3f4f6;
  --accent: #10b981;
  --accent-dim: #10b98130;
-  --text: #e8e8f0;
-  --text-dim: #888899;
-  --success: #4ade80;
-  --error: #f87171;
+  --text: #111827;
+  --text-dim: #4b5563;
+  --success: #10b981;
+  --error: #ef4444;
  --radius: 8px;
  --font: 'IBM Plex Sans', sans-serif;
  --mono: 'IBM Plex Mono', monospace;
 }

+@media (prefers-color-scheme: dark) {
+  :root {
+    --bg: #0f0f11;
+    --surface: #1a1a1f;
+    --border: #2a2a35;
+    --text: #e8e8f0;
+    --text-dim: #888899;
+    --success: #4ade80;
+    --error: #f87171;
+  }
+}
+
 body {
  font-family: var(--font);
  background: var(--bg);