Fix security bugs and migrate image uploads to /api/v1/attachments

* Replace /api/v1/resources with /api/v1/attachments for image uploads * Upload attachments as JSON with base64-encoded content field * After memo creation, link each attachment via PATCH /api/v1/attachments/{id} * Rewrite markdown image URLs to use /file/attachments/{id} pattern * Fix XSS: sanitize marked.parse output with a DOM-based allowlist sanitizer * Fix SSRF: validate img.src scheme (http/https only) before fetching * Fix stack overflow: use chunked base64 encoding for large images * Update CLAUDE.md to document new attachment flow
2026-03-18 17:55:04 +01:00
parent 42d9f336b1
commit 84b3dd69f1
11 changed files with 274 additions and 119 deletions
--- a/src/manifest.json
+++ b/src/manifest.json
@@ -15,14 +15,14 @@
    "default_popup": "popup.html",
    "default_icon": {
      "16": "icons/icon16.png",
-      "32": "icons/logo.svg",
+      "32": "icons/icon32.png",
      "48": "icons/icon48.png",
      "128": "icons/icon128.png"
    }
  },
  "icons": {
    "16": "icons/icon16.png",
-    "32": "icons/logo.svg",
+    "32": "icons/icon32.png",
    "48": "icons/icon48.png",
    "128": "icons/icon128.png"
  },