fix(kon): security audit fixes — CSP, XSS, unwraps, key rename

Security fixes from code audit:
- CSP re-enabled in tauri.conf.json with strict directives
  (was null — critical vulnerability)
- XSS fix in viewer highlightText(): HTML entities escaped before
  inserting <mark> tags via {@html}
- Removed 3 unwrap() calls in rule_based.rs British English conversion
  — replaced with safe let-else guards
- Removed unwrap() on main window lookup in lib.rs setup — now uses
  if-let for graceful handling
- Wrapped JSON.parse in DictationPage transcription-result listener
  with try/catch

Rebrand cleanup:
- Renamed all localStorage keys from ramble_* to kon_* across
  7 files (stores, viewer, float, history)

12 tests passing, clippy clean.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
jake
2026-03-16 22:51:47 +00:00
parent 904d5fdb95
commit c463293935
9 changed files with 52 additions and 35 deletions

View File

@@ -34,15 +34,17 @@ pub fn run() {
}
// Close-to-tray: hide window instead of exiting
let main_window = app.get_webview_window("main").unwrap();
let win = main_window.clone();
main_window.on_window_event(move |event| {
if let tauri::WindowEvent::CloseRequested { api, .. } = event
{
api.prevent_close();
let _ = win.hide();
}
});
if let Some(main_window) = app.get_webview_window("main") {
let win = main_window.clone();
main_window.on_window_event(move |event| {
if let tauri::WindowEvent::CloseRequested { api, .. } =
event
{
api.prevent_close();
let _ = win.hide();
}
});
}
Ok(())
})

View File

@@ -23,7 +23,7 @@
}
],
"security": {
"csp": null
"csp": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' asset: https://asset.localhost; connect-src ipc: http://ipc.localhost asset: https://asset.localhost http://localhost:* ws://localhost:*; media-src 'self' asset: https://asset.localhost"
}
},
"bundle": {