webao/webAO/__tests__, branch master WebAO fork Remove safeTags, decodeChat, and prepChat 2026-06-06T03:09:27+00:00 Osmium Sorcerer os@sof.beauty 2026-06-03T11:23:33+00:00 fd75f3116aa30eb4958cc747f944f202ec69a484 Following the removal of innerHTML manipulation, we no longer need these sanitization functions. I've reviewed every safeTags call site to make sure the outputs don't end up anywhere unsafe, and malicious input can't malipulate DOM or execute code. These values either end up either as plain text (textContent, innerText, createTextNode, title, option) or as a URL path to request assets to the server (encoded using encodeURI). That is, if safeTags was even effective, considering all that function did was replace '<' and '>' symbols with Unicode lookalikes. Even the comment was suggesting the use of fundamentally safer functions instead of these hacks. Replace remaining uses of prepChat with unescapeChat as we still need to do the token substitution (like "<and>" to "&"). decodeChat was escaping Unicode sequences like \uXXXX, but I don't see the reason for this, AO2 Client doesn't have this feature, and considering WebSocket text frames are strictly UTF-8, we don't need these encodings. 
Following the removal of innerHTML manipulation, we no longer need these
sanitization functions.

I've reviewed every safeTags call site to make sure the outputs don't
end up anywhere unsafe, and malicious input can't malipulate DOM or
execute code. These values either end up either as plain text
(textContent, innerText, createTextNode, title, option) or as a URL
path to request assets to the server (encoded using encodeURI).

That is, if safeTags was even effective, considering all that function
did was replace '<' and '>' symbols with Unicode lookalikes. Even the
comment was suggesting the use of fundamentally safer functions instead
of these hacks.

Replace remaining uses of prepChat with unescapeChat as we still need
to do the token substitution (like "<and>" to "&"). decodeChat was
escaping Unicode sequences like \uXXXX, but I don't see the reason for
this, AO2 Client doesn't have this feature, and considering WebSocket
text frames are strictly UTF-8, we don't need these encodings.
Update dependencies and ECMAScript target 2026-06-06T03:09:27+00:00 Osmium Sorcerer os@sof.beauty 2026-04-06T14:48:43+00:00 31275da317fd58739974ac49c995bca2f7dbcc08 Fix relevant breaking changes. 
Fix relevant breaking changes.
deal with this properly 2026-01-01T15:56:17+00:00 stonedDiscord Tukz@gmx.de 2026-01-01T15:56:17+00:00 01ecb948edb015613e05bc2b6da4021137957745 






reorder
2026-01-01T15:46:44+00:00

stonedDiscord
Tukz@gmx.de

2026-01-01T15:46:44+00:00

70f8c13634f1ae13cdf52994c7b6c44a20398c02












try this
2026-01-01T15:44:28+00:00

stonedDiscord
Tukz@gmx.de

2026-01-01T15:44:28+00:00

b247ed9347921e395e34e5cf19085f529de4c307












weird ci fail
2026-01-01T15:41:27+00:00

stonedDiscord
Tukz@gmx.de

2026-01-01T15:41:27+00:00

56db8cc6d68748ecdd163c27d4cf7e5dfd8e295f












url
2026-01-01T15:37:47+00:00

stonedDiscord
Tukz@gmx.de

2026-01-01T15:37:47+00:00

3e17eb9e5695fdf64f125914ee60c26ac7d96d12












this is stupid to test in console
2026-01-01T15:34:27+00:00

stonedDiscord
Tukz@gmx.de

2026-01-01T15:34:27+00:00

6cac3d30e4c59c3b97935de747e4984189c1acf5












low memory test
2026-01-01T15:34:10+00:00

stonedDiscord
Tukz@gmx.de

2026-01-01T15:34:10+00:00

3ffcb40d20fb09cbe44f4da2d231889f2e06dc14












pass aoml test
2026-01-01T15:34:03+00:00

stonedDiscord
Tukz@gmx.de

2026-01-01T15:34:03+00:00

e7a7afa4527a2289ebbbad659048f4db368e9c4c