fix: address security and accessibility issues from code review

- Fix SSRF/path traversal vulnerability in proxy.py with strict URL validation
- Fix postMessage wildcard origin (now uses specific pyplots.ai origin)
- Add origin validation for postMessage in InteractivePage
- Add URL validation in useAnalytics to prevent injection
- Add aria-label to FilterBar search for accessibility
- Remove unused SpecAccordions.tsx (dead code)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: MarkusNeusinger

api/routers/proxy.py

@@ -1,5 +1,7 @@
 """HTML proxy endpoint for interactive plots with size reporting."""
 
+from urllib.parse import urlparse
+
 import httpx
 from fastapi import APIRouter, HTTPException
 from fastapi.responses import HTMLResponse
@@ -8,32 +10,37 @@
 router = APIRouter(tags=["proxy"])
 
 # Script injected to report content size to parent window
+# Uses specific origin (pyplots.ai) for postMessage security
 SIZE_REPORTER_SCRIPT = """
 <script>
 (function() {
   function reportSize() {
-    // Find the main content element (try common patterns for different libraries)
-    var content = document.querySelector(
-      '.bk-root, .vega-embed, .plotly, .chart-container, #container, .lp-plot, svg, canvas'
-    ) || document.body.firstElementChild || document.body;
-
-    // Get actual rendered size
-    var rect = content.getBoundingClientRect();
-    var width = Math.max(rect.width, content.scrollWidth || 0, document.body.scrollWidth || 0);
-    var height = Math.max(rect.height, content.scrollHeight || 0, document.body.scrollHeight || 0);
-
-    // Add padding to account for action buttons, toolbars, and other UI elements
-    var padding = 40;
-    width += padding;
-    height += padding;
-
-    // Send to parent
-    if (width > 0 && height > 0) {
-      window.parent.postMessage({
-        type: 'pyplots-size',
-        width: Math.ceil(width),
-        height: Math.ceil(height)
-      }, '*');
+    try {
+      // Find the main content element (try common patterns for different libraries)
+      var content = document.querySelector(
+        '.bk-root, .vega-embed, .plotly, .chart-container, #container, .lp-plot, svg, canvas'
+      ) || document.body.firstElementChild || document.body;
+
+      // Get actual rendered size
+      var rect = content.getBoundingClientRect();
+      var width = Math.max(rect.width, content.scrollWidth || 0, document.body.scrollWidth || 0);
+      var height = Math.max(rect.height, content.scrollHeight || 0, document.body.scrollHeight || 0);
+
+      // Add padding to account for action buttons, toolbars, and other UI elements
+      var padding = 40;
+      width += padding;
+      height += padding;
+
+      // Send to parent with specific origin for security
+      if (width > 0 && height > 0 && window.parent !== window) {
+        window.parent.postMessage({
+          type: 'pyplots-size',
+          width: Math.ceil(width),
+          height: Math.ceil(height)
+        }, 'https://pyplots.ai');
+      }
+    } catch (e) {
+      // Silently fail if postMessage is blocked
     }
   }
 
@@ -58,6 +65,30 @@
 ALLOWED_BUCKET = "pyplots-images"
 
 
+def validate_gcs_url(url: str) -> bool:
+    """Validate that URL is from allowed GCS bucket with no path traversal."""
+    try:
+        parsed = urlparse(url)
+        # Must be HTTPS
+        if parsed.scheme != "https":
+            return False
+        # Must be exact host (no subdomains)
+        if parsed.netloc != ALLOWED_HOST:
+            return False
+        # Path must start with bucket name and not contain traversal
+        path_parts = parsed.path.strip("/").split("/")
+        if len(path_parts) < 2:
+            return False
+        if path_parts[0] != ALLOWED_BUCKET:
+            return False
+        # Check for path traversal attempts
+        if ".." in parsed.path:
+            return False
+        return True
+    except Exception:
+        return False
+
+
 @router.get("/proxy/html", response_class=HTMLResponse)
 async def proxy_html(url: str):
     """
@@ -74,12 +105,12 @@ async def proxy_html(url: str):
     Returns:
         Modified HTML with size reporting script injected
     """
-    # Security: Only allow URLs from our GCS bucket
-    if not url.startswith(f"https://{ALLOWED_HOST}/{ALLOWED_BUCKET}/"):
+    # Security: Validate URL strictly to prevent SSRF and path traversal
+    if not validate_gcs_url(url):
         raise HTTPException(status_code=400, detail=f"Only URLs from {ALLOWED_HOST}/{ALLOWED_BUCKET} are allowed")
 
-    # Fetch the HTML
-    async with httpx.AsyncClient(timeout=30.0) as client:
+    # Fetch the HTML with shorter timeout
+    async with httpx.AsyncClient(timeout=10.0) as client:
         try:
             response = await client.get(url)
             response.raise_for_status()

app/src/components/FilterBar.tsx

@@ -490,6 +490,7 @@ export function FilterBar({
             inputRef={inputRef}
             id="filter-search"
             name="filter-search"
+            aria-label={selectedCategory ? `Search ${FILTER_LABELS[selectedCategory]}` : 'Search filters'}
             placeholder={selectedCategory ? FILTER_LABELS[selectedCategory] : ''}
             value={searchQuery}
             onChange={(e) => {