fix: address review findings — XSS, OOM, missing dep, error exposure

caiopizzol · caiopizzol · commit 28b16fb60cbc · 2026-03-10T18:05:40.000-03:00
- escHtml: escape quotes for attribute context (XSS prevention)
- /manifest: add LIMIT 100K to prevent OOM on large result sets
- classification: add missing sentencepiece dependency for xlm-roberta
- worker error handlers: return generic message instead of raw errors
diff --git a/apps/web/index.html b/apps/web/index.html
@@ -986,7 +986,7 @@ <h1>The largest classified corpus of Word documents</h1>
 
       function escHtml(s) {
         if (!s) return '';
-        return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+        return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;');
       }
 
       // ---------- preview ----------
diff --git a/apps/web/worker/src/index.ts b/apps/web/worker/src/index.ts
@@ -288,7 +288,7 @@ async function handleDocuments(url: URL, env: Env, origin: string): Promise<Resp
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
     console.error("handleDocuments error:", message);
-    return json({ error: message }, 500, origin);
+    return json({ error: "Internal server error" }, 500, origin);
   }
 }
 
@@ -299,11 +299,10 @@ const R2_BASE = "https://docxcorp.us/documents/";
 async function handleManifest(url: URL, env: Env, origin: string): Promise<Response> {
   try {
     const sql = neon(env.DATABASE_URL);
-    const { where, params } = buildFilters(url);
-
+    const { where, params, paramIndex } = buildFilters(url);
     const rows = await sql.query(
-      `SELECT id FROM documents WHERE ${where} ORDER BY id`,
-      params
+      `SELECT id FROM documents WHERE ${where} ORDER BY id LIMIT $${paramIndex}`,
+      [...params, 100000]
     ) as { id: string }[];
 
     const body = rows.map((r) => `${R2_BASE}${r.id}.docx`).join("\n") + "\n";
@@ -329,6 +328,6 @@ async function handleManifest(url: URL, env: Env, origin: string): Promise<Respo
   } catch (err) {
     const message = err instanceof Error ? err.message : String(err);
     console.error("handleManifest error:", message);
-    return json({ error: message }, 500, origin);
+    return json({ error: "Internal server error" }, 500, origin);
   }
 }
diff --git a/scripts/classification/pyproject.toml b/scripts/classification/pyproject.toml
@@ -15,4 +15,5 @@ dependencies = [
     "datasets>=3.0.0",
     "scikit-learn>=1.5.0",
     "accelerate>=1.0.0",
+    "sentencepiece>=0.1.99",
 ]

Original file line number	Diff line number	Diff line change
`@@ -986,7 +986,7 @@ <h1>The largest classified corpus of Word documents</h1>`
`986`	`986`
`987`	`987`	`function escHtml(s) {`
`988`	`988`	`if (!s) return '';`
`989`		`- return s.replace(/&/g, '&').replace(/</g, '<').replace(/>/g, '>');`
	`989`	`+ return s.replace(/&/g, '&').replace(/</g, '<').replace(/>/g, '>').replace(/"/g, '"').replace(/'/g, ''');`
`990`	`990`	`}`
`991`	`991`
`992`	`992`	`// ---------- preview ----------`
Original file line number	Diff line number	Diff line change
`@@ -15,4 +15,5 @@ dependencies = [`
`15`	`15`	`"datasets>=3.0.0",`
`16`	`16`	`"scikit-learn>=1.5.0",`
`17`	`17`	`"accelerate>=1.0.0",`
	`18`	`+ "sentencepiece>=0.1.99",`
`18`	`19`	`]`