Security context

What an agent needs to avoid regressing past fixes and find the next vuln in this repo.

oasisprotocol/oasis-wallet-web
master @ 28d695d
13
Fixes
0
CVEs
HIGH
Peak severity
Highlights
Information Disclosure: 4 prior fixes. Scrutinize any change in this area.
src/app/pages/StakingPage/Features/ValidatorMediaInfo/index.tsx: most-fixed (3 issues). Treat as high-risk during review.
1 high-severity fix in this history; regressions here are high-impact.
Recurring patterns

The bug types that recur here, drawn from past fixes, not open vulnerabilities.

Information Disclosure: Sensitive credentials (mnemonic phrases and private keys) were vulnerable to leaking through automated browser mechanisms including local autocomplete history, spelling suggestion APIs, and cloud spellcheck services. This was mitigated by explicitly disabling spellcheck, autocorrect, and autocomplete on key input fields.
DOM-based XSS: Validator-controlled metadata links were rendered without safe protocol enforcement, allowing potential javascript: URI injection and DOM XSS. This required enforcing strict validation using the valid-url library to permit only HTTP/HTTPS protocols.
Information Disclosure: Automated translation widgets (such as Google Translate) can automatically parse and transmit plaintext mnemonics rendered on-screen to third-party translation servers, necessitating explicit suppression of translation features on security-sensitive components.