Security hardening: XSS, decompression bombs, and input validation #3

Draft
Copilot wants to merge 2 commits into master from copilot/security-review-main-branch

Conversation


Copilot AI commented Mar 14, 2026

Security audit identified several medium/low severity issues across the JS browser app and Python CLI. All pending items from Task 12 are resolved.

XSS — docs/app.js

setInfo() and setSourceFromCanvas() both injected user-controlled values (file names) via innerHTML. Replaced with safe DOM API calls so filenames are always plain text.

```js
// Before — XSS vector
// A file name such as <img src=x onerror=...> is parsed as markup here.
$('info-panel').innerHTML = parts.map(p => `<span>${p}</span>`).join('');

// After — safe
// textContent never interprets markup, so the name is rendered verbatim.
const panel = $('info-panel');
for (const p of parts) {
  const span = document.createElement('span');
  span.textContent = p;
  panel.appendChild(span);
}
```

Encoding consistency — docs/app.js

encodeIndices() had a sorted.length > 100 guard on the bitmap path that never existed in the Python encoder, causing the two implementations to disagree on encoding choice for small index sets. Guard removed.

Python decompression bomb — switching_compress.py

decompress() called zlib.decompress() unbounded. Added _safe_decompress() using decompressobj.decompress(data, max_length) capped at 256 MB (matching the JS-side limit already in place), aborting if unconsumed_tail is non-empty.

```python
import zlib

_MAX_DECOMP_SIZE = 256 * 1024 * 1024  # 256 MB, matching the JS-side limit


def _safe_decompress(data: bytes) -> bytes:
    dobj = zlib.decompressobj()
    # Ask for one byte more than the cap: an oversized stream yields that
    # extra byte and is rejected without the remainder ever being inflated.
    result = dobj.decompress(data, _MAX_DECOMP_SIZE + 1)
    if dobj.unconsumed_tail or len(result) > _MAX_DECOMP_SIZE:
        raise ValueError("Decompressed payload exceeds limit — possible decompression bomb")
    return result
```

Python input validation & types — switching_compress.py

  • compress() now raises ValueError early for layers < 1, dct_ratio ∉ (0, 1], max_iter < 1
  • target_psnr typed as Optional[float] instead of float = None; return types added to compress() and decompress()
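The bounded-inflate guard from the decompression-bomb section above, carried into a runnable demonstration (an added example, not code from this PR or the project). It uses decompressobj(), max_length and unconsumed_tail as the PR does, and adds an eof check for truncated streams that the PR's snippet does not include; safe_decompress, make_bomb and rejects are names chosen here, and a small constructed cap stands in for the 256 MB limit so the bomb case runs instantly.

```python
import zlib

# Default cap stated in the PR (256 MB); the demo below passes a tiny cap instead.
MAX_DECOMP_SIZE = 256 * 1024 * 1024


def safe_decompress(data: bytes, limit: int = MAX_DECOMP_SIZE) -> bytes:
    """Inflate `data`, refusing any stream that would exceed `limit` bytes."""
    dobj = zlib.decompressobj()
    # Request limit+1 bytes: a stream holding more than `limit` produces the
    # extra byte and trips the size check without inflating the remainder.
    result = dobj.decompress(data, limit + 1)
    if dobj.unconsumed_tail or len(result) > limit:
        raise ValueError("decompressed payload exceeds limit (possible decompression bomb)")
    # Added here beyond the PR snippet: a stream that never reaches its end
    # marker (truncated input or missing checksum) is rejected as well.
    if not dobj.eof:
        raise ValueError("truncated or malformed zlib stream")
    return result


def make_bomb(size: int) -> bytes:
    """Constructed sample: a run of zeros that inflates to `size` bytes."""
    return zlib.compress(b"\x00" * size, 9)


def rejects(data: bytes, limit: int) -> bool:
    """True when safe_decompress refuses `data` under `limit`."""
    try:
        safe_decompress(data, limit)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    limit = 1024
    print(len(safe_decompress(make_bomb(limit), limit)))  # 1024: exactly at the cap
    print(rejects(make_bomb(1 << 20), limit))             # True: 1 MiB from ~1 KiB
    print(rejects(make_bomb(limit)[:-3], limit))          # True: truncated stream
```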

… type annotations

Co-authored-by: ljack <3129138+ljack@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Conduct security review for quality improvements" to "Security hardening: XSS, decompression bombs, and input validation" on Mar 14, 2026
Copilot AI requested a review from ljack March 14, 2026 19:59