fix: allow inline scripts in CSP for singlefile build, add input size guard

bakerboy448 · bakerboy448 · commit 1315ae59a954 · 2026-02-28T11:43:40.000-06:00
vite-plugin-singlefile inlines JS into the HTML, so script-src 'self'
blocks the app from running. Added 'unsafe-inline' to script-src
(acceptable given zero innerHTML usage and no injection vectors).
Added 512 KB input size limit to prevent browser freezes from
oversized YAML input.
diff --git a/index.html b/index.html
@@ -4,7 +4,7 @@
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="Content-Security-Policy"
-        content="default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; base-uri 'none'">
+        content="default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self'; base-uri 'none'">
   <title>Docker Compose Sanitizer</title>
   <style>
     :root {
diff --git a/src/main.ts b/src/main.ts
@@ -8,6 +8,8 @@ import { loadConfig, saveConfig, resetConfig, compileConfig, type SanitizerConfi
 import { copyToClipboard, openPrivateBin, openGist } from './clipboard'
 import { createShortNotice, createPiiWarning, createFullDisclaimer } from './disclaimer'
 
+const MAX_INPUT_BYTES = 512 * 1024
+
 function el<K extends keyof HTMLElementTagNameMap>(
   tag: K,
   attrs?: Record<string, string>,
@@ -270,6 +272,17 @@ function init(): void {
       return
     }
 
+    if (new Blob([raw]).size > MAX_INPUT_BYTES) {
+      errorDiv.textContent = 'Input too large. Maximum 512 KB.'
+      errorDiv.classList.remove('hidden')
+      output.classList.add('hidden')
+      piiWarning.classList.add('hidden')
+      actions.classList.add('hidden')
+      statsDiv.classList.add('hidden')
+      advisoriesDiv.replaceChildren()
+      return
+    }
+
     sanitizeBtn.disabled = true
     sanitizeBtn.textContent = 'Sanitizing...'
 
