    fix: security hardening and architectural improvements for custom menu · e97c3766
    erio authored
    
    
    1. (Critical) Filter admin-only menu items from public API responses -
       both GetPublicSettings handler and GetPublicSettingsForInjection now
       exclude visibility=admin items, preventing unauthorized access to
       admin menu URLs.
    
    2. (Medium) Validate JSON array structure in sanitizeCustomMenuItemsJSON -
       use json.Unmarshal into []json.RawMessage instead of json.Valid to
       reject non-array JSON values that would cause frontend runtime errors.
    
    3. (Medium) Decouple router from business JSON parsing - move origin
       extraction logic from router.go to SettingService.GetFrameSrcOrigins,
       eliminating direct JSON parsing of custom_menu_items in the routing
       layer.
    
    4. (Low) Restrict custom menu item ID charset to [a-zA-Z0-9_-] via
       regex validation, preventing route-breaking characters like / ? # or
       spaces.
    
    5. (Low) Handle crypto/rand error in generateMenuItemID - return error
       instead of silently ignoring, preventing potential duplicate IDs.
    
    Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
settings.go 8.45 KB
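The validation described in items 2, 4 and 5 of the commit message, written out as an added Go example that is not the project's own code: the MenuItem shape, the function signatures, the error messages and the 8-byte hex ID format are assumptions, while the function names follow the commit message. It also covers one case the message does not mention: a bare JSON `null` unmarshals into a nil slice without an error, so it has to be rejected explicitly.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
	"regexp"
)

// Constructed item shape for this example; the project's real struct may differ.
type MenuItem struct {
	ID string `json:"id"`
}

// Route-safe ID charset; anything else (/ ? # space) is rejected.
var menuItemIDPattern = regexp.MustCompile(`^[a-zA-Z0-9_-]+$`)

// ValidateCustomMenuItemsJSON decodes into []json.RawMessage so that well-formed
// non-array documents, which json.Valid would accept, are rejected, then checks IDs.
func ValidateCustomMenuItemsJSON(raw string) ([]MenuItem, error) {
	var elems []json.RawMessage
	if err := json.Unmarshal([]byte(raw), &elems); err != nil || elems == nil { // null decodes to a nil slice
		return nil, fmt.Errorf("custom_menu_items must be a non-null JSON array")
	}
	items := make([]MenuItem, 0, len(elems))
	for i, el := range elems {
		var it MenuItem
		if err := json.Unmarshal(el, &it); err != nil {
			return nil, fmt.Errorf("item %d: %w", i, err)
		}
		if !menuItemIDPattern.MatchString(it.ID) {
			return nil, fmt.Errorf("item %d: id %q outside [a-zA-Z0-9_-]", i, it.ID)
		}
		items = append(items, it)
	}
	return items, nil
}

// GenerateMenuItemID reports a crypto/rand failure instead of returning a zeroed, repeatable ID.
func GenerateMenuItemID() (string, error) {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("generate menu item id: %w", err)
	}
	return fmt.Sprintf("%x", b), nil
}

func main() {
	fmt.Println(ValidateCustomMenuItemsJSON(`{"id":"docs"}`)) // an object, not an array
}
```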