Improve HTML generation robustness in build.sh #1220

@RinZ27

The current build.sh script uses direct string concatenation to construct public/index.html, incorporating data from Git tags and commit metadata. While the environment is managed by trusted editors, this approach is susceptible to HTML injection if malformed tags or commit messages are introduced into the build pipeline.

Adopting a more robust templating approach or ensuring proper escaping for HTML-sensitive characters would improve the long-term reliability and security of the specification's deployment process. I noticed this while reviewing the internal build tools for potential editorial improvements.
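
One way to apply the escaping the issue proposes, as an added example that is not part of the issue or of the project's build.sh. The helper names `html_escape` and `render_items`, the tab-separated `tag<TAB>subject` input format and the sample data are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: escape Git-derived values before writing them into HTML.
# html_escape, render_items and sample_input are hypothetical helpers;
# they are not taken from the project's build.sh.

# Escape the five HTML-sensitive characters. '&' is handled first so the
# entities produced by the later substitutions are not escaped again.
html_escape() {
  printf '%s' "$1" | sed \
    -e 's/&/\&amp;/g' \
    -e 's/</\&lt;/g' \
    -e 's/>/\&gt;/g' \
    -e 's/"/\&quot;/g' \
    -e "s/'/\&#39;/g"
}

# Read "tag<TAB>subject" lines on stdin and emit one <li> per line.
# Every Git-derived field is escaped; only the fixed markup is trusted.
# In a real build the input could come from (assumption):
#   git for-each-ref --format='%(refname:short)%09%(subject)' refs/tags
render_items() {
  while IFS="$(printf '\t')" read -r tag subject; do
    printf '<li><code>%s</code>: %s</li>\n' \
      "$(html_escape "$tag")" "$(html_escape "$subject")"
  done
}

# Constructed sample data: one ordinary tag and one whose name and commit
# subject contain HTML-sensitive characters.
sample_input() {
  printf '%s\t%s\n' 'v1.0' 'Initial release'
  printf '%s\t%s\n' 'v1.1<b>' "Fix \"quotes\" & <i>tags</i> in O'Brien example"
}

sample_input | render_items
```

The escaping covers element content and quoted attribute values; values placed in URLs, scripts or styles need context-specific encoding instead.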

Labels: 🐝 Process (Related to Governance, Tools, or other meta work)
