ddd857173b
- Path traversal: confine avatar file serving to avatar_dir (defaults to config file directory); validate on both read and write
- UDP owner injection: server-configured owner now takes precedence over UDP-supplied value, matching the documented intent
- Open redirect: reject non-relative next= values after login
- Stored XSS: enable Jinja2 autoescape on all template environments; add escHtml() helper in live.html and apply to all innerHTML sinks sourced from network data (host names, addrs, states, log messages)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>