Fix XSS vulnerability and improve error handling in manifest-import component#414
Merged
cubap merged 2 commits into iiif-import-direct on Feb 2, 2026
Conversation
Co-authored-by: cubap <1119165+cubap@users.noreply.github.com>
Copilot (AI) changed the title from "[WIP] Add IIIF import interface for direct project creation" to "Fix XSS vulnerability and improve error handling in manifest-import component" on Feb 2, 2026
cubap added a commit that referenced this pull request on Feb 2, 2026
* Add manifest import component and interface

  Introduce a new Manifest Import feature: adds a web component (components/manifest-import/index.js) that imports multiple IIIF manifests into TPEN, handles authentication, creates projects sequentially, and renders progress/results. Includes docs and support pages (IMPLEMENTATION.md, README.md, QUICKSTART.md), an examples page and interface (interfaces/manifest-import/index.html, examples.html, INDEX.md), and interface metadata (manifest.yml). Uses TPEN Services POST /project/import?createFrom=URL and integrates with TPEN auth/token handling.

* Update index.js

* Update components/manifest-import/index.js
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update components/manifest-import/index.js
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update components/manifest-import/index.js
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* [WIP] Update to address feedback on IIIF import PR (#407)
  * Initial plan
  * Fix URL format in INDEX.md to match permalink
    Co-authored-by: cubap <1119165+cubap@users.noreply.github.com>
  ---------
  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: cubap <1119165+cubap@users.noreply.github.com>

* Fix URL examples to use correct /import-manifest permalink (#408)
  * Initial plan
  * Fix URL examples to use /import-manifest path
    Co-authored-by: cubap <1119165+cubap@users.noreply.github.com>
  ---------
  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: cubap <1119165+cubap@users.noreply.github.com>

* [WIP] Address feedback on IIIF import direct pull request (#409)
  * Initial plan
  * Replace custom #escapeHtml with shared utility from /js/utils.js
    Co-authored-by: cubap <1119165+cubap@users.noreply.github.com>
  ---------
  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: cubap <1119165+cubap@users.noreply.github.com>

* [WIP] Address feedback from review on IIIF import (#410)
  * Initial plan
  * Fix /?manifest= to /import-manifest?manifest= across all documentation
    Co-authored-by: cubap <1119165+cubap@users.noreply.github.com>
  ---------
  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: cubap <1119165+cubap@users.noreply.github.com>

* [WIP] WIP Address feedback on IIIF import direct pull request (#411)
  * Initial plan
  * Add main element wrapper for improved accessibility
    Co-authored-by: cubap <1119165+cubap@users.noreply.github.com>
  ---------
  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: cubap <1119165+cubap@users.noreply.github.com>

* Fix XSS vulnerability and improve error handling in manifest-import component (#414)
  * Initial plan
  * Fix security and code quality issues in manifest-import component
    Co-authored-by: cubap <1119165+cubap@users.noreply.github.com>
  ---------
  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: cubap <1119165+cubap@users.noreply.github.com>

* last touches on pr

  Add component lifecycle and concurrency improvements for manifest import: introduce a CleanupRegistry to manage event handlers and call cleanup.run() on disconnect; attach TPEN authentication and wait for tpen-authenticated events, render a need-auth state when not authorized, and guard initialization with a #hasInitialized flag to avoid double-init. Rework #createProjects to perform imports with a worker pool and a concurrency limit (5) while preserving result order and collecting per-manifest errors. Also enhance loader markup with ARIA attributes for better accessibility.

---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: cubap <1119165+cubap@users.noreply.github.com>
Addresses critical security vulnerability and code quality issues in the manifest-import component identified in static review.
Changes
- error.message and error.manifestUrl before rendering to prevent XSS attacks from malicious query parameters or API responses
- getUserFromToken import
- disconnectedCallback() for proper component cleanup
Example
Before:
After:
CodeQL: 0 alerts
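As an added illustration of the kind of fix this PR describes, and not code from the TPEN repository or from this PR: an import error whose message (from an API response) and manifestUrl (from the ?manifest= query parameter) are interpolated raw into markup, beside the escaped form. The escapeHtml helper here is an assumption standing in for the project's shared utility in /js/utils.js, and the safeHref scheme check is an added hardening beyond escaping, since a javascript: URL placed in an href survives HTML escaping untouched.

```javascript
// Added example, not code from the TPEN project or this PR.
// An import error carries error.message (from an API response) and
// error.manifestUrl (from the ?manifest= query parameter); both are
// attacker-influenced, so neither may be interpolated into markup raw.

// Assumed helper; the project uses a shared escapeHtml from /js/utils.js instead.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed hardening beyond escaping: only http(s) URLs are allowed in href,
// because a javascript: URL would pass through HTML escaping unchanged.
function safeHref(url) {
  try {
    const { protocol } = new URL(String(url));
    if (protocol === 'http:' || protocol === 'https:') return escapeHtml(url);
  } catch (_) {
    // not an absolute URL; fall through to the inert value
  }
  return '#';
}

// Before: raw interpolation, the pattern this PR removes.
function renderErrorUnsafe(error) {
  return `<li class="error"><a href="${error.manifestUrl}">${error.manifestUrl}</a>: ${error.message}</li>`;
}

// After: every untrusted value is escaped, and the href is scheme-checked,
// on its way into the markup.
function renderErrorSafe(error) {
  const label = escapeHtml(error.manifestUrl);
  const href = safeHref(error.manifestUrl);
  return `<li class="error"><a href="${href}">${label}</a>: ${escapeHtml(error.message)}</li>`;
}

// Constructed sample: a manifest URL and an API message that both carry markup.
const sampleError = {
  manifestUrl: 'https://example.org/manifest.json"><img src=x onerror=alert(1)>',
  message: 'Import failed: <script>alert(1)</script>',
};
```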