Daniel Maksymilian Syrnicki
e8ed224eea
Slice 2 of the on-box UI uplevel. The resource-manager API already returned the icon filename in each manifest summary, but the /apps page never rendered it — and there was no endpoint to fetch the file either. This inlines the SVG content directly into the JSON response (one round-trip, Doherty Threshold) and injects it into each app card's new icon slot on the left. _read_icon_svg defends against the obvious SVG-XSS vectors (script tags, on* handlers, javascript: URLs) and rejects anything over 16 KB. The trust model stays what it was — bundled apps are built into the ISO, the install API has no auth — but the filter keeps accidents from becoming exploits if an icon gets swapped upstream. /apps now shows a generic folder fallback for any app without a parseable icon.svg; slice 3 ships the real fileshare artwork. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| __init__.py | ||
| api.py | ||
| cli.py | ||
| dockerops.py | ||
| installer.py | ||
| manifest.py | ||
| paths.py | ||
| reconciler.py | ||
| scanner.py | ||