mirror of
https://github.com/actualbudget/actual.git
synced 2026-03-22 00:13:45 -05:00
Remove ~210 lines of overly thorough font validation (MIME type allowlists, base64 encoding checks, format hint validation, @font-face property allowlists, font-family name regex) and replace with a single function that enforces the actual security goal: rejecting non-data: URIs to prevent external resource loading. Size limits for DoS prevention are preserved.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
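The single check the commit message describes, as an added TypeScript example that is not code from actualbudget/actual: every url() in a custom font's src must be a data: URI, and a size cap stays in place. The function names, the url() extraction and the cap value are assumptions.

```typescript
// Added example, not code from actualbudget/actual: the one check the
// commit message describes. A custom font is accepted only if every url()
// in its @font-face src is a data: URI, plus a size cap against DoS.
// Function names and the cap below are assumptions, not the project's.

const MAX_FONT_SRC_CHARS = 2 * 1024 * 1024; // assumed cap on the data: URI text

type FontCheck = { ok: true } | { ok: false; reason: string };

// Normalise the way the WHATWG URL parser does before it reads the scheme:
// drop ASCII tab/newline anywhere and leading/trailing C0 controls/spaces,
// so "\n  dATa:" and "ht\ntps://x" are judged as the browser would judge them.
function normaliseUrl(raw: string): string {
  return raw
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '');
}

// The one security goal: anything that is not a data: URI (http:, https:,
// file:, blob:, protocol-relative or bare paths) could make the browser load
// an external resource, so it is rejected regardless of MIME type or format.
function checkFontSource(src: string): FontCheck {
  const url = normaliseUrl(src);
  if (!/^data:/i.test(url)) {
    return { ok: false, reason: `font src must be a data: URI, got "${url.slice(0, 16)}"` };
  }
  if (url.length > MAX_FONT_SRC_CHARS) {
    return { ok: false, reason: 'font data exceeds size limit' };
  }
  return { ok: true };
}

// Apply the check to every url() in a @font-face src descriptor, e.g.
// `url("data:font/woff2;base64,...") format("woff2"), url(evil.woff)`.
// A src with no url() at all (for example only local()) is rejected too.
function checkFontFaceSrc(srcValue: string): FontCheck {
  const urlRe = /url\(\s*(["']?)([^"')]*)\1\s*\)/gi;
  let m: RegExpExecArray | null;
  let count = 0;
  while ((m = urlRe.exec(srcValue)) !== null) {
    count++;
    const result = checkFontSource(m[2]);
    if (!result.ok) return result;
  }
  return count > 0 ? { ok: true } : { ok: false, reason: 'no url() in src' };
}
```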