@firedesktop/react-base 2.1.25 → 3.0.1

package/docs/SECURITY_AUDIT_2026-02-05.md

@@ -0,0 +1,468 @@
+# Security Audit Report
+
+## @firedesktop/react-base v2.1.25
+
+**Audit Date**: 2026-02-05
+**Scope**: Full static analysis of `src/lib/` (27 source files), `package.json`, `tsconfig.json`, `.eslintrc`, `.npmignore`
+**Method**: Manual source code review + `npm audit`
+**Findings**: 0 Critical, 2 High, 5 Medium, 5 Low, 4 Info (16 total)
+**Remediated**: 9 of 16 findings fixed, 2 accepted risk (SEC-014, SEC-015)
+
+---
+
+## Executive Summary
+
+No remote code execution or direct injection vulnerabilities were found. The codebase avoids `dangerouslySetInnerHTML`, `eval()`, `new Function()`, `innerHTML`, and `document.write()` entirely. `npm audit` reports zero known dependency vulnerabilities. All HIGH-severity issues have been remediated: XSS through Syncfusion's Toast HTML rendering (SEC-001, fixed with HTML entity escaping) and prototype pollution via `lodash.merge()` (SEC-002, fixed with `safeMerge()` and lodash removal). Three MEDIUM-severity issues were also fixed: missing HTTP response validation (SEC-004), excessive production logging (SEC-005, replaced with opt-in Logger), and unvalidated JSON dispatched to Redux (SEC-007). Four additional fixes addressed silent error swallowing (SEC-011, Logger warnings added), missing Content-Type validation (SEC-012), TypeScript strict mode (SEC-013, `strict: true` enabled), and unchecked DOM null references (SEC-016, null guards added). Two INFO findings (SEC-014 source maps, SEC-015 TypeScript source in package) were marked as accepted risk: this is an internal company package and consumers require these assets for debugging and IDE navigation. Remaining 5 open findings span credentials configuration (SEC-003), non-standard authentication headers (SEC-006), path/language input validation (SEC-008), ReDoS in URL regex (SEC-009), and `encodeURI` misuse (SEC-010).
+
+---
+
+## HIGH Severity
+
+### SEC-001 -- Potential XSS via Syncfusion Toast HTML Content Rendering -- FIXED
+
+**File**: `src/lib/components/Toaster/Toaster.tsx:26,29,33,35`
+**Category**: Cross-Site Scripting (XSS)
+**CVSS**: 7.1
+**Status**: FIXED
+
+Syncfusion's `ToastComponent.show()` renders the `content` and `title` properties as HTML by default. The `propertiesObject.content` and `propertiesObject.title` values were passed directly from consumer code without sanitization.
+
+```typescript
+// Toaster.tsx:26 (before fix)
+toastObj.current.show({
+    title: propertiesObject.title,
+    content: propertiesObject.content ?? '',
+    cssClass: 'e-toast-info',
+    icon: 'e-info toast-icons'
+});
+```
+
+If a consumer application passes user-controlled data (e.g., error messages containing user input), payloads like `<img src=x onerror=alert(1)>` would execute in the user's browser context.
+
+**Applied Fix**: Added an `escapeHtml()` function that replaces `&`, `<`, `>`, `"`, and `'` with their HTML entity equivalents. Both `title` and `content` are sanitized through this function before being passed to all `.show()` calls. This is a zero-dependency solution that neutralizes HTML injection without requiring DOMPurify.
+
+---
+
+### SEC-002 -- Prototype Pollution via `lodash.merge()` on Untrusted Server Response -- FIXED
+
+**File**: `src/lib/utils/labels/LanguageLoader.tsx:47`
+**Category**: Prototype Pollution
+**CVSS**: 7.3
+**Status**: FIXED
+
+`_.merge()` deep-merged two objects where both originate from server-fetched JSON. A compromised or MITM'd response containing `{"__proto__": {"polluted": true}}` could modify `Object.prototype` for the entire application.
+
+```typescript
+// LanguageLoader.tsx:47 (before fix)
+const merged = _.merge(allLabels, response);
+```
+
+Additionally, `lodash` was listed as a `devDependency` (package.json:31), not a runtime dependency. The compiled output still imported lodash, but the version used at runtime depended on whatever the consumer had installed.
+
+**Applied Fix**: Removed the `lodash` import entirely from `LanguageLoader.tsx` and replaced `_.merge()` with a custom `safeMerge()` function. The function performs recursive deep merge while explicitly skipping keys in `__proto__`, `constructor`, and `prototype` (via a `BLOCKED_KEYS` Set). This eliminates both the prototype pollution vector and the lodash runtime dependency from the library. The lodash dependency classification issue is now moot since lodash is no longer used in any published source file.
+
+---
+
+## MEDIUM Severity
+
+### SEC-003 -- Credentials Sent Cross-Origin via Hardcoded `credentials: 'include'`
+
+**File**: `src/lib/utils/fetch/fetchWrapper.ts:98-100`
+**Category**: Session Security
+**CVSS**: 5.3
+
+`credentials: 'include'` is hardcoded for every request and cannot be overridden by consumers. Combined with `mode: 'cors'`, cookies are sent to any URL passed to the FetchWrapper, including potential third-party origins.
+
+```typescript
+// fetchWrapper.ts:95-103
+const requestInit = {
+    body,
+    method: method,
+    mode: 'cors',
+    cache: 'no-cache',
+    credentials: 'include',
+    headers,
+    signal: abortController.signal
+} as RequestInit;
+```
+
+If a consuming application constructs a URL from user input and passes it to FetchWrapper, session cookies leak cross-origin.
+
+**Fix**: Default to `credentials: 'same-origin'`. Allow callers to override to `'include'` via a parameter when explicitly needed.
+
+---
+
+### SEC-004 -- Missing HTTP Response Status Validation in ConfigurationManager and LanguageManager -- FIXED
+
+**Files**:
+- `src/lib/utils/configuration/ConfigurationManager.ts:5-14`
+- `src/lib/utils/labels/LanguageManager.ts:3-13`
+
+**Category**: Insecure HTTP Handling
+**CVSS**: 5.3
+**Status**: FIXED
+
+Both manager functions called `fetch()` then immediately called `res.json()` without checking `res.ok` or `res.status`. Error responses (404, 500) with JSON bodies were silently treated as valid configuration/labels. Non-JSON error pages caused a parse exception caught by the silent catch block.
+
+```typescript
+// ConfigurationManager.ts:5-14 (before fix)
+const res = await fetch(fullPath, {
+    headers: { ... }
+});
+return await res.json();  // no res.ok check
+```
+
+Note: The FetchWrapper (`fetchWrapper.ts:113`) does check response status correctly. The issue was isolated to the two manager utility functions that use raw `fetch()`.
+
+**Applied Fix**: Added `if (!res.ok) throw new Error(`Configuration load failed: HTTP ${res.status}`)` in `ConfigurationManager.ts` and the equivalent `Labels load failed` check in `LanguageManager.ts`, both placed immediately after the `fetch()` call and before `res.json()`. Non-2xx responses now throw descriptive errors instead of being silently parsed.
+
+---
+
+### SEC-005 -- Excessive Console Logging in Published Library Code -- FIXED
+
+**Files**: 7 files, 25+ occurrences
+**Category**: Information Leakage
+**CVSS**: 4.3
+**Status**: FIXED
+
+The published library contained `console.log`, `console.warn`, and `console.error` calls that output internal file paths, full response payloads, and fetch URLs to the browser console in production.
+
+Key examples:
+```typescript
+// ConfigurationManager.ts:27 -- logged full configuration response object (before fix)
+console.log(`Loaded Configuration for this Site in this path: ${fullPath}`, response);
+
+// LanguageLoader.tsx:37 -- logged full label data (before fix)
+console.log(`Loaded Base Language Labels...`, allLabels);
+
+// fetchWrapper.ts:122 -- logged URL and full error object (before fix)
+console.warn(`Error on fetch url: ${url}`, error);
+```
+
+**Affected files**: `ConfigurationLoader.tsx` (3), `ConfigurationReturner.tsx` (3), `ConfigurationManager.ts` (4), `LanguageLoader.tsx` (7), `LanguageReturner.tsx` (3), `LanguageManager.ts` (4), `fetchWrapper.ts` (1).
+
+**Applied Fix**: Created a centralized `Logger` utility (`src/lib/utils/Logger.ts`) that is disabled by default and produces zero console output unless explicitly enabled by the consumer via `Logger.enableDebug(true)`. Replaced all 25 `console.log/warn/error` calls across all 7 affected files with `Logger.debug/warn/error`. All messages are prefixed with `[react-base]` for easy filtering. The Logger is exported at the top level so consumers can opt in during development. See [LOGGER.md](LOGGER.md) for the full API reference.
+
+---
+
+### SEC-006 -- Custom SessionToken Header Bypasses Browser Security Mechanisms
+
+**File**: `src/lib/utils/fetch/fetchWrapper.ts:70-73`
+**Category**: Authentication
+**CVSS**: 5.0
+
+The authentication token is sent via a custom `SessionToken` header instead of the standard `Authorization: Bearer` scheme. The code contains a comment acknowledging this deviation.
+
+```typescript
+// fetchWrapper.ts:70-73
+if (token)
+    headers.append('SessionToken', token);
+// This should be the right way, but here we use SessionToken
+// headers.append('Authorization', 'Bearer ' + token);
+```
+
+The standard `Authorization` header is automatically stripped by browsers on cross-origin redirects (per Fetch spec). Custom headers like `SessionToken` are not, meaning tokens can leak if a request is redirected to a different origin. Security tools (WAFs, proxies, audit logs) also do not recognize custom headers as authentication credentials.
+
+**Fix**: Migrate to `Authorization: Bearer <token>`. If the backend requires `SessionToken`, document the security implications and ensure the backend does not issue cross-origin redirects.
+
+---
+
+### SEC-007 -- Unvalidated JSON Responses Dispatched to Redux Store -- FIXED
+
+**Files**:
+- `src/lib/utils/configuration/ConfigurationLoader.tsx:26`
+- `src/lib/utils/configuration/ConfigurationManager.ts:28`
+- `src/lib/utils/labels/LanguageLoader.tsx:47-48`
+- `src/lib/utils/labels/LanguageManager.ts:27`
+
+**Category**: Insecure Deserialization
+**CVSS**: 4.3
+**Status**: FIXED
+
+JSON responses from configuration and label endpoints were parsed and dispatched directly to the Redux store without schema validation. A compromised server or MITM attack could inject arbitrary data structures into application state.
+
+```typescript
+// ConfigurationLoader.tsx:26 (before fix)
+dispatch(updateAppState('configuration', response));
+
+// LanguageLoader.tsx:47-48 (before fix)
+const merged = _.merge(allLabels, response);
+dispatch(updateAppState('labels', merged));
+```
+
+**Applied Fix**: Added plain object validation in `ConfigurationManager.ts` and `LanguageManager.ts` immediately after `res.json()`. The check rejects `null`, `undefined`, primitives, and arrays -- only plain objects (`typeof data === 'object' && !Array.isArray(data)`) are accepted and returned. Invalid responses throw a descriptive error (e.g., `Configuration response is not a valid JSON object`). This prevents non-object payloads from reaching the Redux store.
+
+---
+
+## LOW Severity
+
+### SEC-008 -- No Input Validation on Path and Language Parameters
+
+**Files**:
+- `src/lib/utils/labels/LanguageLoader.tsx:20-26`
+- `src/lib/utils/labels/LanguageReturner.tsx:18`
+- `src/lib/utils/configuration/ConfigurationLoader.tsx:16-18`
+- `src/lib/utils/configuration/ConfigurationReturner.tsx:17`
+
+**Category**: Path Traversal / Input Validation
+**CVSS**: 3.5
+
+The `language` and `path` props are interpolated directly into fetch URLs without validation.
+
+```typescript
+// LanguageLoader.tsx:20-26
+const fileName = `${language}.json`;
+let fullPath = `./labels/${fileName}?${avoidCache}`;
+if (path)
+    fullPath = `./${path}/${fileName}?${avoidCache}`;
+
+// ConfigurationLoader.tsx:16-18
+let fullPath = '/configuration/config.json';
+if (path)
+    fullPath = path;  // completely replaces default, no validation
+```
+
+If consumer code passes user-controlled values (e.g., from URL query parameters), `../../` sequences or absolute URLs could force the app to fetch arbitrary JSON.
+
+**Fix**: Validate `language` against an allowlist of supported locale codes. Validate `path` to reject `..`, absolute URLs, and protocol prefixes.
+
+---
+
+### SEC-009 -- ReDoS Risk in URL Validation Regex
+
+**File**: `src/lib/utils/UrlUtils.ts:3-8`
+**Category**: Denial of Service (ReDoS)
+**CVSS**: 3.7
+
+The URL validation regex contains nested quantifiers in the domain section.
+
+```typescript
+// UrlUtils.ts:3-8
+var pattern = new RegExp('^(https?:\\/\\/)?' +
+    '((([a-z\\d]([a-z\\d-]*[a-z\\d])*)\\.)+[a-z]{2,}|' +  // nested quantifier
+    '((\\d{1,3}\\.){3}\\d{1,3}))' +
+    '(\\:\\d+)?(\\/[-a-z\\d%_.~+]*)*' +
+    '(\\?[;&a-z\\d%_.~+=-]*)?' +
+    '(\\#[-a-z\\d_]*)?$', 'i');
+```
+
+The pattern `([a-z\d-]*[a-z\d])*` in the domain section creates ambiguity: both `[a-z\d-]*` and `[a-z\d]` match the same characters (minus hyphen), allowing exponential partitioning on crafted non-matching input. The `.` delimiter between domain labels limits but does not eliminate the attack. The path section is safe due to `/` delimiters.
+
+**Fix**: Replace with the `URL` constructor: `try { new URL(value); return true; } catch { return false; }`.
+
+---
+
+### SEC-010 -- `encodeURI` Applied to Full URL Instead of Components
+
+**File**: `src/lib/utils/fetch/fetchWrapper.ts:110`
+**Category**: URL Injection
+**CVSS**: 3.1
+
+```typescript
+// fetchWrapper.ts:110
+return await fetch(encodeURI(url), requestInit)
+```
+
+`encodeURI()` does not encode `#`, `?`, `&`, `=`, `/`. User-controlled path segments embedded in the URL could inject query parameters or fragment identifiers.
+
+**Fix**: Remove `encodeURI()` from the full URL. Ensure callers encode individual path segments and query values with `encodeURIComponent()`, or provide a URL builder utility.
+
+---
+
+### SEC-011 -- Silent Error Swallowing in Utility Functions -- FIXED
+
+**Files**:
+- `src/lib/utils/CurrencyUtiles.ts:19,38` -- empty `catch (err) { }`
+- `src/lib/utils/DateUtils.ts:20,66,77,100,121` -- empty `catch (err) { }`
+- `src/lib/utils/configuration/ConfigurationManager.ts:16-18`
+- `src/lib/utils/labels/LanguageManager.ts:15-17`
+
+**Category**: Error Handling
+**CVSS**: 2.5
+**Status**: FIXED
+
+Empty catch blocks silently discarded exceptions. In CurrencyUtiles and DateUtils, 7 catch blocks returned empty strings or undefined without any indication of failure. In the managers, errors during fetch were logged but the actual error object was discarded. In LanguageManager, the `getLabel` catch was completely silent.
+
+```typescript
+// CurrencyUtiles.ts:19 (before fix)
+} catch (err) { }
+return '';
+
+// DateUtils.ts:66 (before fix)
+} catch (err) { }
+return '';
+```
+
+**Applied Fix**: Added `Logger.warn` calls with descriptive messages and the error object to all 7 empty catch blocks in `CurrencyUtiles.ts` (2) and `DateUtils.ts` (5). Each log identifies the function that failed (e.g., `DateUtils: dateToString failed`). In `ConfigurationManager.ts` and `LanguageManager.ts`, updated existing Logger calls to include the `err` object as a second argument. Added a `Logger.warn` call to `LanguageManager.getLabel`'s previously silent catch. All errors are now visible when debug logging is enabled via `Logger.enableDebug(true)`.
+
+---
+
+### SEC-012 -- No Content-Type Validation on Fetch Responses -- FIXED
+
+**File**: `src/lib/utils/fetch/fetchWrapper.ts:116`
+**Category**: Response Validation
+**CVSS**: 2.5
+**Status**: FIXED
+
+Response `Content-Type` was not validated before calling `.json()` or `.blob()`. If the server returned an HTML error page with status 200, the `.json()` call threw a generic `SyntaxError` parse error.
+
+```typescript
+// fetchWrapper.ts:116 (before fix)
+return isBlobInReturn ? response.blob() : response.json();
+```
+
+**Applied Fix**: Split the ternary into separate branches. For JSON responses, the `Content-Type` header is now checked for `application/json` before calling `.json()`. If the header is missing or does not match, a descriptive `Error` is thrown (`Expected JSON response but received Content-Type: ...`). Blob responses are unaffected since `.blob()` accepts any content type.
+
+---
+
+## INFO
+
+### SEC-013 -- TypeScript Strict Mode Disabled -- FIXED
+
+**File**: `tsconfig.json:25`
+**CVSS**: N/A
+**Status**: FIXED
+
+`"strict": false` disabled `strictNullChecks`, `noImplicitAny`, `strictFunctionTypes`, and related safety checks. Combined with 32+ explicit `any` annotations across the codebase (e.g., `state: any`, `response: any`, `error: any`, `params?: Blob | any`), this weakened the type system's ability to catch null dereferences and type confusion bugs at compile time.
+
+**Applied Fix**: Changed `"strict": false` to `"strict": true` in `tsconfig.json`, enabling `strictNullChecks`, `noImplicitAny`, `strictFunctionTypes`, `strictBindCallApply`, `strictPropertyInitialization`, `noImplicitThis`, `alwaysStrict`, and `useUnknownInCatchVariables`. Fixed 4 compilation errors: typed empty array literals in `AppPagination.tsx` (`number[]`) and `FileUtils.ts` (`Uint8Array[]`), guarded optional `url` parameter in `UrlUtils.ts`, and changed `body` variable type to `BodyInit | undefined` in `fetchWrapper.ts`. The 32+ existing explicit `any` annotations compile without error under `noImplicitAny` since they are already explicitly typed. Replacing those with proper types is recommended as a future improvement but is not a compilation blocker.
+
+---
+
+### SEC-014 -- Source Maps Included in Published npm Package -- ACCEPTED RISK
+
+**File**: `tsconfig.json:24`
+**CVSS**: N/A
+**Status**: Accepted Risk
+
+`"sourceMap": true` generates `.js.map` files in `dist/`. The `.npmignore` does not exclude map files, so they are published. Despite `"removeComments": true`, source maps allow reconstruction of the original TypeScript source, exposing internal structure and variable names.
+
+**Decision**: Accepted as intentional. This is an internal company package (`@firedesktop/react-base`) consumed by company developers. Source maps are required by consumers to debug through the library code in browser DevTools during development. The information exposure risk is negligible for an internal package with no untrusted consumers.
+
+---
+
+### SEC-015 -- TypeScript Source Code Included in Published npm Package -- ACCEPTED RISK
+
+**File**: `.npmignore`, `package.json`
+**CVSS**: N/A
+**Status**: Accepted Risk
+
+The `.npmignore` excludes specific demo files but does not exclude the `src/lib/` directory. There is no `"files"` field in `package.json` to whitelist published content. The original TypeScript source is published alongside compiled output.
+
+```
+# .npmignore -- only excludes demo files:
+/.vscode
+/public
+/src/App.test.tsx
+/src/App.tsx
+/src/index.tsx
+...
+# src/lib/ is NOT excluded
+```
+
+**Decision**: Accepted as intentional. Publishing TypeScript source allows consumer developers to navigate to original definitions in their IDEs ("Go to Definition") and understand the library internals when debugging. Since all consumers are internal company projects, the exposure risk does not apply.
+
+---
+
+### SEC-016 -- Unchecked DOM Null References in Spin Component -- FIXED
+
+**File**: `src/lib/components/Spin.tsx:16,22,24`
+**CVSS**: N/A
+**Status**: FIXED
+
+`document.getElementById(targetId)` was cast to `HTMLElement` without a null check. If `targetId` didn't exist in the DOM, the cast lied about the null value and Syncfusion's `createSpinner`/`showSpinner`/`hideSpinner` threw runtime errors.
+
+```typescript
+// Spin.tsx:16 (before fix)
+createSpinner({
+    target: document.getElementById(targetId) as HTMLElement
+});
+// Spin.tsx:22 (before fix)
+showSpinner(document.getElementById(targetId) as HTMLElement);
+```
+
+**Applied Fix**: Replaced all three `as HTMLElement` casts with proper null guards. In the `useEffect`, the element is looked up and an early `return` is used if null. In the render body, `showSpinner`/`hideSpinner` are only called when the element exists. Removed all unsafe type assertions.
+
+---
+
+## Positive Findings
+
+These security-positive patterns should be maintained:
+
+1. **No `dangerouslySetInnerHTML`** -- Zero usage across all components
+2. **No `eval()` or `new Function()`** -- No dynamic code execution
+3. **No `document.write()` or `innerHTML`** -- No unsafe DOM content insertion
+4. **No localStorage/sessionStorage for tokens** -- Session tokens not persisted in browser storage
+5. **Cache-busting headers** -- `Cache-Control: no-cache, no-store, must-revalidate` applied consistently in FetchWrapper and managers
+6. **`X-Content-Type-Options: nosniff`** -- Set in FetchWrapper and ConfigurationManager headers
+7. **AbortController timeout** -- FetchWrapper implements configurable request timeouts (default 60s)
+8. **FetchWrapper response validation** -- `fetchWrapper.ts:113` correctly checks `response.status < 200 || response.status >= 300`
+9. **Zero npm audit vulnerabilities** -- `npm audit` reports 0 known vulnerabilities
+10. **lodash removed from library** -- `lodash.merge()` replaced with safe custom merge; lodash is no longer imported in any published source file
+11. **React JSX rendering** -- Components use JSX which auto-escapes interpolated strings
+12. **Type-safe component props** -- Union type literals for `Toaster_Type`, `AppInputType_Type`, and `AppIcon` `name` prop
+
+---
+
+## Summary Table
+
+| ID | Severity | Category | File(s) | CVSS | Status |
+|----|----------|----------|---------|------|--------|
+| SEC-001 | HIGH | XSS | Toaster.tsx | 7.1 | FIXED |
+| SEC-002 | HIGH | Prototype Pollution | LanguageLoader.tsx | 7.3 | FIXED |
+| SEC-003 | MEDIUM | Session Security | fetchWrapper.ts | 5.3 | Open |
+| SEC-004 | MEDIUM | HTTP Handling | ConfigurationManager.ts, LanguageManager.ts | 5.3 | FIXED |
+| SEC-005 | MEDIUM | Information Leakage | 7 files (25+ occurrences) | 4.3 | FIXED |
+| SEC-006 | MEDIUM | Authentication | fetchWrapper.ts | 5.0 | Open |
+| SEC-007 | MEDIUM | Deserialization | ConfigurationLoader.tsx, LanguageLoader.tsx + 2 | 4.3 | FIXED |
+| SEC-008 | LOW | Path Traversal | LanguageLoader.tsx, ConfigurationLoader.tsx + 2 | 3.5 | Open |
+| SEC-009 | LOW | ReDoS | UrlUtils.ts | 3.7 | Open |
+| SEC-010 | LOW | URL Injection | fetchWrapper.ts | 3.1 | Open |
+| SEC-011 | LOW | Error Handling | CurrencyUtiles.ts, DateUtils.ts + 2 | 2.5 | FIXED |
+| SEC-012 | LOW | Response Validation | fetchWrapper.ts | 2.5 | FIXED |
+| SEC-013 | INFO | Type Safety | tsconfig.json | -- | FIXED |
+| SEC-014 | INFO | Information Leakage | tsconfig.json, .npmignore | -- | Accepted Risk |
+| SEC-015 | INFO | Information Leakage | .npmignore, package.json | -- | Accepted Risk |
+| SEC-016 | INFO | Runtime Safety | Spin.tsx | -- | FIXED |
+
+---
+
+## Remediation Priority
+
+| Priority | Findings | Action |
+|----------|----------|--------|
+| ~~**Immediate**~~ | ~~SEC-001, SEC-002~~ | ~~Sanitize Toaster content; replace `_.merge()` with safe alternative~~ -- **ALL FIXED** |
+| **Short-term** | ~~SEC-004, SEC-005~~, SEC-003, SEC-006 | ~~Add `res.ok` checks; remove console logging~~ **FIXED**; Default credentials to `same-origin`; evaluate SessionToken migration |
+| **Medium-term** | ~~SEC-007~~, SEC-008, SEC-009 | ~~Add JSON validation~~ **FIXED**; validate path/language inputs; replace URL regex with `URL` constructor |
+| **Long-term** | SEC-010, ~~SEC-011, SEC-012, SEC-013, SEC-014, SEC-015, SEC-016~~ | Fix URL encoding; ~~improve error handling~~ **FIXED**; ~~validate Content-Type~~ **FIXED**; ~~enable strict mode~~ **FIXED**; ~~source map/source publishing~~ **ACCEPTED RISK**; ~~null-guard Spin~~ **FIXED** |
+
+---
+
+## Remediation Recap
+
+| ID | Severity | Finding | Fix Applied | Files Changed |
+|----|----------|---------|-------------|---------------|
+| SEC-001 | HIGH | XSS via Syncfusion Toast HTML rendering | Added `escapeHtml()` function that encodes `&`, `<`, `>`, `"`, `'` as HTML entities. Applied to `title` and `content` before all `.show()` calls. | `Toaster.tsx` |
+| SEC-002 | HIGH | Prototype pollution via `lodash.merge()` | Removed lodash import. Replaced with `safeMerge()` that skips `__proto__`, `constructor`, `prototype` keys via a `BLOCKED_KEYS` Set. | `LanguageLoader.tsx` |
+| SEC-004 | MEDIUM | Missing `res.ok` check on fetch responses | Added `if (!res.ok) throw new Error(...)` immediately after `fetch()` and before `res.json()` in both manager functions. | `ConfigurationManager.ts`, `LanguageManager.ts` |
+| SEC-005 | MEDIUM | 25+ console calls leaking paths and data in production | Created centralized `Logger` utility (disabled by default, opt-in via `Logger.enableDebug()`). Replaced all 25 `console.*` calls across 7 files. All output prefixed with `[react-base]`. | `Logger.ts` (new), `ConfigurationLoader.tsx`, `ConfigurationReturner.tsx`, `ConfigurationManager.ts`, `LanguageLoader.tsx`, `LanguageReturner.tsx`, `LanguageManager.ts`, `fetchWrapper.ts` |
+| SEC-007 | MEDIUM | Unvalidated JSON dispatched to Redux store | Added plain object validation after `res.json()`: rejects `null`, primitives, and arrays. Only `typeof === 'object' && !Array.isArray()` passes through. | `ConfigurationManager.ts`, `LanguageManager.ts` |
+| SEC-011 | LOW | Silent error swallowing in utility functions | Added `Logger.warn` with descriptive messages and error objects to all 7 empty catch blocks in `CurrencyUtiles.ts` and `DateUtils.ts`. Updated manager catch blocks to include the `err` object. Added logging to `LanguageManager.getLabel` catch. | `CurrencyUtiles.ts`, `DateUtils.ts`, `ConfigurationManager.ts`, `LanguageManager.ts` |
+| SEC-012 | LOW | No Content-Type validation on fetch responses | Split JSON/blob branches. Added `Content-Type` header check for `application/json` before calling `.json()`. Non-JSON responses now throw a descriptive error instead of a generic `SyntaxError`. | `fetchWrapper.ts` |
+| SEC-013 | INFO | TypeScript strict mode disabled | Changed `strict: false` to `strict: true` in `tsconfig.json`. Fixed 4 compilation errors: typed array literals, guarded optional param, typed uninitialized variable. All strict checks now active. | `tsconfig.json`, `AppPagination.tsx`, `FileUtils.ts`, `UrlUtils.ts`, `fetchWrapper.ts` |
+| SEC-016 | INFO | Unchecked DOM null references in Spin | Replaced all `as HTMLElement` casts with null guards. `createSpinner`, `showSpinner`, `hideSpinner` only called when element exists. | `Spin.tsx` |
+
+**Overall progress**: 9/16 fixed, 2/16 accepted risk, 5/16 open (2/2 HIGH fixed, 3/5 MEDIUM fixed, 2/5 LOW fixed, 2/4 INFO fixed, 2/4 INFO accepted). All HIGH-severity issues resolved. Remaining 5 open findings require architectural decisions (credentials mode, SessionToken migration, input validation, URL handling).
+
+---
+
+## Changes from Previous Report (2026-02-02)
+
+- **Restructured findings** from 18 to 16 by consolidating related issues (e.g., path traversal across multiple loaders, JSON deserialization across multiple dispatchers)
+- **Downgraded ReDoS** (SEC-009) from HIGH to LOW after analysis showing `/` and `.` delimiters constrain the attack surface
+- **Added SEC-003** as a standalone finding -- `credentials: 'include'` was previously embedded in another finding
+- **Added SEC-007** -- unvalidated JSON to Redux store was previously split across multiple findings
+- **Clarified SEC-006** -- documented the specific redirect-based token leakage mechanism for custom headers
+- **Noted lodash dependency classification** -- lodash is in devDependencies, meaning consumers control the runtime version
+- **Added positive finding #8** -- FetchWrapper does validate response status correctly (the gap is only in the manager utilities)
+- **Ran `npm audit`** -- confirmed zero known dependency vulnerabilities

package/docs/SPIN.md

@@ -0,0 +1,45 @@
+# Spin
+
+Loading spinner overlay using Syncfusion's spinner utilities. This is a headless component (renders no visible DOM) -- it controls a spinner attached to a target DOM element.
+
+## Import
+
+```javascript
+import { Components } from '@firedesktop/react-base';
+const { Spin } = Components;
+```
+
+## Props
+
+| Prop | Type | Required | Default | Description |
+|------|------|----------|---------|-------------|
+| `spinning` | `boolean` | Yes | -- | Show (`true`) or hide (`false`) the spinner |
+| `targetId` | `string` | No | `'root'` | DOM element ID where the spinner is attached |
+
+## Usage
+
+```jsx
+const [loading, setLoading] = useState(false);
+
+<Spin spinning={loading} />
+```
+
+### On a specific container
+
+```jsx
+<div id="my-panel">
+  <Spin spinning={loading} targetId="my-panel" />
+  {/* panel content */}
+</div>
+```
+
+## Behavior
+
+- Creates the Syncfusion spinner on the target element when the component mounts
+- Shows/hides the spinner based on the `spinning` prop
+- If the target element does not exist in the DOM, the component does nothing (null-safe)
+- Returns an empty `<React.Fragment />` -- it does not render any visible output
+
+## Dependencies
+
+Uses `createSpinner`, `showSpinner`, `hideSpinner` from `@syncfusion/ej2-popups` (bundled dependency).

package/docs/TOASTER.md

@@ -0,0 +1,75 @@
+# Toaster
+
+Toast notification component using Syncfusion's ToastComponent. Displays styled notifications for errors, info, success, and warnings.
+
+## Import
+
+```javascript
+import { Components } from '@firedesktop/react-base';
+const { Toaster, Toaster_Types } = Components;
+```
+
+## Types
+
+```typescript
+type Toaster_Type = 'Error' | 'Information' | 'Success' | 'Warning';
+
+type Toaster_Prop_Type = {
+    content?: string;
+    title: string;
+    type: Toaster_Type;
+};
+```
+
+## Props
+
+| Prop | Type | Required | Description |
+|------|------|----------|-------------|
+| `propertiesObject` | `Toaster_Prop_Type` | Yes | Toast configuration object |
+
+### `propertiesObject` fields
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `title` | `string` | Yes | Toast title |
+| `content` | `string` | No | Toast body message |
+| `type` | `Toaster_Type` | Yes | Notification type |
+
+## Usage
+
+```jsx
+const [toast, setToast] = useState(null);
+
+{toast && <Toaster propertiesObject={toast} />}
+```
+
+### Showing different notification types
+
+```jsx
+// Success
+setToast({ title: 'Saved', content: 'Record saved.', type: 'Success' });
+
+// Error
+setToast({ title: 'Error', content: 'Failed to save.', type: 'Error' });
+
+// Warning
+setToast({ title: 'Warning', content: 'Unsaved changes.', type: 'Warning' });
+
+// Information
+setToast({ title: 'Info', content: 'New version available.', type: 'Information' });
+```
+
+## Behavior
+
+- Displays a toast notification positioned to the right
+- Each type has a distinct CSS class and icon:
+  - `Error` -- `e-toast-danger`, error icon, 4s timeout
+  - `Information` -- `e-toast-info`, info icon
+  - `Success` -- `e-toast-success`, success icon
+  - `Warning` -- `e-toast-warning`, warning icon
+- Shows a progress bar and close button
+- Title and content are HTML-escaped before rendering (XSS protection)
+
+## Dependencies
+
+Uses `ToastComponent` from `@syncfusion/ej2-react-notifications` (bundled dependency). Requires the Syncfusion Bootstrap4 theme CSS for styling.