From 0d7d845a8788b2d85e55e4a5f6a802eb80614ac4 Mon Sep 17 00:00:00 2001
From: Vatsal Sanjay <vatsal.sanjay@comphy-lab.org>
Date: Wed, 1 Apr 2026 12:49:30 +0100
Subject: [PATCH 1/7] Render command palette text safely

Build command result rows with DOM nodes so search titles and excerpts are inserted as text instead of interpolated into innerHTML.

Keep icon rendering unchanged because those strings are defined in-repo, and add a regression test that proves HTML in search results is displayed as text rather than creating DOM nodes.
---
 assets/js/command-palette.js               | 28 ++++++++++++----------
 tests/command-palette-stale-search.test.js | 20 ++++++++++++++++
 2 files changed, 36 insertions(+), 12 deletions(-)

diff --git a/assets/js/command-palette.js b/assets/js/command-palette.js
index 60299cd..278c8df 100644
--- a/assets/js/command-palette.js
+++ b/assets/js/command-palette.js
@@ -5,8 +5,7 @@
 
 // Store mutable state on window so duplicate script inclusion does not throw
 // on redeclaration before layout issues are fixed.
-window.__commandPaletteSearchToken =
-  window.__commandPaletteSearchToken || 0;
+window.__commandPaletteSearchToken = window.__commandPaletteSearchToken || 0;
 
 function nextSearchToken() {
   window.__commandPaletteSearchToken += 1;
@@ -137,21 +136,26 @@ function renderSections(sections, container) {
       const cmdEl = document.createElement("div");
       cmdEl.className = "command-palette-command";
 
-      let cmdContent = `
-        <div class="command-palette-icon">${cmd.icon || ""}</div>
-        <div class="command-palette-title">${cmd.title}</div>
-      `;
+      const iconEl = document.createElement("div");
+      iconEl.className = "command-palette-icon";
+      iconEl.innerHTML = cmd.icon || "";
+      cmdEl.appendChild(iconEl);
+
+      const titleEl = document.createElement("div");
+      titleEl.className = "command-palette-title";
+      titleEl.textContent = cmd.title || "";
+      cmdEl.appendChild(titleEl);
 
       // Add excerpt for search results if available
       if (cmd.excerpt) {
-        cmdContent += `<div class="command-palette-excerpt">${cmd.excerpt.substring(
-          0,
-          120
-        )}${cmd.excerpt.length > 120 ? "..." : ""}</div>`;
+        const excerptEl = document.createElement("div");
+        excerptEl.className = "command-palette-excerpt";
+        const excerpt = cmd.excerpt.substring(0, 120);
+        excerptEl.textContent =
+          excerpt + (cmd.excerpt.length > 120 ? "..." : "");
+        cmdEl.appendChild(excerptEl);
       }
 
-      cmdEl.innerHTML = cmdContent;
-
       cmdEl.addEventListener("click", function () {
         if (typeof cmd.handler === "function") {
           document.getElementById("simple-command-palette").style.display =
diff --git a/tests/command-palette-stale-search.test.js b/tests/command-palette-stale-search.test.js
index 88c40fb..ffba203 100644
--- a/tests/command-palette-stale-search.test.js
+++ b/tests/command-palette-stale-search.test.js
@@ -123,4 +123,24 @@ describe("command palette stale-search guard", () => {
     expect(resultsContainer.innerHTML).toBe(snapshotAfterCurrent);
     expect(resultsContainer.textContent).not.toContain("Late Stale Result");
   });
+
+  it("renders title and excerpt as text for search results", async () => {
+    window.renderCommandResults("abc");
+
+    resolveFirst([
+      {
+        title: "<img src=x onerror=alert(1)>Unsafe",
+        excerpt: "<script>alert(1)</script>Excerpt",
+        icon: "",
+        section: "Search Results",
+      },
+    ]);
+    await Promise.resolve();
+    await Promise.resolve();
+
+    expect(resultsContainer.querySelector("img")).toBeNull();
+    expect(resultsContainer.querySelector("script")).toBeNull();
+    expect(resultsContainer.textContent).toContain("Unsafe");
+    expect(resultsContainer.textContent).toContain("Excerpt");
+  });
 });

From bfbd618d0b1db7276d5aaec15b8caf014dd98a56 Mon Sep 17 00:00:00 2001
From: Vatsal Sanjay <vatsal.sanjay@comphy-lab.org>
Date: Wed, 1 Apr 2026 12:49:35 +0100
Subject: [PATCH 2/7] Pin Font Awesome stylesheet loading

Replace runtime Font Awesome injection in each layout with a fixed CDN stylesheet reference protected by SRI.

This removes the hostname-based script/css branching, avoids loading a kit script into the page head, and keeps icon rendering consistent across local and deployed pages.
---
 _layouts/default.html         | 35 +++++--------------------
 _layouts/history.html         | 35 +++++--------------------
 _layouts/join-us.html         | 30 +++++----------------
 _layouts/research.html        | 35 +++++--------------------
 _layouts/teaching-course.html | 49 ++++++++++-------------------------
 _layouts/teaching.html        | 35 +++++--------------------
 _layouts/team.html            | 35 +++++--------------------
 7 files changed, 56 insertions(+), 198 deletions(-)

diff --git a/_layouts/default.html b/_layouts/default.html
index 224888c..ba6b29a 100644
--- a/_layouts/default.html
+++ b/_layouts/default.html
@@ -151,34 +151,13 @@
       });
     })();
   </script>
-  <script>
-    // Check if we're on localhost
-    if (window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1') {
-      // Load Font Awesome stylesheets with improved error handling and version extraction
-      function loadStylesheet(href) {
-        const link = document.createElement('link');
-        link.rel = 'stylesheet';
-        link.href = href;
-        link.crossOrigin = 'anonymous';
-        link.onerror = () => console.error(`Failed to load stylesheet: ${href}`);
-        document.head.appendChild(link);
-        return link;
-      }
-
-      const FA_VERSION = '6.7.2';  // Extract version to a constant for easier updates
-      
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/solid.css`);
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/brands.css`);
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/fontawesome.css`);
-    } else {
-      // Use Kit for production with defer
-      var script = document.createElement('script');
-      script.src = 'https://kit.fontawesome.com/b1cfd9ca75.js';
-      script.crossOrigin = 'anonymous';
-      script.defer = true;
-      document.head.appendChild(script);
-    }
-  </script>
+  <link
+    rel="stylesheet"
+    href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.7.2/css/all.min.css"
+    integrity="sha512-Evv84Mr4kqVGRNSgIGL/F/aIDqQb7xQ2vcrdIwxfjThSH8CSR7PBEakCr51Ck+w+/U6swU2Im1vVX0SVk9ABhg=="
+    crossorigin="anonymous"
+    referrerpolicy="no-referrer"
+  >
 
 </head>
 <body id="top">
diff --git a/_layouts/history.html b/_layouts/history.html
index b9f13fb..db26b26 100644
--- a/_layouts/history.html
+++ b/_layouts/history.html
@@ -130,34 +130,13 @@
     })();
   </script>
 
-  <script>
-    // Check if we're on localhost
-    if (window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1') {
-      // Load Font Awesome stylesheets with improved error handling and version extraction
-      function loadStylesheet(href) {
-        const link = document.createElement('link');
-        link.rel = 'stylesheet';
-        link.href = href;
-        link.crossOrigin = 'anonymous';
-        link.onerror = () => console.error(`Failed to load stylesheet: ${href}`);
-        document.head.appendChild(link);
-        return link;
-      }
-
-      const FA_VERSION = '6.7.2';  // Extract version to a constant for easier updates
-      
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/solid.css`);
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/brands.css`);
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/fontawesome.css`);
-    } else {
-      // Use Kit for production with defer
-      var script = document.createElement('script');
-      script.src = 'https://kit.fontawesome.com/b1cfd9ca75.js';
-      script.crossOrigin = 'anonymous';
-      script.defer = true;
-      document.head.appendChild(script);
-    }
-  </script>
+  <link
+    rel="stylesheet"
+    href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.7.2/css/all.min.css"
+    integrity="sha512-Evv84Mr4kqVGRNSgIGL/F/aIDqQb7xQ2vcrdIwxfjThSH8CSR7PBEakCr51Ck+w+/U6swU2Im1vVX0SVk9ABhg=="
+    crossorigin="anonymous"
+    referrerpolicy="no-referrer"
+  >
 </head>
 <body id="top">
 
diff --git a/_layouts/join-us.html b/_layouts/join-us.html
index 22f3612..d96a825 100644
--- a/_layouts/join-us.html
+++ b/_layouts/join-us.html
@@ -93,29 +93,13 @@
       });
     })();
   </script>
-  <script>
-    if (window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1') {
-      function loadStylesheet(href) {
-        const link = document.createElement('link');
-        link.rel = 'stylesheet';
-        link.href = href;
-        link.crossOrigin = 'anonymous';
-        link.onerror = () => console.error(`Failed to load stylesheet: ${href}`);
-        document.head.appendChild(link);
-        return link;
-      }
-      const FA_VERSION = '6.7.2';
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/solid.css`);
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/brands.css`);
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/fontawesome.css`);
-    } else {
-      var script = document.createElement('script');
-      script.src = 'https://kit.fontawesome.com/b1cfd9ca75.js';
-      script.crossOrigin = 'anonymous';
-      script.defer = true;
-      document.head.appendChild(script);
-    }
-  </script>
+  <link
+    rel="stylesheet"
+    href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.7.2/css/all.min.css"
+    integrity="sha512-Evv84Mr4kqVGRNSgIGL/F/aIDqQb7xQ2vcrdIwxfjThSH8CSR7PBEakCr51Ck+w+/U6swU2Im1vVX0SVk9ABhg=="
+    crossorigin="anonymous"
+    referrerpolicy="no-referrer"
+  >
 </head>
 <body id="top">
   <div id="preloader"><div id="loader"></div></div>
diff --git a/_layouts/research.html b/_layouts/research.html
index 2d93833..e6c492a 100644
--- a/_layouts/research.html
+++ b/_layouts/research.html
@@ -113,34 +113,13 @@
       });
     })();
   </script>
-  <script>
-    // Check if we're on localhost
-    if (window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1') {
-      // Load Font Awesome stylesheets with improved error handling and version extraction
-      function loadStylesheet(href) {
-        const link = document.createElement('link');
-        link.rel = 'stylesheet';
-        link.href = href;
-        link.crossOrigin = 'anonymous';
-        link.onerror = () => console.error(`Failed to load stylesheet: ${href}`);
-        document.head.appendChild(link);
-        return link;
-      }
-
-      const FA_VERSION = '6.7.2';  // Extract version to a constant for easier updates
-      
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/solid.css`);
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/brands.css`);
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/fontawesome.css`);
-    } else {
-      // Use Kit for production with defer
-      var script = document.createElement('script');
-      script.src = 'https://kit.fontawesome.com/b1cfd9ca75.js';
-      script.crossOrigin = 'anonymous';
-      script.defer = true;
-      document.head.appendChild(script);
-    }
-  </script>
+  <link
+    rel="stylesheet"
+    href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.7.2/css/all.min.css"
+    integrity="sha512-Evv84Mr4kqVGRNSgIGL/F/aIDqQb7xQ2vcrdIwxfjThSH8CSR7PBEakCr51Ck+w+/U6swU2Im1vVX0SVk9ABhg=="
+    crossorigin="anonymous"
+    referrerpolicy="no-referrer"
+  >
 </head>
 <body id="top">
 
diff --git a/_layouts/teaching-course.html b/_layouts/teaching-course.html
index c5ba319..aad04da 100644
--- a/_layouts/teaching-course.html
+++ b/_layouts/teaching-course.html
@@ -5,7 +5,7 @@
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <meta name="base-url" content="{{ site.baseurl }}">
-  <title>{% if page.title %}{{ page.title }} - {% endif %}{{ site.title }}</title>
+  <title>{% if page.title %}{{ page.title | escape_once }} - {% endif %}{{ site.title | escape_once }}</title>
 
   <!-- Critical CSS for fastest paint -->
   <style>
@@ -36,10 +36,10 @@
   <link rel="mask-icon" href="/assets/favicon/safari-pinned-tab.svg" color="#5bbad5">
   
   <!-- SEO Meta Tags -->
-  <meta name="description" content="{% if page.description %}{{ page.description }}{% else %}Detailed course information and materials from the Computational Multiphase Physics Laboratory{% endif %}">
+  <meta name="description" content="{% if page.description %}{{ page.description | escape_once }}{% else %}Detailed course information and materials from the Computational Multiphase Physics Laboratory{% endif %}">
   <meta name="author" content="CoMPhy Lab">
   <meta name="robots" content="index, follow">
-  <meta name="keywords" content="{% if page.keywords %}{{ page.keywords }}{% else %}computational physics course, course materials, lectures, tutorials, multiphase physics education{% endif %}">
+  <meta name="keywords" content="{% if page.keywords %}{{ page.keywords | escape_once }}{% else %}computational physics course, course materials, lectures, tutorials, multiphase physics education{% endif %}">
 
   <!-- Font dependencies with font-display: swap -->
   <style>
@@ -67,14 +67,14 @@
   {
     "@context": "https://schema.org",
     "@type": "Course",
-    "name": "{% if page.title %}{{ page.title }}{% else %}Course - Computational Multiphase Physics{% endif %}",
-    "description": "{% if page.description %}{{ page.description }}{% else %}Detailed course information and materials{% endif %}",
+    "name": {{ page.title | default: "Course - Computational Multiphase Physics" | jsonify }},
+    "description": {{ page.description | default: "Detailed course information and materials" | jsonify }},
     "provider": {
       "@type": "Organization",
       "name": "Computational Multiphase Physics Laboratory",
-      "sameAs": "{{ site.url }}"
+      "sameAs": {{ site.url | jsonify }}
     },
-    "url": "{{ site.url }}{{ page.url }}"
+    "url": {{ site.url | append: page.url | jsonify }}
   }
   </script>
 
@@ -134,34 +134,13 @@
     document.documentElement.classList.remove('no-js');
     document.documentElement.classList.add('js');
   </script>
-  <script>
-    // Check if we're on localhost
-    if (window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1') {
-      // Load Font Awesome stylesheets with improved error handling and version extraction
-      function loadStylesheet(href) {
-        const link = document.createElement('link');
-        link.rel = 'stylesheet';
-        link.href = href;
-        link.crossOrigin = 'anonymous';
-        link.onerror = () => console.error(`Failed to load stylesheet: ${href}`);
-        document.head.appendChild(link);
-        return link;
-      }
-
-      const FA_VERSION = '6.7.2';  // Extract version to a constant for easier updates
-      
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/solid.css`);
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/brands.css`);
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/fontawesome.css`);
-    } else {
-      // Use Kit for production with defer
-      var script = document.createElement('script');
-      script.src = 'https://kit.fontawesome.com/b1cfd9ca75.js';
-      script.crossOrigin = 'anonymous';
-      script.defer = true;
-      document.head.appendChild(script);
-    }
-  </script>
+  <link
+    rel="stylesheet"
+    href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.7.2/css/all.min.css"
+    integrity="sha512-Evv84Mr4kqVGRNSgIGL/F/aIDqQb7xQ2vcrdIwxfjThSH8CSR7PBEakCr51Ck+w+/U6swU2Im1vVX0SVk9ABhg=="
+    crossorigin="anonymous"
+    referrerpolicy="no-referrer"
+  >
 </head>
 <body id="top">
 
diff --git a/_layouts/teaching.html b/_layouts/teaching.html
index 272a8c4..8f3c0c0 100644
--- a/_layouts/teaching.html
+++ b/_layouts/teaching.html
@@ -130,34 +130,13 @@
     })();
   </script>
 
-  <script>
-    // Check if we're on localhost
-    if (window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1') {
-      // Load Font Awesome stylesheets with improved error handling and version extraction
-      function loadStylesheet(href) {
-        const link = document.createElement('link');
-        link.rel = 'stylesheet';
-        link.href = href;
-        link.crossOrigin = 'anonymous';
-        link.onerror = () => console.error(`Failed to load stylesheet: ${href}`);
-        document.head.appendChild(link);
-        return link;
-      }
-
-      const FA_VERSION = '6.7.2';  // Extract version to a constant for easier updates
-      
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/solid.css`);
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/brands.css`);
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/fontawesome.css`);
-    } else {
-      // Use Kit for production with defer
-      var script = document.createElement('script');
-      script.src = 'https://kit.fontawesome.com/b1cfd9ca75.js';
-      script.crossOrigin = 'anonymous';
-      script.defer = true;
-      document.head.appendChild(script);
-    }
-  </script>
+  <link
+    rel="stylesheet"
+    href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.7.2/css/all.min.css"
+    integrity="sha512-Evv84Mr4kqVGRNSgIGL/F/aIDqQb7xQ2vcrdIwxfjThSH8CSR7PBEakCr51Ck+w+/U6swU2Im1vVX0SVk9ABhg=="
+    crossorigin="anonymous"
+    referrerpolicy="no-referrer"
+  >
 </head>
 <body id="top">
 
diff --git a/_layouts/team.html b/_layouts/team.html
index 5863052..306d707 100644
--- a/_layouts/team.html
+++ b/_layouts/team.html
@@ -123,34 +123,13 @@
       });
     })();
   </script>
-  <script>
-    // Check if we're on localhost
-    if (window.location.hostname === 'localhost' || window.location.hostname === '127.0.0.1') {
-      // Load Font Awesome stylesheets with improved error handling and version extraction
-      function loadStylesheet(href) {
-        const link = document.createElement('link');
-        link.rel = 'stylesheet';
-        link.href = href;
-        link.crossOrigin = 'anonymous';
-        link.onerror = () => console.error(`Failed to load stylesheet: ${href}`);
-        document.head.appendChild(link);
-        return link;
-      }
-
-      const FA_VERSION = '6.7.2';  // Extract version to a constant for easier updates
-
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/solid.css`);
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/brands.css`);
-      loadStylesheet(`https://use.fontawesome.com/releases/v${FA_VERSION}/css/fontawesome.css`);
-    } else {
-      // Use Kit for production with defer
-      var script = document.createElement('script');
-      script.src = 'https://kit.fontawesome.com/b1cfd9ca75.js';
-      script.crossOrigin = 'anonymous';
-      script.defer = true;
-      document.head.appendChild(script);
-    }
-  </script>
+  <link
+    rel="stylesheet"
+    href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.7.2/css/all.min.css"
+    integrity="sha512-Evv84Mr4kqVGRNSgIGL/F/aIDqQb7xQ2vcrdIwxfjThSH8CSR7PBEakCr51Ck+w+/U6swU2Im1vVX0SVk9ABhg=="
+    crossorigin="anonymous"
+    referrerpolicy="no-referrer"
+  >
 </head>
 <body id="top" class="team-page-body">
 

From 691aeb1cff977588ece4ccc802f32e6880216755 Mon Sep 17 00:00:00 2001
From: Vatsal Sanjay <vatsal.sanjay@comphy-lab.org>
Date: Wed, 1 Apr 2026 12:49:55 +0100
Subject: [PATCH 3/7] Harden featured homepage embeds

Sanitize cloned featured-paper elements before inserting them into the homepage card list.

Rebuild iframe-only media as trusted YouTube nocookie embeds with explicit sandbox and referrer policy settings, and add coverage for both the preserved safe embed path and rejected untrusted iframe sources.
---
 assets/js/main.js                        | 78 ++++++++++++++++++++++--
 tests/featured-papers-regression.test.js | 56 ++++++++++++++---
 2 files changed, 122 insertions(+), 12 deletions(-)

diff --git a/assets/js/main.js b/assets/js/main.js
index f65e304..8fcf6cb 100644
--- a/assets/js/main.js
+++ b/assets/js/main.js
@@ -143,6 +143,63 @@
       window.location.pathname === "/index.html"
     ) {
       try {
+        const sanitizeElement = (element) => {
+          if (typeof DOMPurify === "undefined") {
+            console.warn(
+              "Skipping featured content because DOMPurify is unavailable."
+            );
+            return null;
+          }
+
+          const wrapper = document.createElement("div");
+          wrapper.innerHTML = DOMPurify.sanitize(element.outerHTML);
+          return wrapper.firstElementChild;
+        };
+
+        const cloneTrustedIframe = (iframe) => {
+          const src = iframe.getAttribute("src") || "";
+          let parsedUrl;
+
+          try {
+            parsedUrl = new URL(src, window.location.origin);
+          } catch (error) {
+            console.warn("Skipping invalid featured iframe URL:", src, error);
+            return null;
+          }
+
+          const isTrustedYouTubeEmbed =
+            parsedUrl.protocol === "https:" &&
+            parsedUrl.hostname === "www.youtube-nocookie.com" &&
+            parsedUrl.pathname.startsWith("/embed/");
+
+          if (!isTrustedYouTubeEmbed) {
+            console.warn("Skipping untrusted featured iframe:", src);
+            return null;
+          }
+
+          const iframeClone = document.createElement("iframe");
+          ["width", "height", "title", "allow"].forEach((attribute) => {
+            const value = iframe.getAttribute(attribute);
+            if (value) {
+              iframeClone.setAttribute(attribute, value);
+            }
+          });
+          iframeClone.src = parsedUrl.toString();
+          iframeClone.setAttribute("loading", "lazy");
+          iframeClone.setAttribute(
+            "referrerpolicy",
+            "strict-origin-when-cross-origin"
+          );
+          iframeClone.setAttribute(
+            "sandbox",
+            "allow-scripts allow-same-origin allow-presentation"
+          );
+          if (iframe.hasAttribute("allowfullscreen")) {
+            iframeClone.setAttribute("allowfullscreen", "");
+          }
+          return iframeClone;
+        };
+
         const response = await fetch("/research/");
         if (!response.ok) {
           throw new Error(
@@ -216,7 +273,12 @@
             }
 
             // Get all content until the next h3 or end
-            let content = [section.cloneNode(true)];
+            const safeSection = sanitizeElement(section);
+            if (!safeSection) {
+              return;
+            }
+
+            let content = [safeSection];
             let nextEl = section.nextElementSibling;
 
             while (nextEl) {
@@ -254,16 +316,22 @@
               // Otherwise keep the iframe so cards do not lose their only media.
               if (nextEl.matches("iframe")) {
                 if (!sectionHasStaticImage) {
-                  const iframeClone = nextEl.cloneNode(true);
-                  iframeClone.setAttribute("loading", "lazy");
-                  content.push(iframeClone);
+                  const iframeClone = cloneTrustedIframe(nextEl);
+                  if (iframeClone) {
+                    content.push(iframeClone);
+                  }
                 }
                 nextEl = nextEl.nextElementSibling;
                 continue;
               }
 
               // Include everything else (tags, images, badges)
-              const clone = nextEl.cloneNode(true);
+              const clone = sanitizeElement(nextEl);
+
+              if (!clone) {
+                nextEl = nextEl.nextElementSibling;
+                continue;
+              }
 
               // If it's a tags element, make spans clickable
               if (clone.matches(".tags")) {
diff --git a/tests/featured-papers-regression.test.js b/tests/featured-papers-regression.test.js
index a2f2655..9e60b44 100644
--- a/tests/featured-papers-regression.test.js
+++ b/tests/featured-papers-regression.test.js
@@ -2,7 +2,12 @@ describe("featured papers homepage media handling", () => {
   const researchHtml = `
     <h3 id="1">[1] Iframe-only featured paper</h3>
     <div class="tags"><span>Featured</span></div>
-    <iframe src="https://www.youtube-nocookie.com/embed/abc123"></iframe>
+    <iframe
+      src="https://www.youtube-nocookie.com/embed/abc123"
+      srcdoc="<script>alert('xss')</script>"
+      title="YouTube video player"
+      allowfullscreen
+    ></iframe>
 
     <h3 id="2">[2] Featured paper with static image</h3>
     <div class="tags"><span>Featured</span></div>
@@ -59,14 +64,51 @@ describe("featured papers homepage media handling", () => {
       await Promise.resolve();
       await Promise.resolve();
 
-    const cards = document.querySelectorAll(".featured-paper");
-    const firstIframe = cards[0].querySelector("iframe");
+      const cards = document.querySelectorAll(".featured-paper");
+      const firstIframe = cards[0].querySelector("iframe");
 
-    expect(cards).toHaveLength(2);
-    expect(firstIframe).not.toBeNull();
-    expect(firstIframe.getAttribute("loading")).toBe("lazy");
-    expect(cards[1].querySelector("iframe")).toBeNull();
+      expect(cards).toHaveLength(2);
+      expect(firstIframe).not.toBeNull();
+      expect(firstIframe.getAttribute("loading")).toBe("lazy");
+      expect(firstIframe.getAttribute("sandbox")).toBe(
+        "allow-scripts allow-same-origin allow-presentation"
+      );
+      expect(firstIframe.getAttribute("referrerpolicy")).toBe(
+        "strict-origin-when-cross-origin"
+      );
+      expect(firstIframe.getAttribute("srcdoc")).toBeNull();
+      expect(cards[1].querySelector("iframe")).toBeNull();
       expect(cards[1].querySelector("img")).not.toBeNull();
     }
   );
+
+  it("drops untrusted iframe sources from featured cards", async () => {
+    fetch.mockImplementation((url) => {
+      if (url === "/research/") {
+        return Promise.resolve({
+          ok: true,
+          text: () =>
+            Promise.resolve(`
+              <h3 id="1">[1] Untrusted featured paper</h3>
+              <div class="tags"><span>Featured</span></div>
+              <iframe src="data:text/html,<script>alert(1)</script>"></iframe>
+            `),
+        });
+      }
+
+      return Promise.resolve({
+        ok: true,
+        text: () => Promise.resolve(""),
+      });
+    });
+
+    require("../assets/js/main.js");
+
+    window.dispatchEvent(new Event("load"));
+    await Promise.resolve();
+    await Promise.resolve();
+
+    const firstCard = document.querySelector(".featured-paper");
+    expect(firstCard.querySelector("iframe")).toBeNull();
+  });
 });

From 87bb1a290f5dad91a25b7a069b040c39fd68940b Mon Sep 17 00:00:00 2001
From: Vatsal Sanjay <vatsal.sanjay@comphy-lab.org>
Date: Wed, 1 Apr 2026 12:50:04 +0100
Subject: [PATCH 4/7] Harden setup and SEO build inputs

Stop bootstrap-by-download behavior in setup.sh when Ruby or Node.js are missing, pin the remaining GitHub App token action by commit SHA, and switch SEO config loading to YAML.safe_load.

Also normalize internal SEO output paths through URI parsing and cleanpath checks before writing under _site so crafted URLs cannot escape the build output directory.
---
 .../sync-org-profile-publications.yml         |  2 +-
 scripts/generate_seo_tags.rb                  | 64 ++++++++++++++-----
 scripts/setup.sh                              | 58 ++++-------------
 3 files changed, 61 insertions(+), 63 deletions(-)

diff --git a/.github/workflows/sync-org-profile-publications.yml b/.github/workflows/sync-org-profile-publications.yml
index f2e7dd9..9a69ce1 100644
--- a/.github/workflows/sync-org-profile-publications.yml
+++ b/.github/workflows/sync-org-profile-publications.yml
@@ -21,7 +21,7 @@ jobs:
     steps:
       - name: Create GitHub App token
         id: app-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@c8f55efbd427e7465d6da1106e7979bc8aaee856 # v1.10.1
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
diff --git a/scripts/generate_seo_tags.rb b/scripts/generate_seo_tags.rb
index eb3c4e7..1f0be6e 100755
--- a/scripts/generate_seo_tags.rb
+++ b/scripts/generate_seo_tags.rb
@@ -5,6 +5,8 @@
 require 'set'
 require 'yaml'
 require 'cgi'
+require 'pathname'
+require 'uri'
 
 # Get the project root directory (one level up from scripts)
 ROOT_DIR = File.expand_path('..', __dir__)
@@ -13,11 +15,26 @@
 config_path = File.join(ROOT_DIR, '_config.yml')
 site_config = {}
 if File.exist?(config_path)
-  site_config = YAML.load_file(config_path)
+  site_config = YAML.safe_load(
+    File.read(config_path),
+    permitted_classes: [],
+    permitted_symbols: [],
+    aliases: false
+  ) || {}
 end
 
 # Site domain configuration
-SITE_DOMAIN = ENV['SITE_DOMAIN'] || site_config['url']&.gsub(/^https?:\/\//, '') || 'comphy-lab.org'
+site_domain_source = ENV['SITE_DOMAIN'] || site_config['url'] || 'https://comphy-lab.org'
+SITE_DOMAIN = begin
+  parsed_site_url = URI.parse(
+    site_domain_source.match?(/\Ahttps?:\/\//) ?
+      site_domain_source :
+      "https://#{site_domain_source}"
+  )
+  parsed_site_url.host || 'comphy-lab.org'
+rescue URI::InvalidURIError
+  'comphy-lab.org'
+end
 
 # Load search database
 search_db_path = File.join(ROOT_DIR, 'assets', 'js', 'search_db.json')
@@ -51,11 +68,12 @@
 #   normalize_url("/contact#team")   #=> "contact/index.html"
 #   normalize_url("/index.html")   #=> "index.html"
 def normalize_url(url)
-  # Add debugging
-  original_url = url.dup
-  
+  original_url = url.to_s.dup
+
   # Remove anchor
-  url = url.split('#').first
+  url = original_url.split('#').first.to_s
+
+  return nil if url.empty?
 
   # Ensure URL starts with a slash
   url = "/#{url}" unless url.start_with?('/')
@@ -64,12 +82,15 @@ def normalize_url(url)
   url = "/index.html" if url == "/"
 
   # Add .html extension to URLs without extension
-  unless url.include?('.')
+  if File.extname(url).empty?
     url = "#{url.chomp('/')}/index.html"
   end
 
+  normalized = Pathname.new(url).cleanpath.to_s
+  return nil unless normalized.start_with?('/')
+
   # Remove leading slash for file operations
-  result = url.sub(/^\//, '')
+  result = normalized.sub(/^\//, '')
   
   # Debug output
   puts "URL Normalization: #{original_url} -> #{result}" if ENV['DEBUG']
@@ -84,15 +105,20 @@ def normalize_url(url)
 
   # Convert URL with domain to relative URL
   if url.start_with?('http')
-    # Skip truly external URLs (not on our domain)
-    site_domain_pattern = Regexp.new("https?://#{Regexp.escape(SITE_DOMAIN)}")
-    unless url.match?(site_domain_pattern)
+    begin
+      parsed_url = URI.parse(url)
+    rescue URI::InvalidURIError
+      puts "Skipping invalid URL: #{url}" if ENV['DEBUG']
+      next
+    end
+
+    unless parsed_url.is_a?(URI::HTTP) && parsed_url.host == SITE_DOMAIN
       puts "Skipping external URL: #{url}" if ENV['DEBUG']
       next
     end
-    
-    # Remove domain part for our own domain
-    url = url.sub(site_domain_pattern, '')
+
+    url = parsed_url.path.to_s
+    url = '/' if url.empty?
     puts "Converted URL to relative: #{url}" if ENV['DEBUG']
   end
 
@@ -105,6 +131,8 @@ def normalize_url(url)
     # Normalize URL for internal files
     normalized_url = normalize_url(url)
   end
+
+  next unless normalized_url
   
   normalized_urls[url] = normalized_url
 
@@ -257,7 +285,13 @@ def update_description_meta(doc, head, description)
   descriptions = descriptions_by_url[url] || Set.new
   
   # Get file path
-  file_path = File.join(site_dir, url)
+  file_path = File.expand_path(url, site_dir)
+  site_root = File.expand_path(site_dir)
+
+  unless file_path.start_with?("#{site_root}#{File::SEPARATOR}")
+    puts "Skipping unsafe output path for #{url}" if ENV['DEBUG']
+    next
+  end
   
   # Update HTML file if it exists
   if update_html_with_metadata(file_path, keywords, descriptions)
diff --git a/scripts/setup.sh b/scripts/setup.sh
index 19b38c0..485edab 100755
--- a/scripts/setup.sh
+++ b/scripts/setup.sh
@@ -1,8 +1,9 @@
 #!/bin/bash
 
 # CoMPhy Lab Website Setup Script
-# Complete setup for both clean machines and existing development environments
-# This script will install Ruby, Node.js, and all dependencies if not present
+# Setup for existing development environments
+# Install Ruby and Node.js with a trusted package manager before running this
+# If rbenv is already installed, it can still install the repo-pinned Ruby
 # Usage: ./scripts/setup.sh
 
 set -e  # Exit on error
@@ -25,33 +26,10 @@ echo "📦 Checking Ruby installation..."
 
 # First check if Ruby is installed at all
 if ! command -v ruby &> /dev/null; then
-  echo "❌ Ruby not found. Installing Ruby via rbenv..."
-
-  # Install rbenv
-  if [ ! -d "$HOME/.rbenv" ]; then
-    git clone https://github.com/rbenv/rbenv.git ~/.rbenv
-    echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
-    echo 'eval "$(rbenv init -)"' >> ~/.bashrc
-
-    # Also add to ~/.bash_profile for macOS compatibility
-    echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bash_profile
-    echo 'eval "$(rbenv init -)"' >> ~/.bash_profile
-
-    # Install ruby-build plugin
-    git clone https://github.com/rbenv/ruby-build.git ~/.rbenv/plugins/ruby-build
-  fi
-
-  # Set PATH for current session
-  export PATH="$HOME/.rbenv/bin:$PATH"
-  eval "$(rbenv init -)"
-
-  # Install repo-pinned Ruby
-  echo "Installing Ruby ${REQUIRED_RUBY_VERSION}..."
-  rbenv install -s "${REQUIRED_RUBY_VERSION}"
-  rbenv local "${REQUIRED_RUBY_VERSION}"
-  rbenv rehash
-
-  echo "✅ Ruby installed successfully: $(ruby --version)"
+  echo "❌ Ruby not found."
+  echo "   Install Ruby ${REQUIRED_RUBY_VERSION} with a trusted"
+  echo "   package manager before running this script again."
+  exit 1
 
 # Check if rbenv is being used and handle version issues
 elif command -v rbenv &> /dev/null && [ -f ".ruby-version" ]; then
@@ -108,24 +86,10 @@ if command -v node &> /dev/null; then
   NODE_VERSION=$(node --version)
   echo "✅ Node.js installed: $NODE_VERSION"
 else
-  echo "❌ Node.js not found. Installing Node.js via nvm..."
-
-  # Install nvm
-  if [ ! -d "$HOME/.nvm" ]; then
-    curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash
-  fi
-
-  # Source nvm for current session
-  export NVM_DIR="$HOME/.nvm"
-  [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
-  [ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion"
-
-  # Install latest Node.js
-  echo "Installing latest Node.js..."
-  nvm install node
-  nvm use node
-
-  echo "✅ Node.js installed successfully: $(node --version)"
+  echo "❌ Node.js not found."
+  echo "   Install a current LTS Node.js release with a trusted"
+  echo "   package manager before running this script again."
+  exit 1
 fi
 
 # Check npm installation

From fd5fe9732cecb29de1af1eb8872ed5a6245beb77 Mon Sep 17 00:00:00 2001
From: Vatsal Sanjay <vatsal.sanjay@comphy-lab.org>
Date: Wed, 1 Apr 2026 14:53:39 +0100
Subject: [PATCH 5/7] Tighten iframe and Ruby setup safeguards

Replace inherited featured iframe permissions with a fixed allowlist and stronger sandboxing. Also let setup.sh bootstrap the repo-pinned Ruby through rbenv even when ruby is not initially on PATH, matching the script's documented behavior.
---
 assets/js/main.js                        | 16 ++++++-
 scripts/setup.sh                         | 21 +++++----
 tests/featured-papers-regression.test.js | 56 +++++++++++++++++++++++-
 3 files changed, 81 insertions(+), 12 deletions(-)

diff --git a/assets/js/main.js b/assets/js/main.js
index 8fcf6cb..0582efa 100644
--- a/assets/js/main.js
+++ b/assets/js/main.js
@@ -178,13 +178,25 @@
           }
 
           const iframeClone = document.createElement("iframe");
-          ["width", "height", "title", "allow"].forEach((attribute) => {
+          ["width", "height", "title"].forEach((attribute) => {
             const value = iframe.getAttribute(attribute);
             if (value) {
               iframeClone.setAttribute(attribute, value);
             }
           });
           iframeClone.src = parsedUrl.toString();
+          iframeClone.setAttribute(
+            "allow",
+            [
+              "accelerometer",
+              "autoplay",
+              "clipboard-write",
+              "encrypted-media",
+              "gyroscope",
+              "picture-in-picture",
+              "web-share",
+            ].join("; ")
+          );
           iframeClone.setAttribute("loading", "lazy");
           iframeClone.setAttribute(
             "referrerpolicy",
@@ -192,7 +204,7 @@
           );
           iframeClone.setAttribute(
             "sandbox",
-            "allow-scripts allow-same-origin allow-presentation"
+            "allow-scripts allow-presentation"
           );
           if (iframe.hasAttribute("allowfullscreen")) {
             iframeClone.setAttribute("allowfullscreen", "");
diff --git a/scripts/setup.sh b/scripts/setup.sh
index 485edab..95c5603 100755
--- a/scripts/setup.sh
+++ b/scripts/setup.sh
@@ -24,16 +24,11 @@ REQUIRED_BUNDLER_VERSION="$(awk '/^BUNDLED WITH$/{getline; gsub(/^[[:space:]]+/,
 # Check Ruby installation
 echo "📦 Checking Ruby installation..."
 
-# First check if Ruby is installed at all
-if ! command -v ruby &> /dev/null; then
-  echo "❌ Ruby not found."
-  echo "   Install Ruby ${REQUIRED_RUBY_VERSION} with a trusted"
-  echo "   package manager before running this script again."
-  exit 1
-
 # Check if rbenv is being used and handle version issues
-elif command -v rbenv &> /dev/null && [ -f ".ruby-version" ]; then
+if command -v rbenv &> /dev/null && [ -f ".ruby-version" ]; then
   echo "📌 Project requires Ruby ${REQUIRED_RUBY_VERSION} (via .ruby-version)"
+  RBENV_ROOT="$(rbenv root)"
+  export PATH="${RBENV_ROOT}/bin:${RBENV_ROOT}/shims:${PATH}"
 
   # Check if the required version is installed
   if ! rbenv versions --bare | grep -q "^${REQUIRED_RUBY_VERSION}$"; then
@@ -42,10 +37,18 @@ elif command -v rbenv &> /dev/null && [ -f ".ruby-version" ]; then
     rbenv install -s "${REQUIRED_RUBY_VERSION}"
   fi
 
-  rbenv local "${REQUIRED_RUBY_VERSION}"
+  export RBENV_VERSION="${REQUIRED_RUBY_VERSION}"
   rbenv rehash
 fi
 
+# First check if Ruby is installed at all
+if ! command -v ruby &> /dev/null; then
+  echo "❌ Ruby not found on PATH."
+  echo "   Install Ruby ${REQUIRED_RUBY_VERSION} with a trusted"
+  echo "   package manager or rbenv before running this script again."
+  exit 1
+fi
+
 # Now check Ruby again
 if command -v ruby &> /dev/null; then
   RUBY_VERSION=$(ruby --version 2>&1 || echo "Ruby version check failed")
diff --git a/tests/featured-papers-regression.test.js b/tests/featured-papers-regression.test.js
index 9e60b44..a46c214 100644
--- a/tests/featured-papers-regression.test.js
+++ b/tests/featured-papers-regression.test.js
@@ -70,8 +70,19 @@ describe("featured papers homepage media handling", () => {
       expect(cards).toHaveLength(2);
       expect(firstIframe).not.toBeNull();
       expect(firstIframe.getAttribute("loading")).toBe("lazy");
+      expect(firstIframe.getAttribute("allow")).toBe(
+        [
+          "accelerometer",
+          "autoplay",
+          "clipboard-write",
+          "encrypted-media",
+          "gyroscope",
+          "picture-in-picture",
+          "web-share",
+        ].join("; ")
+      );
       expect(firstIframe.getAttribute("sandbox")).toBe(
-        "allow-scripts allow-same-origin allow-presentation"
+        "allow-scripts allow-presentation"
       );
       expect(firstIframe.getAttribute("referrerpolicy")).toBe(
         "strict-origin-when-cross-origin"
@@ -111,4 +122,47 @@ describe("featured papers homepage media handling", () => {
     const firstCard = document.querySelector(".featured-paper");
     expect(firstCard.querySelector("iframe")).toBeNull();
   });
+
+  it("replaces inherited iframe permissions", async () => {
+    fetch.mockImplementation((url) => {
+      if (url === "/research/") {
+        return Promise.resolve({
+          ok: true,
+          text: () =>
+            Promise.resolve(`
+              <h3 id="1">[1] Featured paper with permissive iframe</h3>
+              <div class="tags"><span>Featured</span></div>
+              <iframe
+                src="https://www.youtube-nocookie.com/embed/xyz789"
+                allow="camera; microphone; geolocation"
+              ></iframe>
+            `),
+        });
+      }
+
+      return Promise.resolve({
+        ok: true,
+        text: () => Promise.resolve(""),
+      });
+    });
+
+    require("../assets/js/main.js");
+
+    window.dispatchEvent(new Event("load"));
+    await Promise.resolve();
+    await Promise.resolve();
+
+    const firstIframe = document.querySelector(".featured-paper iframe");
+    expect(firstIframe.getAttribute("allow")).toBe(
+      [
+        "accelerometer",
+        "autoplay",
+        "clipboard-write",
+        "encrypted-media",
+        "gyroscope",
+        "picture-in-picture",
+        "web-share",
+      ].join("; ")
+    );
+  });
 });

From 031eecde3de50be438851f4b1c4cdb5fdf8954b6 Mon Sep 17 00:00:00 2001
From: Vatsal Sanjay <vatsal.sanjay@comphy-lab.org>
Date: Wed, 1 Apr 2026 17:29:28 +0100
Subject: [PATCH 6/7] Close remaining client-side hardening gaps

Fix the still-relevant stale findings in the current tree: protect command-palette external links with noopener, build the research tag filter with DOM nodes instead of HTML string interpolation, stop reparsing research badge paragraph content through innerHTML, replace the remaining Dropbox-hosted research image with a local asset, and repair fix-quotes.sh so it no longer risks emptying files when run.
---
 _layouts/research.html            |  14 ++--
 _research/index.md                |   2 +-
 assets/js/command-data.js         |  91 +++++++++++++++-------
 scripts/fix-quotes.sh             |  34 ++++----
 tests/command-data-actual.test.js | 125 +++++++++++++++++++++++-------
 5 files changed, 185 insertions(+), 81 deletions(-)

diff --git a/_layouts/research.html b/_layouts/research.html
index e6c492a..3c6b779 100644
--- a/_layouts/research.html
+++ b/_layouts/research.html
@@ -355,33 +355,35 @@ <h3>Contents</h3>
             const badgeContainer = document.createElement('span');
             badgeContainer.className = 'badge-container';
             
-            // Get the text content before any badges
-            let textContent = '';
+            // Preserve non-badge content without reparsing it as HTML
+            const nonBadgeNodes = [];
             let hasNonBadgeContent = false;
             
             // First pass: collect all non-badge content
             for (let node of p.childNodes) {
               if (node.nodeType === 3) { // Text node
                 if (node.textContent.trim()) {
-                  textContent += node.textContent;
+                  nonBadgeNodes.push(document.createTextNode(node.textContent));
                   hasNonBadgeContent = true;
                 }
               } else if (node.nodeType === 1) { // Element node
                 const href = node.getAttribute('href');
                 if (!href || (!href.includes('arxiv.org') && !href.includes('github.com') && !href.includes('blogs.comphy-lab.org'))) {
-                  textContent += node.outerHTML;
+                  nonBadgeNodes.push(node.cloneNode(true));
                   hasNonBadgeContent = true;
                 }
               }
             }
             
             // Clear the paragraph
-            p.innerHTML = '';
+            p.replaceChildren();
             
             // Add back the text content if it exists
             if (hasNonBadgeContent) {
               const textSpan = document.createElement('span');
-              textSpan.innerHTML = textContent.trim();
+              nonBadgeNodes.forEach((node) => {
+                textSpan.appendChild(node);
+              });
               p.appendChild(textSpan);
             }
             
diff --git a/_research/index.md b/_research/index.md
index 6a1b5c9..696dc38 100644
--- a/_research/index.md
+++ b/_research/index.md
@@ -156,7 +156,7 @@ title: Research
 [![GitHub](https://img.shields.io/badge/GitHub-100000?style=flat-square&logo=github&logoColor=white)](https://github.com/VatsalSy/Impact-forces-of-water-drops-falling-on-superhydrophobic-surfaces.git)
 [![Blog](https://img.shields.io/badge/Blog-Coming%20Soon-yellow?style=flat-square&logo=obsidian&logoColor=white)](https://blogs.comphy-lab.org/0_ToDo-Blog-public)
 
-![Parameter space of drop impact](https://www.dropbox.com/scl/fi/rwrl444r73nayhw1jl4j2/SL2-theory_num.png?rlkey=ekywyjaui2n79djl4qtgevegn&raw=1){: width="75%" .center-block style="display: block; margin-left: auto; margin-right: auto;"}
+![Parameter space of drop impact](/assets/images/research/drop-impact-prl.png){: width="75%" .center-block style="display: block; margin-left: auto; margin-right: auto;"}
 
 <h3 id="14">[14] <strong>Sanjay, V.</strong>, Zhang, B., Lv, C., & Lohse, D. The role of viscosity on drop impact forces on non-wetting surfaces. J. Fluid Mech., 1004, A6 (2025).</h3>
 
diff --git a/assets/js/command-data.js b/assets/js/command-data.js
index 2b5a4a7..82882e6 100644
--- a/assets/js/command-data.js
+++ b/assets/js/command-data.js
@@ -3,6 +3,13 @@
 (function () {
   // Initialize command data
 
+  const openExternalUrl = (url) => {
+    const externalWindow = window.open(url, "_blank", "noopener,noreferrer");
+    if (externalWindow) {
+      externalWindow.opener = null;
+    }
+  };
+
   // Define the command data
   window.commandData = [
     // Navigation commands
@@ -85,7 +92,7 @@
       id: "github",
       title: "Visit GitHub",
       handler: () => {
-        window.open("https://github.com/comphy-lab", "_blank");
+        openExternalUrl("https://github.com/comphy-lab");
       },
 
       section: "External Links",
@@ -95,9 +102,8 @@
       id: "scholar",
       title: "Visit Google Scholar",
       handler: () => {
-        window.open(
+        openExternalUrl(
           "https://scholar.google.com/citations?user=tHb_qZoAAAAJ&hl=en",
-          "_blank"
         );
       },
 
@@ -108,7 +114,7 @@
       id: "youtube",
       title: "Visit YouTube Channel",
       handler: () => {
-        window.open("https://www.youtube.com/@CoMPhyLab", "_blank");
+        openExternalUrl("https://www.youtube.com/@CoMPhyLab");
       },
 
       section: "External Links",
@@ -118,7 +124,7 @@
       id: "bluesky",
       title: "Visit Bluesky",
       handler: () => {
-        window.open("https://bsky.app/profile/comphy-lab.org", "_blank");
+        openExternalUrl("https://bsky.app/profile/comphy-lab.org");
       },
 
       section: "External Links",
@@ -154,9 +160,8 @@
       id: "repository",
       title: "View Website Repository",
       handler: () => {
-        window.open(
-          "https://github.com/comphy-lab/comphy-lab.github.io",
-          "_blank"
+        openExternalUrl(
+          "https://github.com/comphy-lab/comphy-lab.github.io"
         );
       },
 
@@ -251,31 +256,65 @@
               tags.add(tag.textContent);
             });
 
-            let html = '<h2 style="margin-top: 0;">Filter Research by Tag</h2>';
-            html +=
-              '<div class="tag-filter-container" style="display: flex; flex-wrap: wrap; gap: 10px; margin: 20px 0;">';
+            const modalContent = document.createElement("div");
 
-            // Add clickable tag buttons
-            tags.forEach((tag) => {
-              html += `<button class="tag-filter-btn" style="padding: 8px 12px; background-color: #5b79a8; color: white; border: none; border-radius: 4px; cursor: pointer; margin: 5px;">${tag}</button>`;
-            });
+            const heading = document.createElement("h2");
+            heading.style.marginTop = "0";
+            heading.textContent = "Filter Research by Tag";
+            modalContent.appendChild(heading);
 
-            html += "</div>";
+            const tagContainer = document.createElement("div");
+            tagContainer.className = "tag-filter-container";
+            tagContainer.style.display = "flex";
+            tagContainer.style.flexWrap = "wrap";
+            tagContainer.style.gap = "10px";
+            tagContainer.style.margin = "20px 0";
+            modalContent.appendChild(tagContainer);
 
-            // Add keyboard navigation info
-            html += `<div style="margin-top: 15px; font-size: 0.9em; text-align: center; color: #888;">
-              <span style="margin-right: 15px;"><kbd>←</kbd> <kbd>→</kbd> <kbd>↑</kbd> <kbd>↓</kbd> to navigate</span>
-              <span style="margin-right: 15px;"><kbd>enter</kbd> to select</span>
-              <span><kbd>esc</kbd> to close</span>
-            </div>`;
+            tags.forEach((tag) => {
+              const button = document.createElement("button");
+              button.className = "tag-filter-btn";
+              button.type = "button";
+              button.style.padding = "8px 12px";
+              button.style.backgroundColor = "#5b79a8";
+              button.style.color = "white";
+              button.style.border = "none";
+              button.style.borderRadius = "4px";
+              button.style.cursor = "pointer";
+              button.style.margin = "5px";
+              button.textContent = tag;
+              tagContainer.appendChild(button);
+            });
 
-            // Add close button
-            html +=
-              '<div style="text-align: center; margin-top: 20px;"><button id="close-tag-filter" style="padding: 8px 16px; background-color: #333; color: white; border: none; border-radius: 4px; cursor: pointer;">Close</button></div>';
+            const instructions = document.createElement("p");
+            instructions.style.marginTop = "15px";
+            instructions.style.fontSize = "0.9em";
+            instructions.style.textAlign = "center";
+            instructions.style.color = "#888";
+            instructions.textContent =
+              "Use arrow keys to navigate, Enter to select, and Esc to close.";
+            modalContent.appendChild(instructions);
+
+            const closeWrapper = document.createElement("div");
+            closeWrapper.style.textAlign = "center";
+            closeWrapper.style.marginTop = "20px";
+
+            const closeButton = document.createElement("button");
+            closeButton.id = "close-tag-filter";
+            closeButton.type = "button";
+            closeButton.style.padding = "8px 16px";
+            closeButton.style.backgroundColor = "#333";
+            closeButton.style.color = "white";
+            closeButton.style.border = "none";
+            closeButton.style.borderRadius = "4px";
+            closeButton.style.cursor = "pointer";
+            closeButton.textContent = "Close";
+            closeWrapper.appendChild(closeButton);
+            modalContent.appendChild(closeWrapper);
 
             // Create modal using shared utility
             const modal = Utils.createModal({
-              content: html,
+              content: modalContent,
               darkMode: darkMode,
             });
 
diff --git a/scripts/fix-quotes.sh b/scripts/fix-quotes.sh
index acf0d6e..7bb1431 100755
--- a/scripts/fix-quotes.sh
+++ b/scripts/fix-quotes.sh
@@ -1,30 +1,22 @@
 #!/bin/bash
 
+set -euo pipefail
+
 # Script to fix quote style issues in JavaScript files
 cd "$(dirname "$0")/.." || exit 1
 
-# Detect the platform to use appropriate sed command
-if [[ "$(uname)" == "Darwin" ]]; then
-    # macOS (BSD sed)
-    sed_cmd="sed -i ''"
-else
-    # Linux/Unix (GNU sed)
-    sed_cmd="sed -i"
+ESLINT_BIN="./node_modules/.bin/eslint"
+
+if [[ ! -x "$ESLINT_BIN" ]]; then
+    echo "❌ Local ESLint binary not found at $ESLINT_BIN"
+    echo "   Run npm install before using scripts/fix-quotes.sh."
+    exit 1
 fi
 
-# Replace single quotes with double quotes in JavaScript files
-find ./assets/js -name "*.js" -type f -print0 | while IFS= read -r -d '' file; do
-    # Create a temp file for the transformation
-    tmp_file=$(mktemp)
-    
-    # Process the file
-    cat "$file" | $sed_cmd "s/'[^']*'/\$(echo & | sed 's/'/\"/g')/g" > "$tmp_file"
-    
-    # Move the temp file to the original
-    mv "$tmp_file" "$file"
-    
-    echo "Processed $file"
-done
+"$ESLINT_BIN" assets/js \
+    --ext .js \
+    --fix \
+    --rule 'quotes:["error","double",{"avoidEscape":true,"allowTemplateLiterals":true}]'
 
 # Let the user know we're done
-echo "Quote style fixed in JavaScript files"
\ No newline at end of file
+echo "Quote style fixed in JavaScript files"
diff --git a/tests/command-data-actual.test.js b/tests/command-data-actual.test.js
index 9ca9009..beb77a4 100644
--- a/tests/command-data-actual.test.js
+++ b/tests/command-data-actual.test.js
@@ -8,62 +8,133 @@ global.Fuse = jest.fn().mockImplementation(() => ({
 }));
 global.sortCoursesByDate = jest.fn();
 
-describe('command-data.js actual implementation', () => {
+describe("command-data.js actual implementation", () => {
   beforeEach(() => {
     // Clear any previous command data
     window.commandData = [];
     window.searchData = [];
-    
+    window.matchMedia = jest.fn().mockReturnValue({ matches: false });
+    window.open = jest.fn();
+
     // Reset DOM
-    document.body.innerHTML = '';
-    
+    document.body.innerHTML = "";
+    Object.defineProperty(window.HTMLElement.prototype, "scrollIntoView", {
+      configurable: true,
+      value: jest.fn(),
+    });
+
+    window.Utils = {
+      isMacPlatform: jest.fn().mockReturnValue(false),
+      createModal: jest.fn(({ content }) => {
+        const modal = document.createElement("div");
+        const contentEl = document.createElement("div");
+        contentEl.setAttribute("tabindex", "-1");
+        if (typeof content === "string") {
+          contentEl.innerHTML = content;
+        } else {
+          contentEl.appendChild(content);
+        }
+        modal.appendChild(contentEl);
+        modal.closeModal = jest.fn(() => modal.remove());
+        return modal;
+      }),
+    };
+
     // Reset mocks
     jest.clearAllMocks();
     jest.resetModules();
   });
 
-  it('should load and define window.commandData', () => {
+  it("should load and define window.commandData", () => {
     // Load the actual module
-    require('../assets/js/command-data.js');
-    
+    require("../assets/js/command-data.js");
+
     // Check that commandData is defined
     expect(window.commandData).toBeDefined();
     expect(Array.isArray(window.commandData)).toBe(true);
     expect(window.commandData.length).toBeGreaterThan(0);
   });
 
-  it('should have navigation commands', () => {
-    require('../assets/js/command-data.js');
-    
-    const navigationCommands = window.commandData.filter(cmd => cmd.section === 'Navigation');
+  it("should have navigation commands", () => {
+    require("../assets/js/command-data.js");
+
+    const navigationCommands = window.commandData.filter(
+      (cmd) => cmd.section === "Navigation"
+    );
     expect(navigationCommands.length).toBeGreaterThan(0);
-    
+
     // Check for specific navigation commands
-    const homeCommand = window.commandData.find(cmd => cmd.id === 'home');
+    const homeCommand = window.commandData.find((cmd) => cmd.id === "home");
     expect(homeCommand).toBeDefined();
-    expect(homeCommand.title).toBe('Go to Home');
+    expect(homeCommand.title).toBe("Go to Home");
   });
 
-  it('should add event listener on DOMContentLoaded', () => {
-    const addEventListenerSpy = jest.spyOn(document, 'addEventListener');
-    
-    require('../assets/js/command-data.js');
-    
+  it("should add event listener on DOMContentLoaded", () => {
+    const addEventListenerSpy = jest.spyOn(document, "addEventListener");
+
+    require("../assets/js/command-data.js");
+
     // Check that DOMContentLoaded listener was added
-    expect(addEventListenerSpy).toHaveBeenCalledWith('DOMContentLoaded', expect.any(Function));
+    expect(addEventListenerSpy).toHaveBeenCalledWith(
+      "DOMContentLoaded",
+      expect.any(Function)
+    );
   });
 
-  it('should handle page-specific initialization', () => {
+  it("should handle page-specific initialization", () => {
     // Update the current URL without replacing the jsdom location object.
-    window.history.replaceState({}, '', '/team/');
-    
-    require('../assets/js/command-data.js');
-    
+    window.history.replaceState({}, "", "/team/");
+
+    require("../assets/js/command-data.js");
+
     // Trigger DOMContentLoaded
-    const event = new Event('DOMContentLoaded');
+    const event = new Event("DOMContentLoaded");
     document.dispatchEvent(event);
-    
+
     // Should not throw errors
     expect(window.commandData).toBeDefined();
   });
+
+  it("opens external links with noopener protection", () => {
+    const externalWindow = { opener: { location: "about:blank" } };
+    window.open = jest.fn().mockReturnValue(externalWindow);
+
+    require("../assets/js/command-data.js");
+
+    const githubCommand = window.commandData.find((cmd) => cmd.id === "github");
+    githubCommand.handler();
+
+    expect(window.open).toHaveBeenCalledWith(
+      "https://github.com/comphy-lab",
+      "_blank",
+      "noopener,noreferrer"
+    );
+    expect(externalWindow.opener).toBeNull();
+  });
+
+  it("renders research tag buttons as text", () => {
+    window.history.replaceState({}, "", "/research");
+    document.body.innerHTML = `
+      <div class="tags">
+        <span></span>
+      </div>
+    `;
+    document.querySelector(".tags span").textContent = "<img src=x>";
+
+    require("../assets/js/command-data.js");
+
+    document.dispatchEvent(new Event("DOMContentLoaded"));
+
+    const filterCommand = window.commandData.find(
+      (cmd) => cmd.id === "filter-research"
+    );
+    filterCommand.handler();
+
+    const modal = document.body.lastElementChild;
+    const tagButton = modal.querySelector(".tag-filter-btn");
+
+    expect(tagButton).not.toBeNull();
+    expect(tagButton.textContent).toBe("<img src=x>");
+    expect(tagButton.querySelector("img")).toBeNull();
+  });
 });

From 82bd3c84953d98bc2fea221f194561e4d7ab23ee Mon Sep 17 00:00:00 2001
From: comphy-bot <worthington@comphy-lab.org>
Date: Wed, 1 Apr 2026 17:42:37 +0100
Subject: [PATCH 7/7] Remove invalid trailing comma in link helper

---
 assets/js/command-data.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/assets/js/command-data.js b/assets/js/command-data.js
index 82882e6..fa69cdc 100644
--- a/assets/js/command-data.js
+++ b/assets/js/command-data.js
@@ -103,7 +103,7 @@
       title: "Visit Google Scholar",
       handler: () => {
         openExternalUrl(
-          "https://scholar.google.com/citations?user=tHb_qZoAAAAJ&hl=en",
+          "https://scholar.google.com/citations?user=tHb_qZoAAAAJ&hl=en"
         );
       },