Update RELEASE.md with CSRF_SECRET instructions

Added instructions for the required CSRF_SECRET environment variable for CSRF protection in Kubernetes deployments.

backend/src/security.ts

@@ -30,9 +30,7 @@ let activeConfig: SecurityConfig = { ...defaultConfig };
  * Configure security settings
  * @param config Partial configuration to merge with defaults
  */
-export const configureSecuritySettings = (
+export const configureSecuritySettings = (config: Partial<SecurityConfig>): void => {
-  config: Partial<SecurityConfig>
-): void => {
   activeConfig = { ...activeConfig, ...config };
 };
 
@@ -320,13 +318,10 @@ export const appStateSchema = z
       .optional()
       .nullable(),
     currentItemRoundness: z
-      .union([
+      .object({
-        z.enum(["sharp", "round"]),
+        type: z.enum(["round", "sharp"]),
-        z.object({
+        value: z.number().finite().min(0).max(1),
-          type: z.enum(["round", "sharp"]),
+      })
-          value: z.number().finite().min(0).max(1),
-        }),
-      ])
       .optional()
       .nullable(),
     currentItemFontSize: z
@@ -432,19 +427,10 @@ export const sanitizeDrawingData = (data: {
       ];
 
       // Dangerous URL protocols to block entirely
-      const dangerousProtocols = [
+      const dangerousProtocols = [/^javascript:/i, /^vbscript:/i, /^data:text\/html/i];
-        /^javascript:/i,
-        /^vbscript:/i,
-        /^data:text\/html/i,
-      ];
 
       // Suspicious patterns for security validation within data URLs
-      const suspiciousPatterns = [
+      const suspiciousPatterns = [/<script/i, /javascript:/i, /on\w+\s*=/i, /<iframe/i];
-        /<script/i,
-        /javascript:/i,
-        /on\w+\s*=/i,
-        /<iframe/i,
-      ];
 
       // Maximum size for dataURL (configurable, default 10MB to prevent DoS)
       const MAX_DATAURL_SIZE = activeConfig.maxDataUrlSize;
@@ -462,8 +448,8 @@ export const sanitizeDrawingData = (data: {
                 const normalizedValue = value.toLowerCase();
 
                 // First, check for dangerous protocols - block these entirely
-                const hasDangerousProtocol = dangerousProtocols.some(
+                const hasDangerousProtocol = dangerousProtocols.some((pattern) =>
-                  (pattern) => pattern.test(value)
+                  pattern.test(value)
                 );
 
                 if (hasDangerousProtocol) {
@@ -479,8 +465,8 @@ export const sanitizeDrawingData = (data: {
 
                 if (isSafeImageType) {
                   // Check for suspicious content and size limits
-                  const hasSuspiciousContent = suspiciousPatterns.some(
+                  const hasSuspiciousContent = suspiciousPatterns.some((pattern) =>
-                    (pattern) => pattern.test(value)
+                    pattern.test(value)
                   );
                   const isTooLarge = value.length > MAX_DATAURL_SIZE;
 
@@ -584,7 +570,7 @@ const getCsrfSecret = (): Buffer => {
   const envLabel = process.env.NODE_ENV ? ` (${process.env.NODE_ENV})` : "";
   console.warn(
     `[security] CSRF_SECRET is not set${envLabel}. Using an ephemeral per-process secret. ` +
-      "For horizontal scaling (k8s), set CSRF_SECRET to the same value on all instances."
+    "For horizontal scaling (k8s), set CSRF_SECRET to the same value on all instances."
   );
   return cachedCsrfSecret;
 };

frontend/src/pages/Editor.tsx

@@ -301,7 +301,6 @@ export const Editor: React.FC = () => {
 
     try {
       const persistableAppState = {
-        ...appState,
         viewBackgroundColor: appState?.viewBackgroundColor || '#ffffff',
         gridSize: appState?.gridSize || null,
       };