Fixes XSS via malicious userscript @name, @author, @version, @description
metadata and script setting titles/descriptions. Also escapes checkbox
grid labels. All use existing escapeHtml() helper.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Security fixes:
- Replace Caesar cipher with electron.safeStorage for account credentials
- Validate shell.openExternal URLs (allow only http/https protocols)
- Remove rejectUnauthorized:false from all HTTPS calls
- Add redirect domain validation to auto-updater
- Fix XSS in matchmaker popup (innerHTML → textContent/createTextNode)
- Add IPC config key whitelist to prevent arbitrary store access
- Credentials never sent to renderer; decrypted on-demand via IPC

Optimizations and cleanup:
- Simplify onBeforeRequest from double-registration to single handler
- Lazy-init matchmaker popup DOM (defer until first use)
- Invalidate game config cache immediately on write, not on flush
- Remove unused STANDARD_ASSET_RE and KeybindDef exports
- Deduplicate Keybind type (import from config.ts)
- Replace custom hasOwn wrapper with Object.hasOwn

Bug fix:
- Stop Krunker's global keydown handler from eating keystrokes in
  alt manager input fields (stopPropagation)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
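The two URL checks named in the security-fix list above (http/https only for shell.openExternal, redirect domain validation for the auto-updater), as an added example that is not code from the Krunker Civilian Client repository. The function names and the allowlisted hosts are constructed placeholders.

```javascript
// Added example. All names and hosts here are hypothetical, not the client's own.
const EXTERNAL_PROTOCOLS = new Set(['http:', 'https:']);
// Constructed placeholder hosts for the updater redirect allowlist.
const UPDATE_HOSTS = new Set(['updates.example.com', 'cdn.example.net']);

// Parse with the WHATWG URL parser; prefix or regex checks on the raw
// string are easy to get wrong (case, whitespace, userinfo, lookalike hosts).
function parseUrl(raw) {
  if (typeof raw !== 'string') return null;
  try { return new URL(raw); } catch { return null; }
}

// Gate for anything handed to shell.openExternal: http/https only, so
// file:, javascript:, smb: and custom protocol handlers never reach the OS.
function isSafeExternalUrl(raw) {
  const url = parseUrl(raw);
  return url !== null && EXTERNAL_PROTOCOLS.has(url.protocol);
}

// Gate for each redirect hop of an update download: https, exact host
// match (no suffix matching), no embedded credentials, default port only.
function isAllowedUpdateRedirect(raw, hosts = UPDATE_HOSTS) {
  const url = parseUrl(raw);
  if (url === null || url.protocol !== 'https:') return false;
  if (url.username !== '' || url.password !== '') return false;
  if (url.port !== '') return false;
  return hosts.has(url.hostname);
}

// Resolve a Location header against the current URL and return the next
// hop only if it passes the allowlist; null means "stop following".
function nextHop(currentUrl, locationHeader) {
  let target;
  try { target = new URL(locationHeader, currentUrl).href; } catch { return null; }
  return isAllowedUpdateRedirect(target) ? target : null;
}
```

The redirect check has to run on every hop, not just the first request, and TLS verification must stay enabled for the host match to mean anything.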
Show Accounts menu button even with no saved accounts so users can
add accounts from the in-game menu. Remove hardcoded electronDist
from electron-builder.yml — let electron-builder auto-detect on
Linux CI, Windows CI overrides via -c.electronDist flag.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

On non-Windows (CI), skip writing path.txt so electron-nightly still
downloads the native Linux binary into dist/. The patched Windows
binary goes to dist-win/ and is used via -c.electronDist override.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Rename data folders from KCCClient to "Krunker Civilian Client" for
swapper, userscripts, and documents output. Bump version to 0.5.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Point electron download script to Krunker-Civilian-Client repo.
Remove mirror-releases workflow (repo is public, no KPC copy needed).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Replace old KPC placeholder icon with new crosshair design. Generate
multi-size .ico (16-256px) and .png from 1024x1024 source. Update
Discord RPC to new application ID (1477679025248800982).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Cross-platform Krunker.io game client forked from Krunker Police Client
with all KPD/moderator features stripped: no KPD auth, OBS recording,
evidence uploads, yt-dlp, bytenode, or code obfuscation.
Retained: unlimited FPS (custom Electron 42), ad blocking, resource
swapper, matchmaker, userscripts, chat translator, Discord RPC, alt
account manager, configurable keybinds, and advanced Chromium flags.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>