Merge pull request #82 from acaptutorials/dev

acaptutorials · web-flow · commit 665a2d2da788 · 2025-02-05T17:42:57.000+08:00
v1.3.1
diff --git a/docs/pages/announcements/firebase-storage-2024.mdx b/docs/pages/announcements/firebase-storage-2024.mdx
@@ -140,20 +140,27 @@ Yes. Ensuring **system integrity** and **strong security measures** is critical
 
 Activating a paid Firebase subscription unlocks advanced features, but security considerations must be addressed first. Unresolved security flaws introduced in the latest major updates for ACAP 2.0+ could lead to <u>data breaches</u>, <u>unauthorized changes</u>, and <u>increased costs</u>.
 
-<Callout type="error">
-Before activating a paid Firebase subscription, consider whether unresolved [ACAP Security Technical Debts](/changelog#acap-2-security-debts) exist. **ACAP 2.0+ introduces known security flaws** that may impact user confidentiality, system integrity, and reliability.
+<Callout type="error" emoji="">
+🚫
+
+Before activating a paid Firebase subscription, consider whether unresolved [ACAP Security Technical Debts](/changelog#acap-2-security-debts) exist. **[ACAP 2.0+](/changelog/#version-2-acap-20) introduces known security flaws** that may impact user confidentiality, system integrity, and reliability.
 
 #### Key issues include:
 
 1. **Lenient Firestore security rules** – Direct **writes via Firestore REST APIs** bypass front-end controls, potentially allowing unauthorized data entry.
-   ```
+   ```text copy
    Temporary Mitigation: Restrict writes using Firestore security rules.
-   Permanent Mitigation: Perform database WRITE operations from the
-      Node backend coupled with data validation.
-   ```
-2. **Cross-Site Scripting (XSS) vulnerability** – **WYSIWYG crop recommendations** (only when editing recommendations) allow unvalidated HTML input, which may lead to stored XSS attacks (malicious scripts that persist in the database and execute when viewed).
+   Permanent Mitigation: Permanently restrict writes using
+      Firestore security rules and perform database WRITE operations
+      from the Node backend coupled with data validation.
    ```
+2. **Cross-Site Scripting (XSS) vulnerability** – **WYSIWYG crop recommendations** (only when "editing" recommendations) allow unvalidated HTML input, which may lead to stored XSS attacks (malicious scripts that persist in the database and execute when viewed).
+   ```text copy
    Temporary Mitigation: Implement input sanitization before storage.
+   Permanent Mitigation: Permanently restrict writes using
+      Firestore security rules and perform database WRITE operations
+      from the Node backend coupled with more
+      robust/predictable data sanitization.
    ```
 3. **Firestore database pollution** – Insufficient validation in **"Support Services"** data allows disorganized writes, which could:
    - Lead to excessive Firebase usage.
