From fde324d1a764841debefedf588c4b06a3f73484c Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Tue, 17 Feb 2026 06:27:32 +0000
Subject: Fix link underlines in v3 UI and SSRF proxy bypass

- Add text-decoration: none to .item-description a links in v3 CSS
  to match v1 style (no underlines on feed item content links)
- Fix safehttp to disable proxy on safe client; without this, HTTP
  proxy env vars bypass the DialContext SSRF check for IPs like
  10.0.0.1, causing TestSafeClient to fail

https://claude.ai/code/session_01DpWhB9uGGMBnzqS28HxnuV
---
 frontend-vanilla/src/style.css | 5 +++++
 internal/safehttp/safehttp.go  | 1 +
 2 files changed, 6 insertions(+)

diff --git a/frontend-vanilla/src/style.css b/frontend-vanilla/src/style.css
index a3a7978..5fb436c 100644
--- a/frontend-vanilla/src/style.css
+++ b/frontend-vanilla/src/style.css
@@ -422,6 +422,11 @@ select:focus {
   word-break: break-word;
 }
 
+.item-description a {
+  text-decoration: none;
+  color: var(--link-color);
+}
+
 .item-description img,
 .item-description video,
 .item-description pre {
diff --git a/internal/safehttp/safehttp.go b/internal/safehttp/safehttp.go
index e0859c4..f2c316b 100644
--- a/internal/safehttp/safehttp.go
+++ b/internal/safehttp/safehttp.go
@@ -80,6 +80,7 @@ func NewSafeClient(timeout time.Duration) *http.Client {
 
 	transport := http.DefaultTransport.(*http.Transport).Clone()
 	transport.DialContext = SafeDialer(dialer)
+	transport.Proxy = nil // Disable proxy to ensure SSRF checks are not bypassed
 
 	return &http.Client{
 		Timeout:   timeout,
-- 
cgit v1.2.3