fix: sanitize API_KEY and BLOCK_PRIVATE_IPS in config generation

- Fix Issue 1: Normalize BLOCK_PRIVATE_IPS to safe boolean (true/false) using shell case statement to prevent PHP injection from non-boolean values like 'yes'
- Fix Issue 2: Strip single quotes from API_KEY to prevent PHP string injection if the value contains quotes
- Update docker-compose-dev.yml to document these configuration options

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose-dev.yml

@@ -13,5 +13,7 @@ services:
 
     environment:
       - URL=http://localhost:8080
+      # - API_KEY=your-secret-key      # if set, all /api requests must provide it
+      # - BLOCK_PRIVATE_IPS=true       # block LAN/loopback/metadata IPs (recommended for public hosting)
     ports:
       - 8080:80

docker/start.sh

@@ -14,11 +14,18 @@ chmod 777 /srv/logs
 
 echo ' [+] Building config'
 _buildConfig() {
+    local block_private api_key
+    case "${BLOCK_PRIVATE_IPS:-false}" in
+        true|1|yes) block_private=true ;;
+        *)          block_private=false ;;
+    esac
+    api_key="${API_KEY:-}"
+    api_key="${api_key//\'/}"
     echo "<?php"
     echo "date_default_timezone_set('Europe/Vienna');"
     echo "define('URL','${URL:-http://localhost:8080}');"
-    echo "define('API_KEY','${API_KEY:-}');"
+    echo "define('API_KEY','${api_key}');"
-    echo "define('BLOCK_PRIVATE_IPS',${BLOCK_PRIVATE_IPS:-false});"
+    echo "define('BLOCK_PRIVATE_IPS',${block_private});"
     echo ""
 }