correct threshold status code

server/main.go

@@ -4,6 +4,8 @@
 //  * check that the body contains a proper last-modified tag
 //  * implement peer sharing and receiving
 //  * display HTML safely (strip javascript with sanitize API maybe?)
+//    * the sanitize API is not yet available anywhere (6/15/22)
+//    * https://developer.mozilla.org/en-US/docs/Web/API/Sanitizer/sanitize#browser_compatibility
 //  * add /<key> to show a single board
 package main
 
@@ -241,8 +243,7 @@ func (s *Spring83Server) publishBoard(w http.ResponseWriter, r *http.Request) {
 		// than <an inscrutable gigantic number>
 		if binary.BigEndian.Uint64(key) >= keyThreshold {
 			if err != nil || len(key) != 32 {
-				// the spec doesn't specify the proper return value in this case
-				http.Error(w, "Key greater than threshold", http.StatusBadRequest)
+				http.Error(w, "Key greater than threshold", http.StatusForbidden)
 				return
 			}
 		}

server/templates/index.html

@@ -16,11 +16,12 @@ window.addEventListener("DOMContentLoaded", (_evt) => {
   });
   document.querySelector("#containers").innerHTML = divs.join("\n");
 
-  // maybe use: https://developer.mozilla.org/en-US/docs/Web/API/Sanitizer/sanitize
-  // to try and strip XSS/scripts?
   boards.forEach(board => {
     const container = document.querySelector(`#b${board.Key}`);
     const shadow = container.attachShadow({mode: 'closed'});
+
+    // would like to use SetHTML, which would sanitize the DOM, but it's not
+    // yet available. This HTML can run scripts and XSS on you
     shadow.innerHTML = board.Board;
   });
 });