Change dev command from pnpm to npm #26
Closed
JocelynYZAX wants to merge 1 commit into
Member
There's a conflict here, isn't there? The previous PR is still telling everyone to install pnpm.
ashert-hsueh pushed a commit to ashert-hsueh/involutionhell.github.io that referenced this pull request on Jun 26, 2026
Add lib/json-ld.ts, which replaces the characters in JSON.stringify output that can close a <script> block (< > & U+2028 U+2029) with literal six-character \uXXXX sequences. JSON.parse can still restore them; the browser's HTML parser never sees a <, so it naturally does not close the script block, blocking stored XSS.

Migrated call sites:
- personJsonLd in app/[locale]/u/[username]/page.tsx (contains the user bio, the largest attack surface)
- articleJsonLd / breadcrumbJsonLd in app/[locale]/docs/[...slug]/page.tsx
- the WebSite / Organization structured data in app/layout.tsx (currently all constants, but migrated together as defense-in-depth so that a user-generated field added later cannot be missed)

Tests: tests/json-ld.test.ts, 4 cases covering
- the </script> attack payload no longer appears in the output
- ordinary objects remain valid JSON (JSON.parse restores them)
- < > & are all escaped
- user-generated fields round-trip faithfully

Docs: docs/SECURITY_INVARIANTS.md gains an INV-FE-001 entry, sharing the same invariant numbering space with the backend repository's SECURITY.md (the frontend uses the INV-FE-* prefix to avoid collisions).

History: starting point of attack chain A from the 2026-05-07 three-party CR. Closed out together with backend repository PR InvolutionHell#26 (blocking admin→superadmin privilege escalation / blocking unauthorized chat writes / migrating passwords to bcrypt / creating the missing user_follows table / tightening weak default passwords in compose).
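The escaping scheme the commit message describes, written out as an added example. This is not the repository's lib/json-ld.ts (the page does not show that file) and the names safeJsonLd, hasScriptBreakout, fullyEscaped, roundTrips and the sample bio are assumptions; the checks at the bottom mirror the four cases the commit message says tests/json-ld.test.ts covers.

```typescript
// Added example, not the repository's lib/json-ld.ts. Function and variable
// names are assumptions.
// Idea from the commit message: after JSON.stringify, replace every character
// that can end a <script> element or a JS string literal (< > & U+2028 U+2029)
// with its literal six-character \uXXXX escape. JSON.parse decodes the escape
// back to the original character, but the HTML tokenizer, which knows nothing
// about JSON, never sees a raw "<" and therefore never finds "</script".

const JSON_LD_UNSAFE = /[<>&\u2028\u2029]/g;

// "<" -> "\u003c", U+2028 -> "\u2028" (the backslash is literal in the output)
function toUnicodeEscape(ch: string): string {
  return "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0");
}

// Serialise a JSON-LD object for embedding in <script type="application/ld+json">.
function safeJsonLd(value: unknown): string {
  return JSON.stringify(value).replace(JSON_LD_UNSAFE, toUnicodeEscape);
}

// Constructed attacker-controlled profile bio (sample input, not real data):
// with plain JSON.stringify the "</script>" lands verbatim in the HTML, the
// tokenizer closes the JSON-LD element early, and what follows executes.
const constructedBio =
  "</script><script>alert(document.domain)</script>\u2028trailing";

const personJsonLd = {
  "@context": "https://schema.org",
  "@type": "Person",
  name: "constructed-user",
  description: constructedBio,
};

// True when the serialised text still contains an end-tag open sequence.
// The HTML script-data state ends on "</script" case-insensitively, so any
// raw "</" is treated as a break-out.
function hasScriptBreakout(serialized: string): boolean {
  return /<\//.test(serialized);
}

// True when no raw instance of the five risky characters survives.
function fullyEscaped(serialized: string): boolean {
  return !/[<>&\u2028\u2029]/.test(serialized);
}

// True when JSON.parse restores the original object exactly, i.e. the
// escaping is transparent to any consumer that parses the JSON-LD.
function roundTrips(value: unknown): boolean {
  return JSON.stringify(JSON.parse(safeJsonLd(value))) === JSON.stringify(value);
}
```

The escaping matters because JSON-LD is normally injected raw into the page (in React via dangerouslySetInnerHTML), so the framework does no HTML escaping of its own, and ordinary HTML entity encoding is not an option either since the text must stay valid JSON. Escaping only the characters that the HTML tokenizer cares about keeps both parsers happy: the browser sees no markup, and a crawler's JSON.parse gets the original string back.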
No description provided.