
Change dev command from pnpm to npm #26

Closed

JocelynYZAX wants to merge 1 commit into InvolutionHell:main from JocelynYZAX:patch-1

Conversation

@JocelynYZAX (Contributor)

No description provided.

@longsizhuo (Member)

Doesn't this conflict? The previous PR is still telling everyone to install pnpm.

@longsizhuo longsizhuo closed this Sep 14, 2025
ashert-hsueh pushed a commit to ashert-hsueh/involutionhell.github.io that referenced this pull request Jun 26, 2026
Added lib/json-ld.ts, which replaces the characters in JSON.stringify output that can close a <script> block
(< > & U+2028 U+2029) with their literal 6-character \uXXXX sequences. JSON.parse can still
restore them; the browser's HTML parser never sees a < and so does not close the script block, which blocks stored XSS.

Migration points:
- personJsonLd in app/[locale]/u/[username]/page.tsx (includes the user bio, the largest attack surface)
- articleJsonLd / breadcrumbJsonLd in app/[locale]/docs/[...slug]/page.tsx
- WebSite / Organization structured data in app/layout.tsx (all constants today, but
  migrated as well for defense in depth, so nothing is missed if user-generated fields are added later)

Tests: 4 cases in tests/json-ld.test.ts
- a </script> attack payload no longer appears in the output
- ordinary objects are still valid JSON (JSON.parse restores them)
- < > & are all escaped
- user-generated fields round-trip without loss

Docs: docs/SECURITY_INVARIANTS.md gains an INV-FE-001 entry, sharing the same invariant numbering space
as SECURITY.md in the backend repository (the frontend uses the INV-FE-* prefix to avoid collisions).

History: starting point of attack chain A from the 2026-05-07 three-party CR. Closed out together with backend repository
PR InvolutionHell#26 (admin→superadmin privilege escalation blocked / chat unauthorized writes blocked / password migration to
bcrypt / user_follows table created / weak default passwords in compose tightened).
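The escaping the commit message above describes, as an added example that is not the project's lib/json-ld.ts or its tests. The function names, the sample Person object and the attack payload are constructed here. The example also shows the "before" side: raw JSON.stringify output dropped into an inline script, and what the HTML tokenizer would hand to the browser after the attacker's </script>. One caveat the commit message glosses over: U+2028 and U+2029 do not close a script block; they are JavaScript line terminators, and escaping them keeps the same serializer safe if the JSON is ever inlined as a JS literal rather than as application/ld+json.

```typescript
// Added example, not the project's lib/json-ld.ts: escape the characters that
// let attacker-controlled JSON break out of an inline <script> block, and
// contrast it with raw JSON.stringify output. Names and sample data are
// constructed for this example.

// Each dangerous character maps to the literal 6-character \uXXXX sequence.
// JSON.parse decodes these escapes, so data round-trips unchanged, while the
// HTML tokenizer never sees a raw '<' and therefore cannot match "</script".
const JSON_LD_ESCAPES: Readonly<Record<string, string>> = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028", // LINE SEPARATOR: a JS line terminator, not an HTML closer
  "\u2029": "\\u2029", // PARAGRAPH SEPARATOR: same
};

const JSON_LD_ESCAPE_RE = /[<>&\u2028\u2029]/g;

// Serialise data for inlining in <script type="application/ld+json">.
function safeJsonLd(data: unknown): string {
  return JSON.stringify(data).replace(JSON_LD_ESCAPE_RE, (ch) => JSON_LD_ESCAPES[ch] ?? ch);
}

// The vulnerable "before": raw JSON.stringify output placed straight into the page.
function unsafeJsonLd(data: unknown): string {
  return JSON.stringify(data);
}

function ldScriptTag(json: string): string {
  return `<script type="application/ld+json">${json}</script>`;
}

// Approximates the HTML tokenizer: inside a script element the first "</script"
// (case-insensitive) ends the element, regardless of JSON string boundaries.
// Returns the markup the browser would go on to parse AFTER that first close,
// i.e. what an attacker gets to inject. An empty string means only the
// intended closing tag was found.
function injectedMarkup(html: string): string {
  const bodyStart = html.indexOf(">") + 1;
  const closeOffset = html.slice(bodyStart).search(/<\/script/i);
  if (closeOffset < 0) return "";
  return html.slice(bodyStart + closeOffset).replace(/^<\/script\s*>/i, "");
}

// Constructed sample: a user profile whose bio carries a stored-XSS payload.
const evilBio = "</script><script>alert(document.cookie)</script>";
const samplePerson = {
  "@context": "https://schema.org",
  "@type": "Person",
  name: "attacker",
  description: evilBio,
};

function demo(): { unsafeLeak: string; safeLeak: string; roundTrips: boolean } {
  const unsafeLeak = injectedMarkup(ldScriptTag(unsafeJsonLd(samplePerson)));
  const safe = safeJsonLd(samplePerson);
  const safeLeak = injectedMarkup(ldScriptTag(safe));
  // JSON.parse turns \u003c back into '<', so the page data is unchanged.
  const roundTrips = JSON.stringify(JSON.parse(safe)) === JSON.stringify(samplePerson);
  return { unsafeLeak, safeLeak, roundTrips };
}

const demoResult = demo();
console.log("unsafe: browser would parse ->", demoResult.unsafeLeak);
console.log("safe:   leaked markup       ->", JSON.stringify(demoResult.safeLeak));
console.log("safe output round-trips     ->", demoResult.roundTrips);
```

Escaping the characters rather than stripping them is what keeps the last two test cases in the commit message (valid JSON, lossless round-trip) true at the same time as the first one; note that the raw "before" output above fails only because JSON.stringify does not escape `<` or `/`, which is standards-conforming behaviour and not a bug in the serializer.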
2 participants