aboutsummaryrefslogtreecommitdiff
path: root/package.json
Commit message (Collapse)AuthorAgeFilesLines
* fix(security): sanitize badge_wall_css server-side, render via textContentFuwn29 hours1-0/+2
| | | | | | | | | | | | | | | | Custom badge-wall CSS was sanitised only client-side with a fragile regex and injected via innerHTML, while the stored value stayed raw. Sanitise at the write boundary instead (setCSS, covering both the REST and GraphQL paths) with a css-tree pass that parses leniently and drops @import, behavior/-moz-binding, expression()/javascript: values, and </style> break-out attempts; render with textContent instead of innerHTML so break-out is impossible by construction (CSP already blocks inline script). css-tree stays server-only. A behaviour-gate test confirms ordinary CSS (backdrop-filter, content, url(), @media, @keyframes) is preserved while the dangerous constructs are removed. The previous regex also silently stripped all `content:` declarations; those now render correctly.
* fix(security): sanitize third-party RSS HTML before {@html}Fuwn38 hours1-0/+1
| | | | | | | | | | | The /updates page rendered manga/novel feed fields (content, titles, series names) from mangaupdates/syosetu/wlnupdates via {@html} with no sanitization. CSP already blocks script execution, but injected markup could still phish, redirect, or track. Add sanitizeFeedHtml (DOMPurify with a small safe allow-list) and apply it on ingest. A behaviour-gate test plus a check against the live mangaupdates feed confirm legitimate formatting (entities, <i>/<b>/<a href>) is preserved while <script>, event handlers, <iframe>/<meta>/<style> and javascript: URLs are removed.
* feat(scroll): add global smooth scrolling via LenisFuwn2026-05-081-0/+1
|
* fix(dev): route portless .localhost URL through app origin and proxy CORSFuwn2026-04-181-1/+1
|
* build(dev): use portless for named .localhost dev URLFuwn2026-04-181-1/+2
|
* chore: normalise graphql generation scriptsFuwn2026-03-221-2/+3
|
* chore(pnpm): Update pnpmFuwn2026-03-221-1/+1
|
* chore(effect): add v4 cookie decode foundation and testsFuwn2026-03-031-0/+1
|
* chore(dx): add fast changed-files lint and format commandsFuwn2026-03-011-1/+5
|
* chore(dx): add local check with fallback env defaultsFuwn2026-03-011-1/+2
|
* chore(dx): add CI-equivalent local check commandFuwn2026-03-011-0/+1
|
* ci(quality): add graphql + env placeholders for reproducible typecheckFuwn2026-03-011-0/+1
|
* chore(trigger): migrate project setup from v3 to v4Fuwn2026-03-011-2/+1
|
* chore(tooling): add biome format check scriptFuwn2026-03-011-1/+2
|
* chore(biome): drop formatter style overridesFuwn2026-03-011-65/+65
|
* chore(tooling): remove legacy eslint and prettierFuwn2026-03-011-7/+0
|
* chore(tooling): migrate lint and format to biomeFuwn2026-03-011-2/+3
|
* fix(anime): unify due classification and harden subtitle matchingFuwn2026-03-011-1/+3
|
* feat(+layout.svelte): Add Web AnalyticsFuwn2026-01-261-0/+1
|
* feat: Add BotIDFuwn2026-01-261-0/+1
|
* chore(deps): Update Trigger.dev packagesFuwn2026-01-231-2/+2
|
* fix: Add null guards and improve error messaging for user lookupsFuwn2026-01-231-2/+1
|
* fix: Resolve unused imports, dead code, and type definitionsFuwn2026-01-231-0/+1
|
* deps(houdini): Bump version to nextFuwn2026-01-231-1/+1
|
* chore(prettier): Remove deprecated pluginSearchDirs optionFuwn2026-01-231-2/+2
|
* fix(deps): Add missing fast-levenshtein dependencysvelte-5-migrationFuwn2026-01-221-3/+4
|
* chore(deps): Prepare for CorepackFuwn2026-01-221-1/+2
|
* chore(deps): Migrate from npm to pnpmFuwn2026-01-221-9/+1
|
* fix(notifications): Replace svelte-notifications with custom store for Svelte 5Fuwn2026-01-221-1/+0
|
* fix(deps): Pin SvelteKit and adapter versions for sveltekit-graphql ↵Fuwn2026-01-221-3/+11
| | | | compatibility
* deps(svelte): Migrate to Svelte 5 with compatibility modeFuwn2026-01-221-1/+3
|
* deps(svelte): Migrate to Svelte 5Fuwn2026-01-221-9/+9
|
* deps(sveltekit): Migrate to SvelteKit 2Fuwn2026-01-221-4/+4
|
* deps: Revert to commit 731733eFuwn2025-12-011-38/+30
|
* fix(stores): Move anime and manga from localStorage to IndexedDBFuwn2025-06-111-0/+1
|
* deps: Update all applicable dependenciesFuwn2025-06-091-28/+35
|
* deps(Trigger.dev): Bump dependenciesFuwn2025-06-091-2/+2
|
* fix: SvelteKit migration errorsFuwn2025-06-091-1/+1
|
* deps(Svelte): Migrate to Svelte 5Fuwn2025-06-091-10/+10
|
* deps(SvelteKit): Migrate to SvelteKit 2Fuwn2025-06-091-2/+3
|
* feat(tools): add simple trackerFuwn2024-10-121-0/+1
|
* chore(prettier): use spaces instead of tabsFuwn2024-10-091-62/+62
|
* chore(npm): fix graphql builderFuwn2024-09-281-1/+1
|
* feat(api): set up graphql apiFuwn2024-09-281-0/+1
|
* deps(nodejs): bunx update-browserslist-db@latestFuwn2024-09-011-0/+1
|
* deps(web-push): add typesFuwn2024-07-251-0/+1
|
* ci(trigger): update project referencesFuwn2024-07-241-60/+60
|
* refactor(trigger): v2 -> v3Fuwn2024-07-241-60/+60
|
* feat: background notificationsFuwn2024-07-241-1/+7
|
* fix(match): delayed and subtitled time compatibilityFuwn2024-05-241-53/+53
|
generated by cgit v1.2.3 (git 2.25.1) at 2026-06-03 05:41:29 +0000