| | Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|---|
| * | fix(security): sanitize badge_wall_css server-side, render via textContent | Fuwn | 31 hours | 1 | -0/+25 |
| | Custom badge-wall CSS was sanitised only client-side with a fragile regex and injected via innerHTML, while the stored value stayed raw. Sanitise at the write boundary instead (setCSS, covering both the REST and GraphQL paths) with a css-tree pass that parses leniently and drops @import, behavior/-moz-binding, expression()/javascript: values, and `</style>` break-out attempts; render with textContent instead of innerHTML so break-out is impossible by construction (CSP already blocks inline script). css-tree stays server-only. A behaviour-gate test confirms ordinary CSS (backdrop-filter, content, url(), @media, @keyframes) is preserved while the dangerous constructs are removed. The previous regex also silently stripped all `content:` declarations; those now render correctly. | | | | |
| * | fix(security): sanitize third-party RSS HTML before {@html} | Fuwn | 39 hours | 1 | -0/+16 |
| | The /updates page rendered manga/novel feed fields (content, titles, series names) from mangaupdates/syosetu/wlnupdates via `{@html}` with no sanitization. CSP already blocks script execution, but injected markup could still phish, redirect, or track. Add sanitizeFeedHtml (DOMPurify with a small safe allow-list) and apply it on ingest. A behaviour-gate test plus a check against the live mangaupdates feed confirm legitimate formatting (entities, `<i>`/`<b>`/`<a href>`) is preserved while `<script>`, event handlers, `<iframe>`/`<meta>`/`<style>` and javascript: URLs are removed. | | | | |
| * | feat(scroll): add global smooth scrolling via Lenis | Fuwn | 2026-05-08 | 1 | -0/+19 |
| * | build(dev): use portless for named .localhost dev URL | Fuwn | 2026-04-18 | 1 | -0/+11 |
| * | chore(pnpm): Update lockfile | Fuwn | 2026-03-27 | 1 | -18/+917 |
| * | chore(effect): add v4 cookie decode foundation and tests | Fuwn | 2026-03-03 | 1 | -7/+155 |
| * | ci(quality): add graphql + env placeholders for reproducible typecheck | Fuwn | 2026-03-01 | 1 | -125/+128 |
| * | chore(trigger): migrate project setup from v3 to v4 | Fuwn | 2026-03-01 | 1 | -902/+526 |
| * | chore(tooling): remove legacy eslint and prettier | Fuwn | 2026-03-01 | 1 | -792/+0 |
| * | chore(tooling): migrate lint and format to biome | Fuwn | 2026-03-01 | 1 | -4501/+1658 |
| * | fix(anime): unify due classification and harden subtitle matching | Fuwn | 2026-03-01 | 1 | -2/+727 |
| * | feat(+layout.svelte): Add Web Analytics | Fuwn | 2026-01-26 | 1 | -1477/+4286 |
| * | feat: Add BotID | Fuwn | 2026-01-26 | 1 | -4245/+1492 |
| * | chore(deps): Update Trigger.dev packages | Fuwn | 2026-01-23 | 1 | -301/+312 |
| * | fix: Add null guards and improve error messaging for user lookups | Fuwn | 2026-01-23 | 1 | -19/+5 |
| * | fix: Resolve unused imports, dead code, and type definitions | Fuwn | 2026-01-23 | 1 | -0/+14 |
| * | feat(List): Add media roulette | Fuwn | 2026-01-23 | 1 | -1472/+4232 |
| * | deps(houdini): Bump version to next | Fuwn | 2026-01-23 | 1 | -4221/+1556 |
| * | fix(html): Replace self-closing non-void HTML elements with proper closing tags | Fuwn | 2026-01-23 | 1 | -1468/+4219 |
| * | fix(deps): Add missing fast-levenshtein dependency [svelte-5-migration] | Fuwn | 2026-01-22 | 1 | -0/+16 |
| * | chore(deps): Migrate from npm to pnpm | Fuwn | 2026-01-22 | 1 | -0/+8372 |