fix(ui): mobile responsive layout#2

Merged
one-ea merged 6 commits into
mainfrom
dev
Apr 10, 2026

Conversation

@one-ea one-ea commented Apr 10, 2026

Comprehensively fix broken layout on mobile

one-ea added 6 commits April 7, 2026 14:57
- Remove .agents/ directory (contains passwords, SSH keys, system config)
- Remove root package-lock.json (workspace-level, not needed in repo)
- Add .agents/ and /package-lock.json to .gitignore
- Create ProtectedRoute component that blocks rendering until auth check completes
- Wrap all /admin/* routes in ProtectedRoute (except /admin/login)
- Prevents unauthenticated users from viewing admin UI during async auth check
- Shows loading spinner during verification, redirects to login on failure
- Rewrite README.md with badges, architecture diagram, feature table, full docs links
- Add Bug Report issue template
- Add Feature Request issue template
- Add PR template with change type checklist
…EADME

GitHub README does not support ../../wiki relative paths,
all links now point to https://github.com/one-ea/Monolith/wiki/*
[HIGH] fix(backup): R2 restore was a hollow shell — added POST /api/admin/backup/r2-restore
  endpoint that reads full JSON from R2 and calls importAll() for real data restoration
[HIGH] fix(auth): remove redundant checkAuth() in editor.tsx and backup.tsx pages
  (ProtectedRoute already handles auth at route level, double-check caused extra API call)

[MEDIUM] fix(backup): add listed/pinned/publishAt fields to importAll insert
  (previously imported posts could lose listed=false privacy setting)
[MEDIUM] fix(search): remove LIKE scan on content column (large field, full table scan)
  now only searches title + excerpt for better performance
[MEDIUM] feat(security): integrate DOMPurify for XSS sanitization in renderMarkdown
  allows iframe/video/data-* attributes for B站/YouTube embed and copy buttons
[MEDIUM] fix(import): cleanup unused checkAuth import from editor.tsx
- Dashboard: header flex-wrap, stats grid-cols-2, icon buttons smaller
- Editor: toolbar overflow-x-auto for scrollable tool buttons
- Archive/About: add px-[16px] mobile padding, responsive title sizes
- Post: loading/article padding, title 24px mobile / 32px desktop
- Backup: grid-cols-1 mobile, header flex-col, container padding
@one-ea one-ea merged commit aaf2e12 into main Apr 10, 2026
one-ea added a commit that referenced this pull request Apr 11, 2026
- #1 _middleware: Response.json<T>() generic compile error → type assertion
- #2 _middleware: incomplete optional-chaining call chain → conditional expression
- #3 _middleware: injected URL/date attributes not escaped → unified esc()
- #4 not-found: 404 page lacked noindex → SeoHead gains noindex + robots meta support
- #5 not-found: "go back" had no history fallback → check history.length, fall back to the home page
- #7 SECURITY.md: security report contact details incomplete → add GitHub profile contact
- #8 server/index.ts: sitemap lastmod had no invalid-date fallback → isNaN check falls back to today's date
one-ea added a commit that referenced this pull request Apr 19, 2026
Critical/High:
- Sanitize custom_header/footer through DOMPurify before injection,
  forbid inline scripts, only allow external script src (fixes #1)
- Add security headers: X-Content-Type-Options, X-Frame-Options,
  Referrer-Policy, Permissions-Policy, HSTS (fixes #5)
- Remove authorEmail from public comment API, use DiceBear avatars
  based on nickname instead of Gravatar hash (fixes #2, #14)
- Add login rate limiting: 5 attempts per 15 min per IP (fixes #3)
- Reflect request Origin in CORS instead of wildcard (fixes #4)
- Add SSRF protection for WebDAV backup and image localization:
  only allow https://, block private/internal IPs (fixes #6, #13)
- Filter javascript: URIs in markdown link renderer (fixes #7)

Medium:
- Replace hardcoded reaction salt with REACTION_SALT env var (fixes #9)
- Add .env.* to .gitignore, remove .env.production from tracking (fixes #10)
- Disable source maps in production build (fixes #11)
- Remove infrastructure details from health endpoint (fixes #15)
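The outbound-URL check described in the "Add SSRF protection for WebDAV backup and image localization" bullet above, written out as an added example that is not Monolith's own code. It assumes the check runs on the URL string before any request is made and that hostnames are compared as literals (no DNS resolution here, so a resolver-side check is still needed against DNS rebinding); `checkOutboundUrl` and its helpers are names chosen for this example.

```typescript
// Added example (not from the Monolith repo): allow only https:// and reject
// private/internal destinations for server-side fetches (WebDAV backup targets,
// image localization). Literal-host check only; DNS rebinding needs a separate
// resolver-level guard.
interface UrlCheck { ok: boolean; reason?: string }

// RFC 1918, loopback, unspecified, link-local (incl. cloud metadata range) and CGNAT.
function isPrivateIPv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 || a === 0
    || (a === 172 && b >= 16 && b <= 31)
    || (a === 192 && b === 168)
    || (a === 169 && b === 254)
    || (a === 100 && b >= 64 && b <= 127);
}

// The WHATWG URL parser hands IPv6 literals back wrapped in brackets.
function isPrivateIPv6(host: string): boolean {
  if (!host.startsWith('[')) return false;
  const h = host.slice(1, -1).toLowerCase();
  if (h === '::1' || h === '::') return true;          // loopback / unspecified
  if (/^f[cd]/.test(h)) return true;                   // fc00::/7 unique-local
  if (/^fe[89ab]/.test(h)) return true;                // fe80::/10 link-local
  return h.startsWith('::ffff:');                      // IPv4-mapped: reject outright
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

function checkOutboundUrl(raw: string): UrlCheck {
  const u = parseUrl(raw);
  if (!u) return { ok: false, reason: 'unparseable URL' };
  if (u.protocol !== 'https:') return { ok: false, reason: 'scheme must be https' };
  if (u.username || u.password) return { ok: false, reason: 'credentials in URL' };
  // The parser already normalises odd IPv4 spellings (2130706433, 127.1, 0x7f.0.0.1)
  // to dotted-quad form, so the literal check below sees the canonical address.
  const host = u.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'loopback host' };
  if (isPrivateIPv4(host) || isPrivateIPv6(host)) return { ok: false, reason: 'private/internal address' };
  return { ok: true };
}
```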
one-ea added a commit that referenced this pull request Apr 19, 2026
…se (#38)

* fix(security): harden Monolith against XSS, SSRF, info leaks, and abuse


* feat(privacy): add cookie consent banner, privacy policy page, and GDPR notice

- Add CookieConsent component: bottom banner with accept/reject,
  stores consent in localStorage, fires 'cookie-consent-accepted'
  event for third-party script injection gating
- Add /privacy route with full privacy policy page (bilingual)
- Gate custom_header/footer script injection behind cookie consent:
  scripts only load after user accepts; non-script HTML injects
  immediately as before
- Add GDPR warning in admin settings 'Extensions & Injection' tab
- Add PRIVACY.md to repo root
- Add privacy page link in cookie consent banner

---------

Co-authored-by: one-ea <one-ea@users.noreply.github.com>
one-ea added a commit that referenced this pull request Apr 21, 2026
…fixed, mobile code block optimization, tag folding (#40)

* fix(security): harden Monolith against XSS, SSRF, info leaks, and abuse


* feat(privacy): add cookie consent banner, privacy policy page, and GDPR notice

* fix: fix broken horizontal scrolling of code blocks on mobile

- code-block-wrapper: add -webkit-overflow-scrolling: touch (iOS inertial scrolling)
- pre and code elements: add white-space: pre to force no wrapping, so the real content stretches the wrapper
- mobile pre: add width: max-content + min-width: 100% to make sure it can exceed the container width
- code-line: change display: inline-block to display: block, to avoid min-width: 100% being computed
  incorrectly against the parent container width on mobile, which kept the code from stretching the horizontal scroll area
- fallback pre:not(.hljs): fixed the same way

* fix: fix code block layout collapse (remove circular width dependency)

code-line is changed back to display: inline-block, removing the circular-dependency pattern of
width: max-content plus min-width: calc(100%+8px) (that pattern made the code content disappear
entirely on mobile). white-space: pre on pre is enough to prevent wrapping, and
overflow-x: auto on the wrapper handles horizontal scrolling.

* feat: dynamic nav for standalone pages, fixed admin sidebar, mobile code block optimization, tag folding

- navbar: fetch pages with showInNav=true from /api/pages and inject them into the navigation bar dynamically
- footer: add standalone page links at the bottom
- admin-layout: sidebar switched to fixed positioning, fully out of the document flow
- dashboard: tag area collapses/expands, showing 2 rows by default plus an expand button
- globals.css: mobile code block optimization (flex layout for line numbers, sticky header bar, reduced sizes)
- .gitignore: rewritten, with stale entries removed
- Clean up leftover .kilo and .playwright-mcp files
- Add AGENTS.md and opencode.json project configuration

---------

Co-authored-by: one-ea <one-ea@users.noreply.github.com>
one-ea added a commit that referenced this pull request Apr 25, 2026
one-ea added a commit that referenced this pull request Apr 25, 2026
* fix(security): harden Monolith against XSS, SSRF, info leaks, and abuse

* chore: add KaTeX math support, clean up project redundancies

- feat: KaTeX math formula rendering ($...$ inline, $$...$$ block)
- fix: protect code blocks from KaTeX parsing
- chore: remove orphaned .wiki-tmp submodule
- chore: remove unused marked import/dep from server
- chore: move @types/dompurify, shadcn to devDependencies
- chore: add .playwright-mcp/, .wiki-tmp/ to .gitignore
- chore: delete stray test artifacts

---------

Co-authored-by: one-ea <one-ea@users.noreply.github.com>
one-ea added a commit that referenced this pull request Apr 25, 2026
* fix(ci): downgrade actions/checkout & setup-node from v6 to v4

v6 fails outright at the setup-node step on some runners (deploy run #1/#2).
Downgrading to v4, a stable LTS version still used by most of the community, avoids the compatibility risk.

- deploy-cloudflare.yml
- eslint.yml

* chore(repo): refresh metadata — README/SECURITY/.gitignore + drop legacy AGENTS/opencode

- README.md: trimmed to a long-term stable version (removed version badges + 5-quadrant feature list + three-tier architecture diagram)
- SECURITY.md: rewritten as a 5-module / 14-item hardening checklist, aligned with .trae/memory/06-security.md
- .gitignore: added local tool artifacts such as .trae/, CLAUDE.md, AGENTS.md, opencode.json
- Remove AGENTS.md / opencode.json (migrated into the .trae/ structure)

---------

Co-authored-by: Easy <easy@Ubuntu-26.04-LTS>
@github-actions github-actions Bot mentioned this pull request May 16, 2026