Conversation
- 全栈流量统计:daily_views 表 + /api/stats/traffic + SparkLine SVG 折线图 - 后台仪表盘重构:去除重复元素,紧凑横排导航条,文章操作 hover 显现 - Pages Functions 反向代理:/api/* /cdn/* /rss.xml 同域代理到 Workers - Bug 修复:CORS OPTIONS 预检处理、totalViews 数据口径统一、SVG gradient ID 唯一化 - 文档更新:README、Wiki 部署指南、架构概览、功能特性、API 参考 - 新增 @cloudflare/workers-types + functions/tsconfig.json - wrangler.toml 补充 migrations_dir、D1 迁移状态修复
one-ea
added a commit
that referenced
this pull request
Apr 11, 2026
- #1 _middleware: Response.json<T>() 泛型编译错误 → 类型断言 - #2 _middleware: 可选链调用链不完整 → 条件表达式 - #3 _middleware: 注入的 URL/日期属性未转义 → 统一 esc() - #4 not-found: 404 页未设 noindex → SeoHead 新增 noindex + robots meta 支持 - #5 not-found: 返回上页无 history 兜底 → history.length 判断,兜底首页 - #7 SECURITY.md: 安全报告联系方式不完整 → 添加 GitHub 个人主页联系 - #8 server/index.ts: sitemap lastmod 无效日期兜底 → isNaN 校验回退当天
one-ea
added a commit
that referenced
this pull request
Apr 19, 2026
Critical/High: - Sanitize custom_header/footer through DOMPurify before injection, forbid inline scripts, only allow external script src (fixes #1) - Add security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, HSTS (fixes #5) - Remove authorEmail from public comment API, use DiceBear avatars based on nickname instead of Gravatar hash (fixes #2, #14) - Add login rate limiting: 5 attempts per 15 min per IP (fixes #3) - Reflect request Origin in CORS instead of wildcard (fixes #4) - Add SSRF protection for WebDAV backup and image localization: only allow https://, block private/internal IPs (fixes #6, #13) - Filter javascript: URIs in markdown link renderer (fixes #7) Medium: - Replace hardcoded reaction salt with REACTION_SALT env var (fixes #9) - Add .env.* to .gitignore, remove .env.production from tracking (fixes #10) - Disable source maps in production build (fixes #11) - Remove infrastructure details from health endpoint (fixes #15)
2 tasks
one-ea
added a commit
that referenced
this pull request
Apr 19, 2026
…se (#38) * fix(security): harden Monolith against XSS, SSRF, info leaks, and abuse Critical/High: - Sanitize custom_header/footer through DOMPurify before injection, forbid inline scripts, only allow external script src (fixes #1) - Add security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, HSTS (fixes #5) - Remove authorEmail from public comment API, use DiceBear avatars based on nickname instead of Gravatar hash (fixes #2, #14) - Add login rate limiting: 5 attempts per 15 min per IP (fixes #3) - Reflect request Origin in CORS instead of wildcard (fixes #4) - Add SSRF protection for WebDAV backup and image localization: only allow https://, block private/internal IPs (fixes #6, #13) - Filter javascript: URIs in markdown link renderer (fixes #7) Medium: - Replace hardcoded reaction salt with REACTION_SALT env var (fixes #9) - Add .env.* to .gitignore, remove .env.production from tracking (fixes #10) - Disable source maps in production build (fixes #11) - Remove infrastructure details from health endpoint (fixes #15) * feat(privacy): add cookie consent banner, privacy policy page, and GDPR notice - Add CookieConsent component: bottom banner with accept/reject, stores consent in localStorage, fires 'cookie-consent-accepted' event for third-party script injection gating - Add /privacy route with full privacy policy page (bilingual) - Gate custom_header/footer script injection behind cookie consent: scripts only load after user accepts; non-script HTML injects immediately as before - Add GDPR warning in admin settings 'Extensions & Injection' tab - Add PRIVACY.md to repo root - Add privacy page link in cookie consent banner --------- Co-authored-by: one-ea <one-ea@users.noreply.github.com>
one-ea
added a commit
that referenced
this pull request
Apr 21, 2026
…fau5b9au3001u79fbu52a8u7aefu4ee3u7801u5757u4f18u5316u3001u6807u7b7eu6298u53e0 (#40) * fix(security): harden Monolith against XSS, SSRF, info leaks, and abuse Critical/High: - Sanitize custom_header/footer through DOMPurify before injection, forbid inline scripts, only allow external script src (fixes #1) - Add security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, HSTS (fixes #5) - Remove authorEmail from public comment API, use DiceBear avatars based on nickname instead of Gravatar hash (fixes #2, #14) - Add login rate limiting: 5 attempts per 15 min per IP (fixes #3) - Reflect request Origin in CORS instead of wildcard (fixes #4) - Add SSRF protection for WebDAV backup and image localization: only allow https://, block private/internal IPs (fixes #6, #13) - Filter javascript: URIs in markdown link renderer (fixes #7) Medium: - Replace hardcoded reaction salt with REACTION_SALT env var (fixes #9) - Add .env.* to .gitignore, remove .env.production from tracking (fixes #10) - Disable source maps in production build (fixes #11) - Remove infrastructure details from health endpoint (fixes #15) * feat(privacy): add cookie consent banner, privacy policy page, and GDPR notice - Add CookieConsent component: bottom banner with accept/reject, stores consent in localStorage, fires 'cookie-consent-accepted' event for third-party script injection gating - Add /privacy route with full privacy policy page (bilingual) - Gate custom_header/footer script injection behind cookie consent: scripts only load after user accepts; non-script HTML injects immediately as before - Add GDPR warning in admin settings 'Extensions & Injection' tab - Add PRIVACY.md to repo root - Add privacy page link in cookie consent banner * fix: 修复移动端代码块横向滚动崩坏问题 - code-block-wrapper 增加 -webkit-overflow-scrolling: touch(iOS 惯性滚动) - pre 和 code 元素增加 white-space: pre 强制不换行,内容真实撑开 wrapper - 移动端 pre 增加 width: max-content + min-width: 100% 确保可超出容器宽度 - code-line 从 display: inline-block 改为 display: block,避免 min-width: 100% 在移动端按父容器宽度错误计算导致代码不撑开横向滚动区域 - 兜底 pre:not(.hljs) 同步修复 * fix: 修复代码块布局坍塌(移除循环宽度依赖) code-line 改回 display: inline-block,移除 width: max-content 和 min-width: calc(100%+8px) 的循环依赖写法(该写法导致移动端代码 内容完全消失)。pre 的 white-space: pre 已足够阻止换行, wrapper 的 overflow-x: auto 负责横向滚动。 * feat: 独立页动态导航、后台侧栏固定、移动端代码块优化、标签折叠 - navbar: 从 /api/pages 获取 showInNav=true 的页面动态注入导航栏 - footer: 底部新增独立页面链接 - admin-layout: 侧栏改用 fixed 定位,彻底脱离文档流 - dashboard: 标签区折叠展开,默认显示2行+展开按钮 - globals.css: 移动端代码块优化(行号flex布局、顶栏sticky、尺寸缩减) - .gitignore: 重写并清理不存在的条目 - 清理 .kilo 和 .playwright-mcp 残留 - 新增 AGENTS.md 和 opencode.json 项目配置 --------- Co-authored-by: one-ea <one-ea@users.noreply.github.com>
one-ea
added a commit
that referenced
this pull request
Apr 25, 2026
Critical/High: - Sanitize custom_header/footer through DOMPurify before injection, forbid inline scripts, only allow external script src (fixes #1) - Add security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, HSTS (fixes #5) - Remove authorEmail from public comment API, use DiceBear avatars based on nickname instead of Gravatar hash (fixes #2, #14) - Add login rate limiting: 5 attempts per 15 min per IP (fixes #3) - Reflect request Origin in CORS instead of wildcard (fixes #4) - Add SSRF protection for WebDAV backup and image localization: only allow https://, block private/internal IPs (fixes #6, #13) - Filter javascript: URIs in markdown link renderer (fixes #7) Medium: - Replace hardcoded reaction salt with REACTION_SALT env var (fixes #9) - Add .env.* to .gitignore, remove .env.production from tracking (fixes #10) - Disable source maps in production build (fixes #11) - Remove infrastructure details from health endpoint (fixes #15)
one-ea
added a commit
that referenced
this pull request
Apr 25, 2026
* fix(security): harden Monolith against XSS, SSRF, info leaks, and abuse Critical/High: - Sanitize custom_header/footer through DOMPurify before injection, forbid inline scripts, only allow external script src (fixes #1) - Add security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, HSTS (fixes #5) - Remove authorEmail from public comment API, use DiceBear avatars based on nickname instead of Gravatar hash (fixes #2, #14) - Add login rate limiting: 5 attempts per 15 min per IP (fixes #3) - Reflect request Origin in CORS instead of wildcard (fixes #4) - Add SSRF protection for WebDAV backup and image localization: only allow https://, block private/internal IPs (fixes #6, #13) - Filter javascript: URIs in markdown link renderer (fixes #7) Medium: - Replace hardcoded reaction salt with REACTION_SALT env var (fixes #9) - Add .env.* to .gitignore, remove .env.production from tracking (fixes #10) - Disable source maps in production build (fixes #11) - Remove infrastructure details from health endpoint (fixes #15) * chore: add KaTeX math support, clean up project redundancies - feat: KaTeX math formula rendering ($...$ inline, $$...$$ block) - fix: protect code blocks from KaTeX parsing - chore: remove orphaned .wiki-tmp submodule - chore: remove unused marked import/dep from server - chore: move @types/dompurify, shadcn to devDependencies - chore: add .playwright-mcp/, .wiki-tmp/ to .gitignore - chore: delete stray test artifacts --------- Co-authored-by: one-ea <one-ea@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
变更概要
🆕 新功能
daily_views表 +/api/stats/traffic公开接口 + 首页侧边栏 SVGSparkLine折线图(零依赖)/api/*、/cdn/*、/rss.xml同域代理到 Workers 后端,支持API_BASE环境变量配置🔄 重构
🐛 Bug 修复
totalViews数据口径不一致(daily_views vs posts.view_count)redirect: "manual")React.useId())📝 文档
⚙️ 配置
@cloudflare/workers-types+functions/tsconfig.jsonwrangler.toml补充migrations_dir19 files changed, 643 insertions(+), 284 deletions(-)