Security hardening and fix all compile warnings
Security fixes: - Validate theme background image URLs against whitelist pattern - Add board permission check to Socket.IO join-board handler - Disable raw HTML passthrough in markdown parser (XSS prevention) - Add UUID validation on avatar and branding route params (path traversal) - Add security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy) - Validate webhook URLs (HTTPS only, block internal addresses) - Add import payload size limit (5MB) - Remove server uptime from health endpoint - Make seed password configurable via SEED_ADMIN_PASSWORD env var - Patch DOMPurify dependency vulnerability via npm audit fix Warning fixes: - Convert $state(prop) to $effect.pre sync pattern (state_referenced_locally) - Add for/id pairings to form labels (a11y_label_has_associated_control) - Add svelte-ignore for intentional autofocus usage (a11y_autofocus) - Add ARIA roles to interactive/overlay divs (a11y_no_static_element_interactions) - Add aria-label to icon-only buttons (a11y_consider_explicit_label) - Add keyboard handler alongside click events (a11y_click_events_have_key_events) - Fix non-reactive fileInput declaration Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -11,10 +11,14 @@
|
||||
let { value, readonly = false, onsave }: Props = $props();
|
||||
|
||||
let editing = $state(false);
|
||||
let draft = $state(value);
|
||||
let draft = $state('');
|
||||
let previewing = $state(false);
|
||||
let ready = $state(false);
|
||||
|
||||
$effect.pre(() => {
|
||||
if (!editing) draft = value;
|
||||
});
|
||||
|
||||
onMount(async () => {
|
||||
await initDOMPurify();
|
||||
ready = true;
|
||||
@@ -31,11 +35,6 @@
|
||||
editing = false;
|
||||
previewing = false;
|
||||
}
|
||||
|
||||
// Keep draft in sync when value prop changes externally
|
||||
$effect(() => {
|
||||
if (!editing) draft = value;
|
||||
});
|
||||
</script>
|
||||
|
||||
{#if editing && !readonly}
|
||||
@@ -89,6 +88,8 @@
|
||||
<!-- svelte-ignore a11y_click_events_have_key_events a11y_no_static_element_interactions -->
|
||||
<div
|
||||
class="{!readonly ? 'cursor-pointer hover:bg-gray-50 dark:hover:bg-gray-800 rounded' : ''} p-2 -mx-2 min-h-[40px]"
|
||||
role="button"
|
||||
tabindex="0"
|
||||
onclick={() => { if (!readonly) editing = true; }}
|
||||
>
|
||||
{#if value}
|
||||
|
||||
Reference in New Issue
Block a user