Update fork #8
Open
imconnorngl wants to merge 56 commits into
…-release/prod Version Packages (Stable)
…-release/prod Version Packages (Stable)
Co-authored-by: DespicableGoose <68354378+DespicableGoose@users.noreply.github.com>
…-release/prod Version Packages (Stable)
Signed-off-by: Zalko <88582103+Zalk0@users.noreply.github.com>
`svelte-seo`'s `jsonLd` prop emits the script tag through `{@html` ... `+
JSON.stringify(data)}`, but `JSON.stringify` does not escape `<`, `>` or `&`.
Stats pages flow `routeIgn` from `page.params.ign` into the JSON-LD `name`
field, so visiting `/stats/<script>alert(1)</script>` was enough to break out
of the script tag and execute arbitrary HTML/JS from `<head>`.
Add a `JsonLd` component that serialises through `safeJsonLd`, which escapes
those three characters to their unicode escapes — still valid JSON for
crawlers, but a closing `</script>` can no longer appear in the payload.
Switch both `<SvelteSeo>` callers (`SEO.svelte`, `+layout.svelte`) from the
vulnerable `jsonLd` prop to `<JsonLd data={...} />`. The layout's JSON-LD is
fully hardcoded today and so wasn't exploitable, but routing it through the
safe component means future edits can't accidentally introduce a regression.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
`takumi-js@1.1.1` (Rust commit `adc48da`, "Treat absolute/floated children
as out-of-flow for inline layout detection") reworked which children
participate in inline formatting context. The `<img class="absolute inset-0
... object-cover">` we used to paint the card background no longer renders
under the new rules — and because the card text and emoji are white, the
missing background made them appear to vanish too.
Move `skycrypt-background` to `background-image: url(...)` on the parent
`<main>` in both `Base.svelte` and `ErrorCard.svelte`. This is the pattern
the takumi docs document for persistent images ("The image key can be used
in any `src` field or `background-image`, `mask-image` CSS property") and
sidesteps the layout-pipeline change. Verified end-to-end against the napi
renderer: the broken pattern produced 12kb of mostly-empty PNG, the fix
produces 852kb with the background, text and emoji all rendered correctly.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
`gh release create --generate-notes` builds the release body from PRs
merged between the previous tag and the new one, so any commit pushed
straight to `dev`/`prod` (even with a changeset) silently disappears
from the release page. v3.6.1-beta.0 is an example: both fixes were
in CHANGELOG.md but the release showed only the woodsplitter PR.
Read the section between `## ${version}` and the next `## ` heading
out of CHANGELOG.md, write it to a tempfile, and pass it via
`--notes-file` instead. Falls back to `--generate-notes` if no
matching section is found, so we never publish an empty release body.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
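The CHANGELOG.md section lookup this commit describes (read everything between `## ${version}` and the next `## ` heading, fall back to `--generate-notes` when nothing matches), as an added JavaScript example; this is not the repository's release script, and the function names and the sample changelog are constructed for the illustration. The commit is reverted later on this page, but the extraction itself is a small parser worth seeing in full:

```javascript
// Added example, not the repository's own release script. Names and the
// sample changelog below are constructed for this illustration.

// Return the body of the "## <version>" section of a changeset-style
// CHANGELOG.md, or null when no such heading exists (so the caller can fall
// back to generated notes and never ship an empty release body).
function extractChangelogSection(changelog, version) {
  const lines = changelog.split("\n");
  // Escape regex metacharacters so "3.6.1-beta.0" matches only itself and not,
  // say, "3x6x1-betaX0"; anchor on the full heading line.
  const escaped = version.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const headingRe = new RegExp(`^## ${escaped}\\s*$`);
  const start = lines.findIndex((line) => headingRe.test(line));
  if (start === -1) return null;
  // The section runs until the next second-level ("## ") heading or EOF.
  // "### Patch Changes" is a third-level heading and stays inside the section.
  let end = lines.length;
  for (let i = start + 1; i < lines.length; i++) {
    if (lines[i].startsWith("## ")) {
      end = i;
      break;
    }
  }
  const body = lines.slice(start + 1, end).join("\n").trim();
  return body.length > 0 ? body : null;
}

// Decide which gh flag the release step would use. The real script writes the
// section to a tempfile and passes its path to --notes-file; here the notes
// text is returned directly so the decision can be checked without touching disk.
function chooseReleaseNotes(changelog, version) {
  const section = extractChangelogSection(changelog, version);
  return section === null
    ? { flag: "--generate-notes" }
    : { flag: "--notes-file", notes: section };
}

// Constructed sample in the shape the changesets tooling emits.
const SAMPLE_CHANGELOG = `# skycrypt

## 3.6.1-beta.1

### Patch Changes

- Move background to background-image on the card parent

## 3.6.1-beta.0

### Patch Changes

- Escape JSON-LD payloads
- Fix woodsplitter

## 3.6.0

- Older release
`;

console.log(chooseReleaseNotes(SAMPLE_CHANGELOG, "3.6.1-beta.0"));
console.log(chooseReleaseNotes(SAMPLE_CHANGELOG, "9.9.9"));
```

The heading match is anchored to the whole line so that a prefix such as `3.6.1-beta` cannot pick up the `3.6.1-beta.0` section by accident.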
Drop the `{@html ... + "/script>"}` template-literal trick and use
`<svelte:element this={"script"} type="application/ld+json">{json}</svelte:element>`
instead. No `{@html}`, no closing-tag splitting, no inline safety
comments — the template now reads as plainly as a normal element.
The `safeJsonLd` helper still escapes `<`, `>` and `&` to their unicode
escapes before serialisation. That's important even with Svelte's text
escaping in the picture: Svelte would only encode `<` to `&lt;`, which
prevents XSS but corrupts the JSON-LD value (a crawler reading the
raw `<script>` text per HTML spec would see literal `<` characters
in the parsed JSON string). Pre-escaping to `\u003c` / `\u003e` /
`\u0026` keeps the payload XSS-safe AND lets `JSON.parse` decode it
back to the original characters losslessly, so the data round-trips.
Verified end-to-end against `svelte/server` with both a malicious
`</script><script>alert('xss')</script>` payload and a benign
`Foo & bar < baz > qux` description: round-trip equality on both,
zero literal `</script` anywhere in the rendered script body.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
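The escaping strategy described in the first JSON-LD commit above and refined in this one, as an added JavaScript example. This is not the repository's `safeJsonLd` or `JsonLd` component; `unsafeJsonLd`, `safeJsonLd` and the check helpers are hypothetical names written for this illustration, and the two inputs are constructed to mirror the cases the commit message lists:

```javascript
// Added example, not the repository's own code: a minimal reimplementation of
// the escaping the commits describe, with checks for the two properties that
// matter (no script breakout, lossless JSON round-trip).

// The vulnerable path: JSON.stringify leaves "<", ">" and "&" untouched, so a
// string value containing "</script>" terminates the element early.
function unsafeJsonLd(data) {
  return JSON.stringify(data);
}

// Escape "<", ">" and "&" to their JSON unicode escapes after serialising.
// The output is still valid JSON (JSON.parse decodes "\u003c" back to "<"),
// but the byte sequence "</script" can no longer appear in the script body.
function safeJsonLd(data) {
  return JSON.stringify(data)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026");
}

// The HTML parser ends a <script> element at the first "</script" sequence
// (case-insensitive); JSON string quoting does not protect against it.
function breaksOutOfScript(serialized) {
  return /<\/script/i.test(serialized);
}

// A payload with no "<", ">" or "&" is also a fixed point of any later HTML
// text escaping (Svelte's included), so no "&lt;" can end up inside the JSON.
function hasHtmlSpecials(serialized) {
  return /[<>&]/.test(serialized);
}

// Constructed inputs mirroring the commit's test cases.
const MALICIOUS_IGN = "</script><script>alert('xss')</script>";
const BENIGN_DESCRIPTION = "Foo & bar < baz > qux";

function checkJsonLdEscaping() {
  const person = { "@context": "https://schema.org", "@type": "Person", name: MALICIOUS_IGN };
  const site = { "@context": "https://schema.org", "@type": "WebSite", description: BENIGN_DESCRIPTION };
  return {
    unsafeBreaksOut: breaksOutOfScript(unsafeJsonLd(person)),
    safeBreaksOut: breaksOutOfScript(safeJsonLd(person)),
    safeHasHtmlSpecials: hasHtmlSpecials(safeJsonLd(person)) || hasHtmlSpecials(safeJsonLd(site)),
    maliciousRoundTrips: JSON.parse(safeJsonLd(person)).name === MALICIOUS_IGN,
    benignRoundTrips: JSON.parse(safeJsonLd(site)).description === BENIGN_DESCRIPTION,
  };
}

console.log(checkJsonLdEscaping());
```

Because the escaped text contains none of the three characters, it is unchanged whether it is emitted through `{@html}` or through an element whose text Svelte escapes, which is why the `<svelte:element>` form can drop the closing-tag splitting without losing the round-trip guarantee.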
Reverts 9b8e3d8. The PR-list output from `gh release create --generate-notes` is the preferred format; restoring the existing release scripts to that behaviour. v3.6.1-beta.0 and v3.6.1-beta.1 release pages were also rewritten back to their original auto-generated notes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Deploying with

| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ❌ Deployment failed (View logs) | skycrypt-embed-lunarclient-com | d20fa5c | May 14 2026, 05:26 PM |
Description
Type of Change
Related Issues
Changes Made
Screenshots/Videos
Testing
Test Environment
Checklist
Code Quality Checks
- `pnpm lint` passes without errors
- `pnpm format` has been run (or no formatting issues exist)
- `pnpm build` completes successfully
Additional Notes
Deployment Notes