blume@1.0.2
Patch Changes
-
d62dbd0: Harden the pre-paint inline scripts and the route-normalizing regexes against the issues CodeQL flagged.
The theme and banner scripts in
<head>used to be built by interpolating config values into JavaScript source withJSON.stringify. JSON escaping isn’t a code-context escape —</script>and U+2028/U+2029 pass straight through it — so a craftedbanner.idor theme value could break out of the script. Both scripts are now constants and take their values fromdata-*attributes on their own<script>tag, which Astro HTML-escapes.ReferenceLayouthad drifted to its own inline copies of both scripts; it now shares the same module asRootLayoutandPageLayout.Route and slug normalization used
/^\/+|\/+$/-style patterns to trim leading and trailing separators. Those take quadratic time on a long run of the trimmed character, and they run on values that come from outside Blume (configured routes, OpenAPI spec URLs, the site origin), so a pathological config could hang the build. They’re replaced by linear trimming helpers incore/trim.ts; behavior is unchanged.