catlog22/Claude-Code-Workflow
1
0
Fork 0
mirror of https://github.com/catlog22/Claude-Code-Workflow.git synced 2026-03-04 15:53:07 +08:00
Code Issues Packages Projects Releases Wiki Activity

Refactor workflow-lite-planex documentation to standardize phase naming and improve clarity

Browse Source 
- Updated phase references in SKILL.md and 01-lite-plan.md to use "LP-Phase" prefix for consistency.
- Added critical context isolation note in 01-lite-plan.md to clarify phase invocation rules.
- Enhanced execution process descriptions to reflect updated phase naming conventions.

Improve error handling in frontend routing

- Introduced ChunkErrorBoundary component to handle lazy-loaded chunk load failures.
- Wrapped lazy-loaded routes with error boundary and suspense for better user experience.
- Created PageSkeleton component for loading states in lazy-loaded routes.

Sanitize header values in notification routes

- Added regex validation for header values to prevent XSS attacks by allowing only printable ASCII characters.

Enhance mobile responsiveness in documentation styles

- Updated CSS breakpoints to use custom properties for better maintainability.
- Improved layout styles across various components to ensure consistent behavior on mobile devices.
This commit is contained in:
catlog22
2026-03-02 16:36:40 +08:00
parent 980be3d87d
commit 57636040d2
22 changed files with 1149 additions and 383 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
ccw/src/core/routes/notification-routes.ts
View File

@@ -39,6 +39,11 @@ const FEISHU_HOSTNAMES = ['feishu.cn', 'larksuite.com', 'lark.com'];
const DINGTALK_HOSTNAMES = ['dingtalk.com', 'oapi.dingtalk.com'];
const WECOM_HOSTNAMES = ['qyapi.weixin.qq.com', 'work.weixin.qq.com'];
// Pattern for safe header values - only printable ASCII characters (no control chars)
// This prevents XSS by ensuring header values don't contain HTML/JS metacharacters
// Space (0x20) through tilde (0x7E) are printable ASCII characters
const SAFE_HEADER_VALUE_REGEX = /^[\x20-\x7E]+$/;
/**
* Validate URL format (must be http or https)
*/
@@ -113,6 +118,11 @@ function isValidHeaders(headers: unknown): { valid: boolean; error?: string } {
if (typeof value !== 'string') {
return { valid: false, error: `Header '${key}' value must be a string` };
}
// Sanitize header value - only allow printable ASCII characters
// This prevents XSS by blocking HTML/JS metacharacters and control characters
if (!SAFE_HEADER_VALUE_REGEX.test(value)) {
return { valid: false, error: `Header '${key}' contains invalid characters. Only printable ASCII characters (space through tilde) are allowed.` };
}
// Block potentially dangerous headers
const lowerKey = key.toLowerCase();
if (['host', 'content-length', 'connection'].includes(lowerKey)) {