release(v1.9.7): harden client path guard and refine header/folder strip CSS

2025-11-14 20:11:19 -05:00
parent 930ed954ec
commit 3b636f69d8
5 changed files with 994 additions and 1856 deletions
--- a/public/js/folderManager.js
+++ b/public/js/folderManager.js
@@ -1026,7 +1026,7 @@ export function openColorFolderModal(folder) {
 function isSafeFolderPath(p) {
  // Client-side defense-in-depth; server already enforces safe segments.
  // Allows letters/numbers/space/_-. and slashes between segments.
-  return /^(root|[A-Za-z0-9][A-Za-z0-9 _\-.]*)(\/[A-Za-z0-9][A-Za-z0-9 _\-.]*)*$/.test(String(p || ''));
+  return /^(root|(?!\.)[^/\0]+)(\/(?!\.)[^/\0]+)*$/.test(String(p || ''));
 }

 function makeChildLi(parentPath, item) {