security updates

2026-03-18 04:06:34 -06:00
parent 9722474440
commit 75d12b2950
5 changed files with 56 additions and 12 deletions
--- a/src/routes/admin/+page.server.js
+++ b/src/routes/admin/+page.server.js
@@ -1,9 +1,14 @@
 import { getAdminStats, listReports, listRecentPersonalitiesAdmin, listContactMessages } from '$lib/server/db.js';

 export async function load({ url }) {
-  const reportFilter  = url.searchParams.get('reports') ?? 'open';
-  const messageFilter = url.searchParams.get('messages') ?? 'unread';
-  const adminQ        = url.searchParams.get('q') ?? '';
+  const VALID_REPORT_FILTERS  = ['open', 'dismissed', 'all'];
+  const VALID_MESSAGE_FILTERS = ['unread', 'all'];
+
+  const reportFilter  = VALID_REPORT_FILTERS.includes(url.searchParams.get('reports') ?? '')
+    ? url.searchParams.get('reports') : 'open';
+  const messageFilter = VALID_MESSAGE_FILTERS.includes(url.searchParams.get('messages') ?? '')
+    ? url.searchParams.get('messages') : 'unread';
+  const adminQ        = (url.searchParams.get('q') ?? '').slice(0, 200);
  const adminPage     = Math.max(1, parseInt(url.searchParams.get('page') ?? '1'));

  const stats = getAdminStats();
--- a/src/routes/admin/+page.svelte
+++ b/src/routes/admin/+page.svelte
@@ -276,8 +276,7 @@
                {msg.name || 'Anonymous'}
              </span>
              {#if msg.email}
-                <a href="mailto:{msg.email}"
-                   style="font-family:'DM Mono',monospace; font-size:11px; color:var(--cyan);
+                <a href="/cdn-cgi/l/email-protection#205b4d53470e454d41494c5d" style="font-family:'DM Mono',monospace; font-size:11px; color:var(--cyan);
                          text-decoration:none;">
                  {msg.email}
                </a>
@@ -643,5 +642,3 @@
        </button>
      {/each}
    </div>
-  {/if}
-</div>