const{createApp}=Vue
const{createVuetify,useGoTo,useDisplay}=Vuetify
var data={alert:{show:false,color:'success',text:'',timeout:0,},theme:{dark:false,},nav:{showDrawer:false,showTOC:true,tocPanel:0,tab:'account',post:{discussionId:6837,currentPage:1,targetPage:1,total:26,anchor:0,goToOptions:{container:null,duration:0,easing:'easeInOutCubic',offset:-100,},worker:null,task:[],active:[],apiLock:[],originLike:new Map([]),},related:{block:1,}},search:{width:80,text:null,loading:false,},tags:[{id:20,url:'/t/2c0b5e546a045c756077023a1a1e',name:'Js|Ts|H5',color:'#FFA726',icon:'mdi-language-javascript',},],posts:[{id:84357,num:0,uid:15309,content:'描述\u003Cp\u003E前端构建工具 Vite 在 6.2.3 、6.1.2 、6.0.12 、5.4.15 及 4.5.10 之前的版本存在安全漏洞。\u003C/p\u003E\u003Cp\u003E正常情况下 仅允许访问 Vite 服务白名单内的文件，但通过在 URL 后添加?raw??或?import\u0026amp;raw;??参数可绕过限制，返回目标文件内容（若存在）。\u003C/p\u003E\u003Cp\u003E该漏洞成因在于多处代码虽移除了尾部分隔符（如?），但未在查询字符串正则表达式中进行相应处理，导致可读取任意文件内容并返回至浏览器。\u003C/p\u003E\u003Cp\u003E仅当应用显式将 Vite 开发服务器暴露至网络（使用--host 参数或配置 server.host 选项）时才会受影响。该问题已在 6.2.3 、6.1.2 、6.0.12 、5.4.15 和 4.5.10 版本中修复。\u003C/p\u003E影响\u003Cp\u003E黑客只需在 URL 中加上魔法咒语\u0026#34;?raw??\u0026#34;或\u0026#34;?import\u0026amp;raw;??\u0026#34;，就能绕过 访问限制，轻松读取你的.env 、API 密钥、.bash_history 甚至那些\u0026#34;绝对不能让人看到\u0026#34;的配置文件！\u003C/p\u003E\u003Cp\u003E没错，你的命令历史和各种密钥可能正在向陌生人招手！\u003C/p\u003E修复建议\u003Cp\u003E将 Vite 升级到已修复的版本：6.2.3 、6.1.2 、6.0.12 、5.4.15 或 4.5.10\u003C/p\u003E\u003Cp\u003E如非必要，不要使用\u003Ccode\u003E--host\u003C/code\u003E或\u003Ccode\u003Eserver.host\u003C/code\u003E配置选项将开发服务器暴露在网络上\u003C/p\u003E参考\u003Cp\u003Ehttps://github.com/advisories/GHSA-x574-m823-4x7w\u003C/p\u003E',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 08:04:50',updatedAt:'2025-03-29 12:05:58',mentionNum:0,mentionedBy:[],mentionUsers:[],likeUsers:[],},{id:84358,num:1,uid:8857,content:'之前是 next 现在是 vite ,看来用前端开发服务器还是差点意思, 不是那么完美',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 08:51:22',updatedAt:'2025-03-29 12:05:58',mentionNum:0,mentionedBy:[],mentionUsers:[],likeUsers:[],},{id:84359,num:2,uid:170,content:'看清楚啊，是开发服务器，又不是生产服务器\u003Cbr\u003E@zeroskylian',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 08:56:11',updatedAt:'2025-03-29 12:05:58',mentionNum:0,mentionedBy:[3,],mentionUsers:[],likeUsers:[],},{id:84360,num:3,uid:8857,content:'#2 刚上班, 脑子没转过来 \u003Cimg src\u003D\"https://i.imgur.com/Iy0taMy.png\"\u003E',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 09:00:33',updatedAt:'2025-03-29 12:05:58',mentionNum:2,mentionedBy:[],mentionUsers:[],likeUsers:[],},{id:84361,num:4,uid:796,content:'多大点事儿',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 09:00:44',updatedAt:'2025-03-29 12:05:58',mentionNum:0,mentionedBy:[],mentionUsers:[],likeUsers:[],},{id:84362,num:5,uid:36,content:'需要用 vite 做服务器,还要开放到公网, 不过这玩意是咋发现的, 真离谱',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 09:08:19',updatedAt:'2025-03-29 12:05:58',mentionNum:0,mentionedBy:[],mentionUsers:[],likeUsers:[],},{id:84363,num:6,uid:2500,content:'前段时间 esbuild 的开发服务器也爆了个漏洞好像，挺奇妙的',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 09:14:52',updatedAt:'2025-03-29 12:05:58',mentionNum:0,mentionedBy:[],mentionUsers:[],likeUsers:[],},{id:84364,num:7,uid:15310,content:'我的扫描器昨天晚上已经发布了\u003Cbr\u003Ehttps://github.com/xuemian168/CVE-2025-30208\u003Cbr\u003E支持 FOFA 自动化和手动操作',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 09:18:19',updatedAt:'2025-03-29 12:05:58',mentionNum:0,mentionedBy:[10,],mentionUsers:[],likeUsers:[],},{id:84365,num:8,uid:3900,content:'这个名字起的不好，有歧义',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 10:28:24',updatedAt:'2025-03-29 12:05:58',mentionNum:0,mentionedBy:[],mentionUsers:[],likeUsers:[],},{id:84366,num:9,uid:5056,content:'总有聪明的懒蛋觉得开发服务器也能用来部署',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 10:33:25',updatedAt:'2025-03-29 12:05:58',mentionNum:0,mentionedBy:[],mentionUsers:[],likeUsers:[],},{id:84367,num:10,uid:15311,content:'#7 有点好奇为什么你的 poc 没有别的 POC 的 star 高，明明你的发布时间更早 \u003Cimg src\u003D\"https://i.imgur.com/F29pmQ6.png\"\u003E  难道是语言的问题么',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 10:39:55',updatedAt:'2025-03-29 12:05:58',mentionNum:7,mentionedBy:[],mentionUsers:[],likeUsers:[],},{id:84368,num:11,uid:14675,content:'首先对外的服务器，第一件事就是对端口进行控制，最好就是能不暴露就不暴露，\u003Cbr\u003E如果只是内部使用，可以试试 零信任，或者 ssh 隧道。\u003Cbr\u003E开发的话，可以用 vscode 远程开发插件',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 10:57:43',updatedAt:'2025-03-29 12:05:58',mentionNum:0,mentionedBy:[],mentionUsers:[],likeUsers:[],},{id:84369,num:12,uid:892,content:'5 分，不太高。毕竟仅仅是 dev server 。真有小白用 dev server 作为 prod hosting 的话，只能说是 skill issue 了。',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 11:01:51',updatedAt:'2025-03-29 12:05:58',mentionNum:0,mentionedBy:[],mentionUsers:[],likeUsers:[],},{id:84370,num:13,uid:2949,content:'用的 Nuxt ，没发现这个问题。',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 11:07:27',updatedAt:'2025-03-29 12:05:58',mentionNum:0,mentionedBy:[],mentionUsers:[],likeUsers:[],},{id:84371,num:14,uid:15310,content:'大概率是的，而且我的 POC 明显更完善。还有一个原因可能是 TOP1 自带流量',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 11:31:08',updatedAt:'2025-03-29 12:05:58',mentionNum:0,mentionedBy:[],mentionUsers:[],likeUsers:[],},{id:84372,num:15,uid:2352,content:'内容太夸张了, vite 都是本地开发用的, 根本没有什么隐患',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 11:37:11',updatedAt:'2025-03-29 12:05:58',mentionNum:0,mentionedBy:[],mentionUsers:[],likeUsers:[],},{id:84373,num:16,uid:15310,content:'其实公网上很多这种情况',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 11:43:40',updatedAt:'2025-03-29 12:05:58',mentionNum:0,mentionedBy:[],mentionUsers:[],likeUsers:[],},{id:84374,num:17,uid:8114,content:'笑死，刚上班的状态确实是这样的',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 11:50:35',updatedAt:'2025-03-29 12:05:58',mentionNum:0,mentionedBy:[],mentionUsers:[],likeUsers:[],},{id:84375,num:18,uid:8774,content:'哈哈，不排除有人用 vite 起个 npm run dev 跑服务',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 12:10:23',updatedAt:'2025-03-29 12:05:58',mentionNum:0,mentionedBy:[],mentionUsers:[],likeUsers:[],},{id:84376,num:19,uid:15312,content:'屁大点儿事，一惊一乍，像个菜鸡',ipRegion:'',updatedByUid:0,createdAt:'2025-03-27 12:25:36',updatedAt:'2025-03-29 12:05:58',mentionNum:0,mentionedBy:[],mentionUsers:[],likeUsers:[],},],usersMap:new Map([[892,{uid:892,url:'/u/122379096a045c776863546f39012435',avatar:'/a/122379096a045c776863546f39012435',username:'jaylee4869🤖',}],[8857,{uid:8857,url:'/u/080d625e6a045c7f686f516f210e2a1f',avatar:'/a/080d625e6a045c7f686f516f210e2a1f',username:'zeroskylian🤖',}],[2949,{uid:2949,url:'/u/3e7b041a6a045c75696e5f6f31216420',avatar:'/a/3e7b041a6a045c75696e5f6f31216420',username:'sn0wdr1am🤖',}],[2500,{uid:2500,url:'/u/2c2a483c6a045c75656a566f435a672a',avatar:'/a/2c2a483c6a045c75656a566f435a672a',username:'Linho1219🤖',}],[15310,{uid:15310,url:'/u/3e3f77256a045d72636b566f42106b03',avatar:'/a/3e3f77256a045d72636b566f42106b03',username:'xuemian🤖',}],[15309,{uid:15309,url:'/u/1e7e031f6a045d72636a5f6f2f1d0a16',avatar:'/a/1e7e031f6a045d72636a5f6f2f1d0a16',username:'ic3z🤖',}],[15312,{uid:15312,url:'/u/63227f396a045d72636b546f2e083516',avatar:'/a/63227f396a045d72636b546f2e083516',username:'dyq917🤖',}],[3900,{uid:3900,url:'/u/14247f096a045c74696a566f063e662e',avatar:'/a/14247f096a045c74696a566f063e662e',username:'KinBob🤖',}],[2352,{uid:2352,url:'/u/1100611d6a045c75636f546f345d022b',avatar:'/a/1100611d6a045c75636f546f345d022b',username:'weijancc🤖',}],[5056,{uid:5056,url:'/u/390e5e396a045c72606f506f100f090d',avatar:'/a/390e5e396a045c72606f506f100f090d',username:'Vegetable🤖',}],[170,{uid:170,url:'/u/0824735d6a045c77616d566f050f647e',avatar:'/a/0824735d6a045c77616d566f050f647e',username:'zhengfan2016🤖',}],[8774,{uid:8774,url:'/u/361e0b246a045c7f676d526f30501409',avatar:'/a/361e0b246a045c7f676d526f30501409',username:'liubaicai🤖',}],[14675,{uid:14675,url:'/u/3225515b6a045d73666d536f122d2373',avatar:'/a/3225515b6a045d73666d536f122d2373',username:'jenson47🤖',}],[796,{uid:796,url:'/u/0f0c05056a045c776763506f0e282712',avatar:'/a/0f0c05056a045c776763506f0e282712',username:'wangtian2020🤖',}],[8114,{uid:8114,url:'/u/683a6a036a045c7f616b526f12103137',avatar:'/a/683a6a036a045c7f616b526f12103137',username:'imba97🤖',}],[15311,{uid:15311,url:'/u/027f783a6a045d72636b576f1a39091e',avatar:'/a/027f783a6a045d72636b576f1a39091e',username:'Nldgd**🤖',}],[36,{uid:36,url:'/u/203c022c6a045c776069506f3e250728',avatar:'/a/203c022c6a045c776069506f3e250728',username:'paopjian🤖',}],]),related:[{title:'推荐一款自己写的提升效率的浏览器插件： HarmonyAutoCopy，让文本复制更轻松！',url:'/d/6f06033d6a045c77606a567a475c646a1f371708',},{title:'程序猿创业失败，转行做独立开发',url:'/d/393e7d3e6a045c77606a56754350616a59191c16',},{title:'发现一个有意思的项目，把一个字符串隐藏到另一个字符串中',url:'/d/3c117a346a045c77606a56754359676a5b323b0b',},{title:'编程小白，终于成功上线了自己的第一个导航站😭 激动',url:'/d/333944256a045c77606a56754451666a3e0e3e67',},{title:'vue 指令更新问题',url:'/d/2f3c4a3e6a045c77606a5675445e636a250e3f24',},{title:'小红书 ｜ 图文，视频，评论 浏览与导出工具',url:'/d/1b1806556a045c77606a56754458676a04343b26',},{title:'[BadouCMS] Vue3+TypeScript+ThinkPHP8 构建 CMS 系统(开源)',url:'/d/303350036a045c77606a56754458626a20390564',},{title:'开发了一个开箱即用的本地终端 Ztty',url:'/d/0c045a2e6a045c77606a5675455e6b6a3e200734',},{title:'第一个完全用 AI 工具生成的工具站',url:'/d/6a18771a6a045c77606a5675475e616a01126104',},{title:'为什么 vue 的 nuxt.js 不跟进 nextjs 的 app route 目录结构',url:'/d/02116a1e6a045c77606a56744f516a6a1b02141e',},{title:'做定时任务，一定要用这个神库！',url:'/d/2a1a550b6a045c77606a56744f5b626a5c151613',},{title:'XUGOU - 轻量级系统监控平台，基于 CloudFlare 零成本部署！',url:'/d/0a21430f6a045c77606a56744f58656a0f741e25',},{title:'NextJS 超瓜皮漏洞，赶紧升级！',url:'/d/03226a096a045c77606a56744258646a59126264',},{title:'Typescript 如此成功，为何没有发展出所谓 “Typthon”?',url:'/d/35315c016a045c77606a5674445f626a0e730224',},{title:'为什么 Python 、Node.js 就不能学习一下 C#这种优雅的依赖管理方式？',url:'/d/0f1f5f3d6a045c77606a5674445c676a04311f60',},{title:'求助！双显卡连接 6 个屏幕，展示不同的 URL 页面。Electron 的 displayId 每次重启都会变',url:'/d/1f3158176a045c77606a56744551676a24111b3b',},{title:'关于 react native 和 flutter',url:'/d/6f7c03286a045c77606a56774e50616a27221935',},{title:'[野生程序员花三天时间用 Cursor 复刻经典游戏「俄罗丝方块」，求各位提点建议]',url:'/d/6b047a5e6a045c77606a56774e5c626a2b361d65',},{title:'分享一个用 JS、canvas 写的星空穿越效果',url:'/d/191c61346a045c77606a5677425e6a6a2f28273c',},{title:'郑州招 Python , Node.js 开发岗',url:'/d/082c61146a045c77606a5677425e616a3d706116',},],}
const App={setup(){const goTo=useGoTo()
const{mdAndUp}=useDisplay()
return{goTo,mdAndUp}},data(){return data;},mounted(){const themeDark=localStorage.getItem("themeDark")
if(themeDark!==null){this.theme.dark=JSON.parse(themeDark)}
if(this.nav.post.total>(this.nav.post.currentPage-1)*100+20){let moreLen=100
if(this.nav.post.total<this.nav.post.currentPage*100){moreLen=this.nav.post.total-(this.nav.post.currentPage-1)*100}
let morePosts=Array.from({length:moreLen},(_,v)=>({id:null,num:(this.nav.post.currentPage-1)*100+v,uid:null,content:null,ipRegion:null,updatedByUid:null,createdAt:null,updatedAt:null,mentionNum:null,mentionedBy:null,mentionUsers:null,likeUsers:null,}))
this.posts.push(...morePosts.slice(20))}
this.workerStart()
const hash=window.location.hash
const match=hash.match(/#(\d+)/)
if(match){const n=parseInt(match[1],10)
if(n>=(this.nav.post.currentPage-1)*100&&n<this.nav.post.currentPage*100){this.$nextTick(()=>{this.jumpTo(n)})}}
this.$nextTick(()=>{this.addHeadingIds()
tocbot.init({tocSelector:'.toc',contentSelector:'#post-content-0',headingSelector:'h2, h3, h4',headingsOffset:100,scrollSmoothOffset:-100,scrollSmooth:true,collapseDepth:6,onClick:function(e){setTimeout(()=>{history.replaceState(null,'',window.location.pathname+window.location.search)},0)},})
tocbot.refresh()});},beforeUnmount(){this.workerStop()
if(this.quill){this.quill.destroy()
this.quill=null}},computed:{dposts(){return this.posts.slice(20);},},created(){},methods:{successAlert(msg){this.alert={show:true,color:'success',text:msg,timeout:1500,}},failureAlert(msg){this.alert={show:true,color:'error',text:msg,timeout:5000,}},flipThemeDark(){this.theme.dark=!this.theme.dark
localStorage.setItem("themeDark",JSON.stringify(this.theme.dark))},toSearch(){if(!this.search.text){this.failureAlert('搜索词不能为空')
return}
let keywords=this.search.text.trim()
if(keywords.length<1){this.failureAlert('搜索词不能为空')
return}
if(keywords.length>100){this.failureAlert('搜索词过长')
return}
this.doSearch(keywords)},toReg(){window.location.href="/reg"},toLogin(){window.location.href="/login"},toPage(){let url=window.location.href
url=url.replace(/(\/\d+)?(#[0-9]+)?$/,this.nav.post.targetPage>1?`/${this.nav.post.targetPage}`:'')
window.location.href=url},toLoadRelated({done}){if(this.my&&this.my.uid){this.apiLoadRelated({done})}else{done('ok')}},workerStart(){this.nav.post.worker=setInterval(()=>{this.workerLoad()},500);},workerStop(){if(this.nav.post.worker){clearInterval(this.nav.post.worker);this.nav.post.worker=null;}},async jumpTo(num){const page=Math.floor(num/100)+1
const i=num-(page-1)*100
if(page===this.nav.post.currentPage){this.goTo("#post-"+num,this.nav.post.goToOptions)
if(!this.posts[i].id){const block=Math.floor(num/20)+1
this.nav.post.apiLock[block]=true
await this.apiLoadPosts(block)
this.$nextTick(()=>{this.goTo("#post-"+num,this.nav.post.goToOptions)})}}else{let url=window.location.href
url=url.replace(/(\/\d+)?(#[0-9]+)?$/,page>1?`/${page}`:'')
url=url+"#"+num
window.location.href=url}},postIntersect(num){return(isIntersecting,entries,observer)=>{if(isIntersecting){this.nav.post.task.push(num)
this.nav.post.active.push(num)
this.nav.post.active=this.nav.post.active.filter(item=>Math.abs(item-num)<=5)
this.nav.post.active.sort((a,b)=>a-b)}else{this.nav.post.active=this.nav.post.active.filter(item=>item!==num)}
if(this.nav.post.active[0]){this.nav.post.anchor=this.nav.post.active[0]}else{this.nav.post.anchor=0}}},async apiLoadPosts(block){try{const response=await axios.post('/fapi/v1/post/block/'+block,{discussionId:this.nav.post.discussionId,})
if(response.data.code===0){response.data.data.posts.forEach(post=>{const i=post.num%100
Object.assign(this.posts[i],post)})
response.data.data.users.forEach(user=>{this.usersMap.set(user.uid,user)})}else{this.failureAlert('回帖数据加载失败: '+response.data.msg)}}catch(error){this.failureAlert('回帖数据加载失败: '+error)}
this.nav.post.apiLock[block]=false},workerLoad(){while(this.nav.post.task.length){const num=this.nav.post.task.pop()
const i=num-(this.nav.post.currentPage-1)*100
if(!this.posts[i].id){const block=Math.floor(num/20)+1
if(!this.nav.post.apiLock[block]){this.nav.post.apiLock[block]=true
this.apiLoadPosts(block)}}}},getTimeInfo(t){if(!t){return ""}
const now=new Date();const then=new Date(t);const diff=now-then;const minute=60*1000;const hour=minute*60;const day=hour*24;const month=day*30;const year=month*12;if(diff<minute)return ' @ 刚刚'
else if(diff<hour)return ` @ ${Math.floor(diff/minute)}分钟前`
else if(diff<day)return ` @ ${Math.floor(diff/hour)}小时前`
else if(diff<month)return ` @ ${Math.floor(diff/day)}天前`
else if(diff<year)return ` @ ${Math.floor(diff/month)}月前`
else return ` @ ${Math.floor(diff/year)}年前`},getUsernameByUid(uid){const user=this.usersMap.get(uid)
if(!user){return "user"+uid}
return user.username},getUsernameByPostNum(num){const post=this.posts.find(post=>post.num===num)
if(!post){return "#"+num}
const uid=post.uid
const username=this.usersMap.get(uid)?.username
if(!username){return "#"+num}
return username},getUsernameByPostId(id){const post=this.posts.find(post=>post.id===id)
if(!post){return "#"+this.getPostNumByPostId(id)}
const uid=post.uid
const username=this.usersMap.get(uid).username
if(!username){return "#"+this.getPostNumByPostId(id)}
return username},getPostNumByPostId(id){const post=this.posts.find(post=>post.id===id)
return post.num},getPostById(id){const post=this.posts.find(post=>post.id===id)
return post},getPostByNum(num){const post=this.posts.find(post=>post.num===num)
return post},getAvatarByUid(uid){const avatar=this.usersMap.get(uid)?.avatar
if(!avatar){return this.getRandomAvatar()}
return avatar},getAvatarByPostNum(num){const post=this.posts.find(post=>post.num===num)
if(!post){return this.getRandomAvatar()}
const uid=post.uid
return this.getAvatarByUid(uid)},getRandomAvatar(){const num=Math.floor(Math.random()*100)
return "https://randomuser.me/api/portraits/men/"+num+".jpg"},getUrlByUid(uid){const url=this.usersMap.get(uid)?.url
if(!url){return ""}
return url},getTextByPostNum(num){const post=this.posts.find(post=>post.num===num)
if(!post||!post.content){return '点击跳转到#'+num+'查看'}
const parser=new DOMParser()
const doc=parser.parseFromString(post.content,'text/html')
const text=doc.body.textContent||''
return text.slice(0,100)},addHeadingIds(){const content=document.getElementById('post-content-0')
if(!content){this.nav.showTOC=false
return}
const headings=content.querySelectorAll('h2, h3, h4')
headings.forEach((heading,index)=>{if(!heading.id){heading.id=`toc-nav-${index}`}})
if(headings.length==0){this.nav.showTOC=false}},async doSearch(keywords){this.search.loading=true
try{const response=await axios.post('/fapi/v1/search',{keywords:keywords,})
if(response.data.code===0){if(response.data.data.hash&&response.data.data.hash.length===32){window.location.href="/s/"+response.data.data.hash}else{this.failureAlert('搜索失败: 搜索服务异常')}}else{this.failureAlert('搜索失败: '+response.data.msg)}}catch(error){this.failureAlert('搜索失败: '+error)}
this.search.loading=false},debounce(fn,delay){let timer=null
return function(...args){if(timer)clearTimeout(timer)
timer=setTimeout(()=>{fn.apply(this,args)},delay);};},},watch:{'nav.post.targetPage':{handler:async function(newV,oldV){this.toPage()},immediate:false},},}
const vuetify=createVuetify({defaults:{global:{ripple:true,},},})
const app=createApp(App)
app.use(vuetify).mount("#app")