yiekheng e1ba1da2de feat(web): safeRedirect helper for the login \?next= param ...

Falls back to / for anything that isn't a single-slash-prefixed
relative path. Locks out protocol-relative (//evil.com), absolute
(https://evil.com), and javascript: redirects. 7 tests cover the
full attacker matrix.

2026-05-10 17:44:10 +08:00

..

bot

fix(bot): dedupe duplicate reminder.fire jobs (msg sent twice)

2026-05-10 16:41:11 +08:00

web

feat(web): safeRedirect helper for the login \?next= param

2026-05-10 17:44:10 +08:00