Refactor theme and language validation to use basic format checks instead of allowlists
All checks were successful
Build & Push Docker Image / build (push) Successful in 6m22s
@@ -11,7 +11,7 @@ A modern, self-hosted BigBlueButton frontend with beautiful themes, federation,
### Core Features
- 🎥 **Video Conferencing** – Integrated BigBlueButton support for professional video meetings
- 🎨 **15+ Themes** – Dracula, Nord, Catppuccin, Rosé Pine, Gruvbox, and more (extensible via volume mount)
- 🎨 **15+ Themes** – Dracula, Nord, Catppuccin, Rosé Pine, Gruvbox, and more
- 📝 **Room Management** – Create unlimited rooms with custom settings, access codes, and moderator codes
- 🔐 **User Management** – Registration, login, role-based access control (Admin/User)
- 📹 **Recording Management** – View, publish, and delete meeting recordings per room
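Review bot: the removal of "(extensible via volume mount)" from the Themes bullet is not explained by the commit message, which only describes the validation change. If mounted theme directories are no longer supported, say so in the commit message and in the Docker/volume documentation; if they still work, the note should stay, because it is the one place a reader learns that themes can come from outside the image.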
@@ -42,7 +42,7 @@ A modern, self-hosted BigBlueButton frontend with beautiful themes, federation,
### Security
- 🛡️ **Comprehensive Rate Limiting** – Login, register, profile, avatar, guest-join, and federation endpoints
- 🔒 **Input Validation** – Email format, field length limits, theme/language allowlists, color format validation
- 🔒 **Input Validation** – Email format, field length limits, ID format checks, color format validation
- 🕐 **Timing-Safe Comparisons** – Access codes and moderator codes compared with `crypto.timingSafeEqual`
- 📏 **Streaming Upload Limits** – Avatar (5 MB) and presentation (50 MB) uploads reject early without buffering
- 🧹 **XSS Prevention** – HTML-escaped emails, XML-escaped BBB parameters, SVG sanitization
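Review bot: "ID format checks" in the Input Validation bullet does not tell the reader what replaced the allowlist. An allowlist is an exact guarantee; a format check is only as strong as its pattern, so the entry should name the accepted shape (allowed character class and maximum length) so the security section remains verifiable against the code. If a theme or language identifier is used to resolve a file under the themes or i18n directories, the stated pattern should make clear that it excludes path separators and dot segments.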
@@ -186,7 +186,7 @@ redlight/
│ ├── i18n/ # Translations (DE, EN)
│ ├── pages/ # Page components
│ ├── services/ # API client
│ ├── themes/ # Tailwind theme config (volume-mountable)
│ ├── themes/ # Tailwind theme config
│ └── main.jsx # Frontend entry point
├── public/ # Static assets
├── uploads/ # User avatars, branding & presentations (runtime)
@@ -206,7 +206,7 @@ redlight/
- **Email Verification** – Optional SMTP-based email verification with resend support
- **CORS Protection** – Restricted to `APP_URL` in production, open in development
- **Rate Limiting** – Login, register, profile, password, avatar, guest-join, and federation endpoints
- **Input Validation** – Email regex, field length limits, theme/language allowlists, hex-color format checks
- **Input Validation** – Email regex, field length limits, ID format checks, hex-color format checks
- **Timing-Safe Comparisons** – Access codes and moderator codes compared via `crypto.timingSafeEqual`
- **Upload Safety** – Streaming body size limits (avatar 5 MB, presentation 50 MB) abort early without buffering
- **XSS / Injection Prevention** – HTML-escaped emails, XML-escaped BBB API parameters, SVG logos served as `attachment`
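Review bot: dropping the language allowlist here is hard to justify when the project structure in this same diff lists translations as a fixed set (`i18n/ # Translations (DE, EN)`); a format check cannot distinguish a real locale from any other short identifier, whereas an allowlist built from the shipped translations is exact and costs nothing to maintain. A format check is reasonable for themes if they are discovered at runtime, but the language check should either keep its allowlist or the entry should explain why shape-only validation is sufficient for it.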