fisker's blog
Home Page: https://www.fiskercheung.com/
License: MIT License
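Today I read some documentation about the HTML form element and noted a few points.
Because POST, GET, PUT and the other methods are uppercase in the HTTP specification, I always assumed method should be uppercase too; according to the specification it should actually be lowercase.
https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#attr-fs-method
Although they are case-insensitive, it is still better to follow the specification; in fact, whether you write it in uppercase or lowercase, form.method will be lowercase. Likewise, button[formmethod] should be lowercase.
I thought of looking this up because I recently used method="dialog".
form.enctype
HTML5 added a new value, text/plain. I searched around and could not find the specific reason for adding it; perhaps, as the few articles I found say, it is only somewhat useful with form[action^="mailto:"].
input[type="checkbox"]
indeterminate does not affect the submission of a checkbox; only checked matters.
To submit the indeterminate state, you can create an input[type="hidden"] to hold it.
Specification: https://html.spec.whatwg.org/multipage/forms.html#htmlformelement
A few points I did not know before:
When a form control element is accessed by name or id, the result has nothing to do with the input's type. It depends only on the number of elements: whenever there are multiple elements, a RadioNodeList is returned (even if their type is not radio); if there is only one element, an HTMLElement is returned (even if the input's type is radio).
Because of the previous point, if the form contains only one radio with that name, you may hit a pitfall here: the radio may not actually be checked, because with only one element what is returned is an HTMLInputElement, which generally has a value.
img
When no form control element has the name you access but there is an img[id="name"], you get an <img> element; other elements with the same id are not returned.
When an input's id or name changes, you can still access the input by its original id or name until the element is removed.
CSS Peek -- cause vscode freeze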
There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.
Error type: undefined. Note: this is a nested preset so please contact the preset author if you are unable to fix it yourself.
🌈 Node.js bindings to libsass
Library home page: https://github.com/sass/node-sass.git
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_OPERATORS expansion allow attackers to cause a denial-of-service resulting from stack consumption via a crafted sass file, as demonstrated by recursive calls involving clone(), cloneChildren(), and copy().
Publish Date: 2018-12-04
URL: CVE-2018-19838
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19838
Fix Resolution: 3.5.5
Step up your Open Source Security Game with WhiteSource here
function reverseImage(image) {
  const canvas = document.createElement('canvas')
  const {width, height} = image
  Object.assign(canvas, {width, height})
  const context = canvas.getContext('2d')
  context.drawImage(image, 0, 0)
  const {data} = context.getImageData(0, 0, width, height)
  // Invert every byte and reverse the byte order, then swap width and height
  const imageData = new ImageData(
    new Uint8ClampedArray(
      Array.from(data).map(x => 255 - x).reverse()
    ),
    height,
    width
  )
  Object.assign(canvas, {width: height, height: width})
  context.putImageData(imageData, 0, 0)
  return canvas
}
function simpleImageEncode(imageUrl) {
  return new Promise(resolve => {
    const image = new Image()
    image.src = imageUrl
    image.onload = () => {
      resolve(reverseImage(image))
    }
  })
}
Update: not safe, alpha value position can't change, will lose color, should only switch position of rgb values
🌈 Node.js bindings to libsass
Library home page: https://github.com/sass/node-sass.git
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
An issue was discovered in LibSass through 3.5.4. A NULL pointer dereference was found in the function Sass::Functions::selector_append which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11694
Base Score Metrics:
🌈 Node.js bindings to libsass
Library home page: https://github.com/sass/node-sass.git
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
A use-after-free vulnerability exists in handle_error() in sass_context.cpp in LibSass 3.4.x and 3.5.x through 3.5.4 that could be leveraged to cause a denial of service (application crash) or possibly unspecified other impact.
Publish Date: 2018-05-26
URL: CVE-2018-11499
Base Score Metrics:
vi /etc/ssh/sshd_config
# Update
yum update -y
# Dependencies
yum install -y xz openssl gawk file wget
# Download the script
wget -N --no-check-certificate "https://raw.githubusercontent.com/chiakge/installNET/master/Install.sh"
chmod +x Install.sh
./Install.sh
https://www.oldking.net/697.html
wget --no-check-certificate https://git.io/superupdate.sh
chmod +x superupdate.sh
./superupdate.sh
wget --no-check-certificate https://github.com/teddysun/across/raw/master/bbr.sh && chmod +x bbr.sh && ./bbr.sh
uname -r
sysctl net.ipv4.tcp_available_congestion_control # output should include bbr
sysctl net.ipv4.tcp_congestion_control # output should include bbr
sysctl net.core.default_qdisc # output should be fq
lsmod | grep bbr # output should include tcp_bbr
wget -N --no-check-certificate "https://raw.githubusercontent.com/chiakge/Linux-NetSpeed/master/tcp.sh"
chmod +x tcp.sh
./tcp.sh
vi /etc/sysconfig/network-scripts/ifcfg-eth0
# DNS1=1.1.1.1
# DNS2=8.8.8.8
systemctl disable firewalld
systemctl stop firewalld
https://www.bandwagonhost.net/2144.html
https://www.thegeekdiary.com/how-to-enable-ipv6-on-centos-rhel-7/
wget --no-check-certificate https://github.com/teddysun/across/raw/master/unixbench.sh
chmod +x unixbench.sh
./unixbench.sh
wget --no-check-certificate -qO bench.sh https://bench.sh/
chmod +x bench.sh
./bench.sh
https://www.oldking.net/599.html
wget --no-check-certificate https://raw.githubusercontent.com/oooldking/script/master/superbench.sh
chmod +x superbench.sh
./superbench.sh
https://www.oldking.net/305.html
wget https://raw.githubusercontent.com/oooldking/script/master/superspeed.sh
chmod +x superspeed.sh
./superspeed.sh
https://github.com/FunctionClub/ZBench
wget -N --no-check-certificate https://raw.githubusercontent.com/FunctionClub/ZBench/master/ZBench-CN.sh
chmod +x ZBench-CN.sh
./ZBench-CN.sh
Preparation
yum install wget unzip -y
BBR
wget -N --no-check-certificate https://raw.githubusercontent.com/chiakge/Linux-NetSpeed/master/tcp.sh
chmod +x tcp.sh
./tcp.sh
Install
wget -N --no-check-certificate https://raw.githubusercontent.com/atrandys/trojan/master/trojan_mult.sh
chmod +x trojan_mult.sh
./trojan_mult.sh
https://www.atrandys.com/2019/1963.html
/usr/src/trojan/server.conf
systemctl restart trojan
/usr/share/nginx/html/
ssr.sh
https://github.com/ToyoDAdoubi/doubi#ssrsh
https://doub.io/ss-jc42/
wget -N --no-check-certificate https://raw.githubusercontent.com/ToyoDAdoubi/doubi/master/ssr.sh
chmod +x ssr.sh
./ssr.sh
ssrmu.sh
https://github.com/ToyoDAdoubi/doubi#ssrmush
https://doub.io/ss-jc60/
wget -N --no-check-certificate https://raw.githubusercontent.com/ToyoDAdoubi/doubi/master/ssrmu.sh
chmod +x ssrmu.sh
./ssrmu.sh
https://github.com/ToyoDAdoubi/doubi#brooksh
wget -N --no-check-certificate https://raw.githubusercontent.com/ToyoDAdoubi/doubi/master/brook.sh
chmod +x brook.sh
./brook.sh
https://github.com/Jrohy/multi-v2ray
wget -qO multi-v2ray.sh https://multi.netlify.com/v2ray.sh
chmod +x multi-v2ray.sh
./multi-v2ray.sh
https://github.com/FunctionClub/V2ray.Fun
wget --no-check-certificate -qO v2ray.fun.sh https://raw.githubusercontent.com/FunctionClub/V2ray.Fun/master/install.sh
chmod +x v2ray.fun.sh
./v2ray.fun.sh
https://www.atrandys.com/2018/886.html
https://github.com/hongwenjun/vps_setup
wget https://git.io/wireguard.sh
chmod +x wireguard.sh
./wireguard.sh
https://gitlab.com/misakablog/naiveproxy-script
wget https://gitlab.com/misakablog/naiveproxy-script/-/raw/main/naiveproxy.sh
chmod +x naiveproxy.sh
./naiveproxy.sh
const config = require('../blog-config.js')
const localforage = require('localforage')
const template = require('lodash.template')
const marked = require('marked')
const Promise = window.Promise || require('es6-promise').Promise
const assign = Object.assign || require('object.assign')
const highlight = require('highlight.js')
marked.setOptions({
highlight: function(code) {
return highlight.highlightAuto(code).value;
}
})
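Fork this repo
https://github.com/fisker/blog
git checkout it locally
Install dependencies
yarn
Edit blog-config.js
Things that need to be changed
Local preview
npm run dev
Publish
npm run publish
commit and push to GitHub
In the repository's settings, find GitHub Pages and change Source to master/docs; after that the site is accessible
HTTPS and custom domain issues can be solved with https://www.netlify.com/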
🌈 Node.js bindings to libsass
Library home page: https://github.com/sass/node-sass.git
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an endless loop (containing a Sass::Inspect::operator()(Sass::String_Quoted*) stack frame) may cause a Denial of Service via crafted sass input files with stray '&' or '/' characters.
Publish Date: 2018-12-03
URL: CVE-2018-19826
Base Score Metrics:
🌈 Node.js bindings to libsass
Library home page: https://github.com/sass/node-sass.git
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::handle_error which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11698
Base Score Metrics:
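When you write a blog with issues, the anonymous API is subject to a rate limit.
You can use a public access token for users.
How to apply: click this address
Ticking repo/public_repo is enough
Note that the access token must not appear in the repository's code: as soon as the uploaded code contains the token, the token is invalidated immediately
Workarounds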
let token = ['f6a841b6', 'a39cd242cba5970', 'b59488d68a23f05d4'].join('')
let token = 'f6a841b6' +'a39cd242cba5970b59488d68a23f05d4'
let token = atob('ZjZhODQxYjZhMzljZDI0MmNiYTU5NzBiNTk0ODhkNjhhMjNmMDVkNA')
In short, just make sure it does not appear directly
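From the reviewer's side, the three workarounds above are still mechanically recoverable. The following is an added example (not code from the original post) of a line-based check that flags a 40-hex-digit secret written directly, split into fragments, or base64-encoded; `findHiddenTokens`, `FAKE_TOKEN` and `SAMPLE_SOURCE` are hypothetical names and the token is constructed.

```javascript
// Added example: detect a 40-hex-digit secret hidden by splitting or base64.
// FAKE_TOKEN is a constructed value, not a real credential.
const FAKE_TOKEN = '0123456789abcdef0123456789abcdef01234567'
const HEX40 = /^[0-9a-f]{40}$/i

// Quoted string literals on one line of source (escape sequences are not handled).
function stringLiterals(line) {
  return [...line.matchAll(/(['"])((?:(?!\1).)*)\1/g)].map(match => match[2])
}

// Decode a literal as base64; null when it cannot be base64 at all.
function tryBase64(literal) {
  if (!/^[A-Za-z0-9+/]{4,}={0,2}$/.test(literal)) return null
  return Buffer.from(literal, 'base64').toString('latin1')
}

// Return [{line, kind}] for every line that carries a 40-hex-digit secret.
function findHiddenTokens(source) {
  const findings = []
  source.split('\n').forEach((text, index) => {
    const literals = stringLiterals(text)
    // Fragments made only of hex digits are candidates for re-assembly.
    const hexParts = literals.filter(l => /^[0-9a-f]+$/i.test(l))
    let kind = null
    if (literals.some(l => HEX40.test(l))) kind = 'literal'
    else if (hexParts.length > 1 && HEX40.test(hexParts.join(''))) kind = 'split'
    else if (literals.some(l => HEX40.test(tryBase64(l) || ''))) kind = 'base64'
    if (kind) findings.push({line: index + 1, kind})
  })
  return findings
}

// Constructed sample mirroring the three patterns, plus a benign line and a plain literal.
const SAMPLE_SOURCE = [
  `let a = ['${FAKE_TOKEN.slice(0, 8)}', '${FAKE_TOKEN.slice(8, 23)}', '${FAKE_TOKEN.slice(23)}'].join('')`,
  `let b = '${FAKE_TOKEN.slice(0, 8)}' + '${FAKE_TOKEN.slice(8)}'`,
  `let c = atob('${Buffer.from(FAKE_TOKEN).toString('base64').replace(/=+$/, '')}')`,
  `let d = 'hello' + 'world'`,
  `let e = '${FAKE_TOKEN}'`,
].join('\n')

console.log(findHiddenTokens(SAMPLE_SOURCE))
```

The check works one line at a time, so fragments spread over several statements need a real parser and constant folding.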
🌈 Node.js bindings to libsass
Library home page: https://github.com/sass/node-sass.git
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::skip_over_scopes which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11693
Base Score Metrics:
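The width of an inline-block child inside a nowrap container may differ from what you expect
demo: https://jsfiddle.net/fisker/r96jnwda/
There is a similar question on Stack Overflow
There are many solutions; you can try them yourself.
Taking advantage of this, you can actually try a layout
It suits layouts where one part has a fixed width and the other part takes the remaining space
The benefit is that vertical centering becomes very simple.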
Download the ngx_brotli module
cd ~
git clone --recursive git@github.com:google/ngx_brotli.git
Modify the nginx build options
cd ~/lnmp1.6
vi lnmp.conf
In Nginx_Modules_Options add
--add-module=/root/ngx_brotli
Build nginx
./upgrade.sh nginx
After entering the version number, wait for the installation to finish
Enable Brotli: edit the nginx configuration file and add
# brotli
brotli on;
brotli_comp_level 6;
brotli_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
For more directives see https://github.com/google/ngx_brotli#configuration-directives
Lodash modular utilities.
path: /tmp/git/blog/node_modules/lodash-cli/node_modules/lodash/package.json
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.5.tgz
Dependency Hierarchy:
In the node_module "lodash" before version 4.17.11 the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
Publish Date: 2018-11-25
URL: WS-2018-0210
Type: Change files
Origin: lodash/lodash@90e6199
Release Date: 2018-08-31
Fix Resolution: Replace or update the following files: lodash.js, test.js
🌈 Node.js bindings to libsass
Library home page: https://github.com/sass/node-sass.git
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
In LibSass 3.5.5, a use-after-free vulnerability exists in the SharedPtr class in SharedPtr.cpp (or SharedPtr.hpp) that may cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-12-03
URL: CVE-2018-19827
Base Score Metrics:
Deeply assign the enumerable properties of source objects to a destination object.
path: /tmp/git/blog/node_modules/assign-deep/package.json
Library home page: http://registry.npmjs.org/assign-deep/-/assign-deep-0.3.1.tgz
Dependency Hierarchy:
assign-deep node module before 0.4.7 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability, which allows a malicious user to modify the prototype of "Object" via proto, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-06-07
URL: CVE-2018-3720
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3720
Release Date: 2018-06-07
Fix Resolution: 0.4.7
Response: https://developer.mozilla.org/en-US/docs/Web/API/Response
FileReader: https://developer.mozilla.org/en-US/docs/Web/API/FileReader
Response is Promise-based, while FileReader is event-based
Reading the same file
Using FileReader
;(file => {
  const fr = new FileReader()
  fr.onload = () => {
    console.log(
      'FileReader.readAsText()',
      fr.result
    )
  }
  fr.readAsText(file)
})(new File(['hello from fisker.txt'], 'fisker.txt'))
Using Response is much more elegant
;(async file => {
  console.log(
    'Response.text()',
    await new Response(file).text()
  )
})(new File(['hello from fisker.txt'], 'fisker.txt'))
However, the two APIs differ considerably, and some methods have no counterpart
FileReader.readAsArrayBuffer() -> Body.arrayBuffer()
FileReader.readAsBinaryString() -> none
FileReader.readAsDataURL() -> none
FileReader.readAsText() -> Body.text()
But they are not hard to implement
readAsBinaryString
document.createElement('canvas').toBlob(async file => {
  // FileReader
  const bin1 = await new Promise(resolve => {
    const fr = new FileReader()
    fr.onload = () => {
      resolve(fr.result)
    }
    fr.readAsBinaryString(file)
  })
  console.log('FileReader.readAsBinaryString()', bin1)
  // Response
  const buffer = await new Response(file).arrayBuffer()
  const bin2 = String.fromCharCode.apply(null, new Uint8Array(buffer))
  console.log('Response.arrayBuffer()', bin2)
  // Verify
  console.log(`bin1 equals bin2: ${bin1 === bin2}`)
})
readAsDataURL
;(async file => {
  // FileReader
  const url1 = await new Promise(resolve => {
    const fr = new FileReader()
    fr.onload = () => {
      resolve(fr.result)
    }
    fr.readAsDataURL(file)
  })
  console.log('FileReader.readAsDataURL()', url1)
  // Response
  const buffer = await new Response(file).arrayBuffer()
  const url2 = 'data:' + file.type + ';base64,' +
    btoa(String.fromCharCode.apply(null, new Uint8Array(buffer)))
  console.log('Response.arrayBuffer()', url2)
  // Verify
  console.log(`url1 equals url2: ${url1 === url2}`)
})(new File(['hello from fisker.txt'], 'fisker.txt', {type: 'text/plain'}))
Brace expansion as known from sh/bash
path: /tmp/git/blog/node_modules/lodash-cli/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/package.json
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.6.tgz
Dependency Hierarchy:
index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.
Publish Date: 2018-01-27
URL: CVE-2017-18077
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/338
Release Date: 2017-04-25
Fix Resolution: Upgrade to version 1.1.7 or later.
The previous post, "A promisified confirm should always be resolved", discussed the design of confirm
So, for existing resolve/reject designs, how do we make a function always return a resolved promise?
I spent some time writing a library, p-resolvify
For example, with Element-ui's confirm we can write
Vue.prototype.$confirm = resolvify(Vue.prototype.$confirm)
or
ELEMENT.MessageBox.confirm = resolvify(ELEMENT.MessageBox.confirm)
and then simply
let result = await this.$confirm('确定?')
instead of
let result
try {
  result = await this.$confirm('确定?')
} catch(err) {
  result = 'cancel'
}
Some UI libraries design confirm like this
function badConfirm(msg) {
  return window.confirm(msg)
    ? Promise.resolve(true)
    : Promise.reject(true)
}
Then you can use it like this
badConfirm('你确认吗?')
  .then(() => console.log('确认'))
  .catch(() => console.log('取消'))
It looks great, until you use await
(async () => {
  let ok = false
  try {
    ok = await badConfirm('你确认吗?')
  } catch (err) {}
  console.log(ok ? '确定' : '取消')
})()
Because if you do not use try/catch, your program throws an error
Writing it once or twice may be fine, but when you need to confirm repeatedly, the only feeling is wanting to die
So I recommend that the returned promise always be resolved
async function goodConfirm(msg) {
  return await window.confirm(msg)
}
// OR
function goodConfirm(msg) {
  return new Promise(resolve => resolve(window.confirm(msg)))
}
// OR
function goodConfirm(msg) {
  return Promise.resolve(window.confirm(msg))
}
then syntax
goodConfirm('你确认吗?')
  .then(ok => console.log(ok ? '确认' : '取消'))
await syntax
(async () => {
  let ok = await goodConfirm('你确认吗?')
  console.log(ok ? '确定' : '取消')
})()
Probably not very practical, but it took me a long time to figure out
Key code:
::before {
/*
make sure content reach max-width of cell.
letter-spacing / font-size can be useful.
*/
content: "fisker is a genius.";
word-break: break-all;
display: block;
height: 0;
overflow: hidden;
}
Lodash modular utilities.
path: /tmp/git/blog/node_modules/lodash-cli/node_modules/lodash/package.json
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.5.tgz
Dependency Hierarchy:
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16487
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487
Release Date: 2019-02-01
Fix Resolution: 4.17.11
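The prototype pollution described in the lodash and assign-deep reports on this page, as an added example (not lodash's or assign-deep's code): `naiveMerge` is a simplified stand-in for a deep merge that follows a `__proto__` key, `safeMerge` is a hardened counterpart for plain objects, and all names and the payload are constructed for illustration.

```javascript
// Added example: a deep merge that walks into "__proto__" beside a hardened one.

const isObject = value => value !== null && typeof value === 'object'
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key)

// Vulnerable pattern: every enumerable key is followed, so a "__proto__" key in
// the source makes the recursion write into Object.prototype.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key]
    if (isObject(value)) {
      if (!isObject(target[key])) target[key] = {}
      naiveMerge(target[key], value)
    } else {
      target[key] = value
    }
  }
  return target
}

// Hardened pattern: own keys only, prototype-related keys skipped, and nested
// targets must be own properties before they are reused.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype'])

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue
    const value = source[key]
    if (isObject(value)) {
      if (!hasOwn(target, key) || !isObject(target[key])) target[key] = {}
      safeMerge(target[key], value)
    } else {
      target[key] = value
    }
  }
  return target
}

// Run both merges on the same constructed input and report what leaked.
function comparePollution() {
  // JSON.parse creates "__proto__" as an ordinary own property of the payload.
  const payload = JSON.parse('{"__proto__": {"polluted": true}, "theme": {"dark": true}}')

  naiveMerge({}, payload)
  const naivePolluted = ({}).polluted === true // unrelated objects now inherit it
  delete Object.prototype.polluted // undo the damage before the second run

  const merged = safeMerge({}, payload)
  const safePolluted = ({}).polluted === true
  return {naivePolluted, safePolluted, merged}
}

console.log(comparePollution())
```

Upgrading to the fixed versions listed in the reports remains the actual remediation; the hardened merge only shows what kind of check closes this class of bug.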
🌈 Node.js bindings to libsass
Library home page: https://github.com/sass/node-sass.git
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Selector_List::populate_extends in SharedPtr.hpp (used by ast.cpp and ast_selectors.cpp) may cause a Denial of Service (application crash) via a crafted sass input file.
Publish Date: 2018-12-03
URL: CVE-2018-19797
Base Score Metrics:
🌈 Node.js bindings to libsass
Library home page: https://github.com/sass/node-sass.git
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
An issue was discovered in LibSass through 3.5.4. An out-of-bounds read of a memory region was found in the function Sass::Prelexer::exactly() which could be leveraged by an attacker to disclose information or manipulated to read from unmapped memory causing a denial of service.
Publish Date: 2018-06-04
URL: CVE-2018-11697
Base Score Metrics:
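Using lodash-cli
The JS file generated by lodash template uses the with statement, so it throws an error in strict mode
You can use Function to execute the code, which avoids this problem
const templates = Function('return' + code /* the generated code */)()
// For the minified JS you may need to manually remove the leading ;
See app.js
build parameters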
lodash exports="none" \
iife="(function(){%output%;return templates})()" \
template=*.jst \
-o complied.js
🚨 You need to enable Continuous Integration on all branches of this repository. 🚨
To enable Greenkeeper, you need to make sure that a commit status is reported on all branches. This is required by Greenkeeper because it uses your CI build statuses to figure out when to notify you about breaking changes.
Since we didn’t receive a CI status on the greenkeeper/initial branch, it’s possible that you don’t have CI set up yet. We recommend using Travis CI, but Greenkeeper will work with every other CI service as well.
If you have already set up a CI for this repository, you might need to check how it’s configured. Make sure it is set to run on all new branches. If you don’t want it to run on absolutely every branch, you can whitelist branches starting with greenkeeper/.
Once you have installed and configured CI on this repository correctly, you’ll need to re-trigger Greenkeeper’s initial pull request. To do this, please delete the greenkeeper/initial branch in this repository, and then remove and re-add this repository to the Greenkeeper App’s white list on Github. You'll find this list on your repo or organization’s settings page, under Installed GitHub Apps.
Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.
path: /tmp/git/blog/node_modules/micromatch/node_modules/braces/package.json
Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz
Dependency Hierarchy:
Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.
Publish Date: 2019-02-21
URL: WS-2019-0019
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/786
Release Date: 2019-02-21
Fix Resolution: 2.3.1
🚨 You need to enable Continuous Integration on Greenkeeper branches of this repository. 🚨
To enable Greenkeeper, you need to make sure that a commit status is reported on all branches. This is required by Greenkeeper because it uses your CI build statuses to figure out when to notify you about breaking changes.
Since we didn’t receive a CI status on the greenkeeper/initial branch, it’s possible that you don’t have CI set up yet. We recommend using Travis CI, but Greenkeeper will work with every other CI service as well.
If you have already set up a CI for this repository, you might need to check how it’s configured. Make sure it is set to run on all new branches. If you don’t want it to run on absolutely every branch, you can whitelist branches starting with greenkeeper/.
Once you have installed and configured CI on this repository correctly, you’ll need to re-trigger Greenkeeper’s initial pull request. To do this, please click the 'fix repo' button on account.greenkeeper.io.
A querystring parser that supports nesting and arrays, with a depth limit
path: /tmp/git/blog/node_modules/qs/package.json
Library home page: https://registry.npmjs.org/qs/-/qs-6.2.3.tgz
Dependency Hierarchy:
the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
Publish Date: 2017-07-17
URL: CVE-2017-1000048
Base Score Metrics:
Type: Change files
Origin: ljharb/qs@c709f6e
Release Date: 2017-03-06
Fix Resolution: Replace or update the following files: parse.js, parse.js, utils.js
🌈 Node.js bindings to libsass
Library home page: https://github.com/sass/node-sass.git
* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.
An issue was discovered in LibSass through 3.5.2. A NULL pointer dereference was found in the function Sass::Expand::operator which could be leveraged by an attacker to cause a denial of service (application crash) or possibly have unspecified other impact.
Publish Date: 2018-06-04
URL: CVE-2018-11695
Base Score Metrics:
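I tinkered with my router over the weekend and took many detours. Recording it here.
The main reason, really, was that I did not bring my computer home for the weekend, and the ancient machine I dug out was just too slow
First, the operating system: any Linux machine will do. I do not know whether Ubuntu on Windows 10 would work, or even cygwin; if you already have an environment, there is no need to download a virtual machine as the online tutorials tell you to. At first I did not know this and **** downloaded a Russian-language Debian, which burned me badly. I also did not know that export LANG would make the script switch to another language, so I stared at a Russian interface for a very long time...
The script: just curl/wget one of the two scripts at http://pm.freize.net/script/ . Most online tutorials tell you to download start-99.sh; I actually used start-100.sh. On a rough comparison, the main difference is the git repository. Also, the script contains a lot of useless code, and you can delete some of it before running. Basically, lines 33-80 of start-100.sh are of little use
Next, getting ssh: the root password requested from the Xiaomi website is enough. The tutorials insist that you flash an older firmware version; if you already have the root password, that is a complete waste of time.
Compiling the toolchain: I did compile it at the time, so I am not sure. It may not be needed either
Compiling the firmware: DON'T. Compiling it is a waste of time too, because in the end you will still flash the hiboyhiboy version. Go straight to http://opt.cn2qq.com/ and download a ready-made trx file into the trx_archive folder in the directory where start.sh lives. I do not know why nobody mentions this folder's name; the code is at around line 2176 of update/start.sh. If the old machine I was using had not been so slow, I would have read the source code and found it; I wasted a lot of time. I looked at the build script and assumed it was (git-repo)/trunk/images/, so I downloaded the file into that folder. The script even showed that it had recognized the file, but it just would not flash.
Then the flashing itself: just flash directly without compiling; under firmware, pick a firmware from the archive.
One more thing: my reboot failed, and holding reset and rebooting again seemed to work. Also, the new router IP that the flashing script reports may be wrong. The default IP of the hiboyhiboy version is 192.168.123.1. The node name is also PDCN rather than the ASUS shown in the script
This is purely a memo and a rant, not a tutorial
2019.3.26 update
Looking at the content, I found it was so long ago that I have forgotten a good deal. Recalling the steps: understanding what follows takes a little Linux knowledge; if you do not understand something, search for it yourself. If you have enough knowledge, I suggest reading the source code when you run into problems, which is faster than looking for tutorials
wget http://pm.freize.net/script/start-100.sh
Then press ctrl+c to exit
Find a suitable trx at http://opt.cn2qq.com/padavan/
cd trx_archive # not sure whether it exists by default; if not, mkdir trx_archive yourself
wget http://opt.cn2qq.com/padavan/[the trx you need].trx
cd ..
./start.sh
Then choose "4") find-firmware (I found this in the source code; after so long I certainly do not remember the menu), and you can select the trx file you downloaded and continue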
Brace expansion as known from sh/bash
path: /tmp/git/blog/node_modules/lodash-cli/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/package.json
Library home page: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.6.tgz
Dependency Hierarchy:
Brace-expansion is a module to support bash-like brace expansion in JavaScript.
For example,{1,2,3,4} would expand to 1 2 3 4. brace expansion versions before 1.1.7 are vulnerable to Regular Expression Denial of Service attacks.
Publish Date: 2017-04-25
URL: WS-2017-0206
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/338
Release Date: 2017-01-31
Fix Resolution: 1.1.7
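A few days ago I wanted to write a regular expression to match colors; only when I started writing did I realize how long this regex would be
First, let's look at how colors are defined in CSS
Reference: https://developer.mozilla.org/en-US/docs/Web/CSS/color_value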
black, silver, gray, white, maroon, red, purple, fuchsia, green, lime, olive, yellow, navy, blue, teal, aqua
orange
aliceblue, antiquewhite, aquamarine, azure, beige, bisque, blanchedalmond, blueviolet, brown, burlywood, cadetblue, chartreuse, chocolate, coral, cornflowerblue, cornsilk, crimson, cyan, darkblue, darkcyan, darkgoldenrod, darkgray, darkgreen, darkgrey, darkkhaki, darkmagenta, darkolivegreen, darkorange, darkorchid, darkred, darksalmon, darkseagreen, darkslateblue, darkslategray, darkslategrey, darkturquoise, darkviolet, deeppink, deepskyblue, dimgray, dimgrey, dodgerblue, firebrick, floralwhite, forestgreen, gainsboro, ghostwhite, gold, goldenrod, greenyellow, grey, honeydew, hotpink, indianred, indigo, ivory, khaki, lavender, lavenderblush, lawngreen, lemonchiffon, lightblue, lightcoral, lightcyan, lightgoldenrodyellow, lightgray, lightgreen, lightgrey, lightpink, lightsalmon, lightseagreen, lightskyblue, lightslategray, lightslategrey, lightsteelblue, lightyellow, limegreen, linen, magenta, mediumaquamarine, mediumblue, mediumorchid, mediumpurple, mediumseagreen, mediumslateblue, mediumspringgreen, mediumturquoise, mediumvioletred, midnightblue, mintcream, mistyrose, moccasin, navajowhite, oldlace, olivedrab, orangered, orchid, palegoldenrod, palegreen, paleturquoise, palevioletred, papayawhip, peachpuff, peru, pink, plum, powderblue, rosybrown, royalblue, saddlebrown, salmon, sandybrown, seagreen, seashell, sienna, skyblue, slateblue, slategray, slategrey, snow, springgreen, steelblue, tan, thistle, tomato, turquoise, violet, wheat, whitesmoke, yellowgreen
rebeccapurple
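transparent and currentColor
Starting with #, there are 4 possible lengths: 3, 4, 6 and 8
We usually use rgb(255, 255, 255) or rgba(0, 0, 0, 0)
But percentages are actually allowed too, and even floating-point numbers; the commas in the argument list can even be omitted,
We usually use hsl(0, 100%, 50%) or hsl(0, 100%, 50%, 1); like rgb, this function also has a great many formats
Let's try writing this regex, sorting out the approach first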
// Keywords: simple, just list them
var keywords = 'black|silver|...'
// Hexadecimal: also simple, just list all 4 lengths
var hex = '#(?:[0-9a-f]{3}|[0-9a-f]{4}|[0-9a-f]{6}|[0-9a-f]{8})'
// rgb: I only consider the common form here; the others are too complex, rarely used, and not well supported
var rgb = 'rgb\\(\\s*\\d+\\s*,\\s*\\d+\\s*,\\s*\\d+\\s*\\)'
// "rgb" followed by a pair of parentheses containing 3 integers, with whitespace allowed
// rgba, hsl and hsla that follow are similar, so I defined a function to generate them
function getFunctionalStringRe(func, args) {
  return func + '\\(' + args.map(function(arg) {
    return '\\s*' + arg + '\\s*'
  }).join(',') + '\\)'
}
var rgb = getFunctionalStringRe('rgb', ['\\d+', '\\d+', '\\d+'])
var rgba = getFunctionalStringRe('rgba', ['\\d+', '\\d+', '\\d+', '[.\\d]+'])
var hsl = getFunctionalStringRe('hsl', ['\\d+', '[.\\d]+%', '[.\\d]+%'])
var hsla = getFunctionalStringRe('hsla', ['\\d+', '[.\\d]+%', '[.\\d]+%', '[.\\d]+'])
// Finally, combine them all
var str = '^' +
  '(?:' + [keywords, hex, rgb, rgba, hsl, hsla].join('|') + ')'
  + '$'
var re = new RegExp(str, 'i')
Full code
const colorRe = (function() {
function getFunctionalStringRe(func, args) {
return func + '\\(' + args.map(function(arg) {
return '\\s*' + arg + '\\s*'
}).join(',') + '\\)'
}
const keywords = 'black|silver|gray|white|maroon|red|purple|fuchsia|green|lime|olive|yellow|navy|blue|teal|aqua|orange|aliceblue|antiquewhite|aquamarine|azure|beige|bisque|blanchedalmond|blueviolet|brown|burlywood|cadetblue|chartreuse|chocolate|coral|cornflowerblue|cornsilk|crimson|cyan|darkblue|darkcyan|darkgoldenrod|darkgray|darkgreen|darkgrey|darkkhaki|darkmagenta|darkolivegreen|darkorange|darkorchid|darkred|darksalmon|darkseagreen|darkslateblue|darkslategray|darkslategrey|darkturquoise|darkviolet|deeppink|deepskyblue|dimgray|dimgrey|dodgerblue|firebrick|floralwhite|forestgreen|gainsboro|ghostwhite|gold|goldenrod|greenyellow|grey|honeydew|hotpink|indianred|indigo|ivory|khaki|lavender|lavenderblush|lawngreen|lemonchiffon|lightblue|lightcoral|lightcyan|lightgoldenrodyellow|lightgray|lightgreen|lightgrey|lightpink|lightsalmon|lightseagreen|lightskyblue|lightslategray|lightslategrey|lightsteelblue|lightyellow|limegreen|linen|magenta|mediumaquamarine|mediumblue|mediumorchid|mediumpurple|mediumseagreen|mediumslateblue|mediumspringgreen|mediumturquoise|mediumvioletred|midnightblue|mintcream|mistyrose|moccasin|navajowhite|oldlace|olivedrab|orangered|orchid|palegoldenrod|palegreen|paleturquoise|palevioletred|papayawhip|peachpuff|peru|pink|plum|powderblue|rosybrown|royalblue|saddlebrown|salmon|sandybrown|seagreen|seashell|sienna|skyblue|slateblue|slategray|slategrey|snow|springgreen|steelblue|tan|thistle|tomato|turquoise|violet|wheat|whitesmoke|yellowgreen|rebeccapurple|transparent|currentColor'
const hex = '#(?:[0-9a-f]{3}|[0-9a-f]{4}|[0-9a-f]{6}|[0-9a-f]{8})'
const rgb = getFunctionalStringRe('rgb', ['\\d+', '\\d+', '\\d+'])
const rgba = getFunctionalStringRe('rgba', ['\\d+', '\\d+', '\\d+', '[.\\d]+'])
const hsl = getFunctionalStringRe('hsl', ['\\d+', '[.\\d]+%', '[.\\d]+%'])
const hsla = getFunctionalStringRe('hsla', ['\\d+', '[.\\d]+%', '[.\\d]+%', '[.\\d]+'])
return new RegExp('^' +
'(?:' + [keywords, hex, rgb, rgba, hsl, hsla].join('|') + ')'
+ '$', 'i')
})()
console.log(colorRe)
Even without the keywords, it is still more than 200 characters, which makes it a fairly complex regex.
http://fiddle.jshell.net/fisker/bpqa4trc/14/show/light
As the comments in the code say, many valid color values are still not accepted; it can be improved further