Skip to content

WARNING! Don't merge is just for test (new embedeable version) #18

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
erseco wants to merge 32 commits into
base: main
Choose a base branch
from
Open

WARNING! Don't merge is just for test (new embedeable version) #18

erseco wants to merge 32 commits into from

Conversation

@erseco
Copy link

@erseco erseco commented Jan 11, 2026

No description provided.

erseco and others added 29 commits January 8, 2026 20:37
@erseco
add index
711063c
@erseco
Merge branch 'main' of github.com:exelearning/exelearning into 918-li…
4917694 
…nk-to-elpx-is-not-working
@erseco
Add files to allow merge
cb3a92e
@erseco
Add files to allow merge
d4e340e
@erseco
Fix elp: links, user themes, themes css and idevice css issues
e5c4539
@erseco
First approach for embeddable version
98bd924
@erseco
First approach for embeddable version
619f7bc
@erseco
First approach for embeddable version
4e6f274
@erseco
First approach for embeddable version
634348b
@erseco
First approach for embeddable version
09dfd28
@erseco
First approach for embeddable version
fe5ffbf
@erseco
First approach for embeddable version
b574d13
@erseco
First approach for embeddable version
3c3fd69
@erseco
First approach for embeddable version
5796779
@erseco
First approach for embeddable version
6fe99ad
@erseco
First approach for embeddable version
f28daa3
@erseco
First approach for embeddable version
ece2fc4
@erseco
First approach for embeddable version
672a5ed
@erseco
First approach for embeddable version
fde702e
@erseco
First approach for embeddable version
99400b3
@erseco
First approach for embeddable version
d16d9d5
@erseco
First approach for embeddable version
606d74e
@erseco
First approach for embeddable version
c1af3fc
@erseco @claude
Merge branch '918-link-to-elpx-is-not-working' into release/3.1-embed…
f47cfb8 
…able-version-refactor

Integrates user theme management changes (CSS/JS handling for ELPX-imported themes)
with static mode refactoring (subdirectory deployment support).

Key changes merged:
- User theme CSS/JS inline loading for preview
- Static mode path handling for blob URL contexts
- ResourceFetcher user theme methods (setUserThemeFiles, getUserTheme, getUserThemeAsync)
- Static mode bundle URL generation

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@erseco
Increase coverage
5bd4afe
@erseco
Merge remote-tracking branch 'origin/918-link-to-elpx-is-not-working'…
29ca805 
… into release/3.1-embedable-version-refactor
@erseco
Increase coverage
4651f95
@erseco
Merge remote-tracking branch 'origin/918-link-to-elpx-is-not-working'…
a0f56a9 
… into release/3.1-embedable-version-refactor
@erseco
Unified embed and online version
ec576e4
@github-actions
Copy link

github-actions bot commented Jan 11, 2026
edited
Loading

PR Preview Action v1.8.0

QR code for preview link

🚀 View preview at
https://ateeducacion.github.io/exelearning/pr-preview/pr-18/

Built to branch gh-pages at 2026-01-11 22:22 UTC.
Preview will be ready when the GitHub Pages deployment is complete.

chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Jan 11, 2026
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ec576e4a31

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

main.js
Comment on lines +490 to +493
// Security: ensure the path is within staticDir
const normalizedPath = path.normalize(fullPath);
if (!normalizedPath.startsWith(staticDir)) {
return new Response('Forbidden', { status: 403 });
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot Jan 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Harden exe:// path containment check

The containment check normalizedPath.startsWith(staticDir) is a string-prefix test, so a crafted request like exe://../static-assets/secret normalizes to a sibling directory whose path still starts with the static prefix (e.g., /resources/static-assets/...) and will be served by net.fetch. This means any rendered content that can issue exe:// requests (user HTML, previews, etc.) can read files outside the intended static directory if a sibling directory shares the prefix. Use a path-based check such as path.relative(staticDir, normalizedPath) and ensure it doesn’t start with .. (or compare against staticDir + path.sep) to enforce true containment.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@erseco