
Commit adddd5a

committed
fix(devtools): don't warn about devtool props
1 parent 29b68f1 commit adddd5a


2 files changed

+28
-2
lines changed


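--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,29 @@
 # Changelog
 
 
+## v6.2.4...main
+
+[compare changes](https://github.com/nuxt-modules/og-image/compare/v6.2.4...main)
+
+### 🩹 Fixes
+
+- Hydration-issue warning due to SSR generated DateTime value ([#535](https://github.com/nuxt-modules/og-image/pull/535))
+- Sanitize component props ([#543](https://github.com/nuxt-modules/og-image/pull/543))
+- Harden security defaults ([#540](https://github.com/nuxt-modules/og-image/pull/540))
+- Whitelist component props to prevent cache key DoS ([#544](https://github.com/nuxt-modules/og-image/pull/544))
+
+### 🏡 Chore
+
+- Bump deps ([a8a65b66](https://github.com/nuxt-modules/og-image/commit/a8a65b66))
+- Bump deps ([bcad7915](https://github.com/nuxt-modules/og-image/commit/bcad7915))
+- Artifact ([284540a7](https://github.com/nuxt-modules/og-image/commit/284540a7))
+- Sync ([e7deb1f7](https://github.com/nuxt-modules/og-image/commit/e7deb1f7))
+
+### ❤️ Contributors
+
+- Harlan Wilton ([@harlan-zw](https://github.com/harlan-zw))
+- Loïs Bégué ([@khatastroffik](https://github.com/khatastroffik))
+
 ## v6.2.2...main
 
 [compare changes](https://github.com/nuxt-modules/og-image/compare/v6.2.2...main)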

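--- a/src/runtime/server/og-image/context.ts
+++ b/src/runtime/server/og-image/context.ts
@@ -174,16 +174,19 @@ export async function resolveContext(e: H3Event): Promise<H3Error | OgImageRende
 // Whitelist props: only allow props declared in the component's defineProps.
 // Components without defineProps accept no props. Prevents cache key inflation
 // from arbitrary query params (DoS vector).
+// colorMode and timestamp are always allowed: colorMode is used by the renderer
+// (styleDirectives, html template) and timestamp is a devtools cache-buster.
 if (normalised.component && normalised.options.props && typeof normalised.options.props === 'object') {
+const builtinProps = new Set(['colorMode', 'timestamp'])
 const allowedProps = normalised.component.propNames || []
 const allowedSet = new Set(allowedProps)
 const raw = normalised.options.props as Record<string, any>
 const filtered: Record<string, any> = {}
 for (const key of Object.keys(raw)) {
-if (allowedSet.has(key))
+if (allowedSet.has(key) || builtinProps.has(key))
 filtered[key] = raw[key]
 else if (import.meta.dev)
-logger.warn(`[Nuxt OG Image] Prop "${key}" is not declared by component "${normalised.component.pascalName}" and was dropped. Declared props: ${allowedProps.join(', ')}`)
+logger.warn(`[Nuxt OG Image] Prop "${key}" is not declared by component "${normalised.component.pascalName}". Declared props: ${allowedProps.join(', ')}`)
 }
 normalised.options.props = filtered
 }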
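Review bot: `timestamp` is admitted by `builtinProps` on every request, not only in dev, although the new comment describes it as a devtools cache-buster. If the cache key is derived from `normalised.options.props` (the derivation is not visible in this hunk), each distinct `timestamp` value would yield a distinct key, which is the cache key inflation this whitelist exists to prevent. Consider gating it on the dev flag already used a few lines below, `const builtinProps = new Set(import.meta.dev ? ['colorMode', 'timestamp'] : ['colorMode'])`, or excluding `timestamp` from the key computation. `colorMode` also passes through with an unvalidated value, so restricting it to the values the renderer accepts would keep the key space finite. `resolveContext` starts and ends outside this hunk, so how the filtered props feed the cache key should be confirmed there.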
