From d8bc3fd8e689817f45b4244969fa63a8e7196bee Mon Sep 17 00:00:00 2001
From: OpenClaw
Date: Sat, 14 Feb 2026 15:34:21 +0000
Subject: [PATCH] fix: BUG-009 setTimeout syntax, BUG-010 CORS helmet policy, BUG-011 content-type validation
---
 public/app.js | 2 +-
 src/index.ts | 2 +-
 src/routes/convert.ts | 6 ++++++
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/public/app.js b/public/app.js
index 4040a43..ada81b1 100644
--- a/public/app.js
+++ b/public/app.js
@@ -67,7 +67,7 @@ function copyKey() {
 var key = document.getElementById('apiKeyDisplay').textContent;
 navigator.clipboard.writeText(key).then(function() {
 var btn = document.getElementById('apiKeyDisplay');
 var origText = btn.textContent;
 btn.textContent = 'Copied!';
 document.querySelector('.copy-hint').textContent = '✓ Copied!';
- setTimeout(function() { btn.textContent = origText; document.querySelector('.copy-hint').textContent = 'Click to copy';
+ setTimeout(function() { btn.textContent = origText; document.querySelector('.copy-hint').textContent = 'Click to copy'; }, 2000);
 });
 }
diff --git a/src/index.ts b/src/index.ts
index 7eec571..67991c2 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -20,7 +20,7 @@ const PORT = parseInt(process.env.PORT || "3100", 10);
 // Load API keys from persistent store
 loadKeys();
-app.use(helmet());
+app.use(helmet({ crossOriginResourcePolicy: { policy: "cross-origin" } }));
 // CORS — allow browser requests from the landing page
 app.use((req, res, next) => {
diff --git a/src/routes/convert.ts b/src/routes/convert.ts
index d546a3a..0ec69e1 100644
--- a/src/routes/convert.ts
+++ b/src/routes/convert.ts
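Review bot: The `.then` callback around the repaired `setTimeout` line still has no rejection handler, so when `navigator.clipboard.writeText(key)` rejects (for example outside a secure context or while the document lacks focus) the user sees no feedback and the failure surfaces only as an unhandled promise rejection. Adding `.catch(function() { document.querySelector('.copy-hint').textContent = 'Copy failed'; })` after the `.then(...)` would close that gap. The repeated `document.querySelector('.copy-hint')` lookups, including the one inside the timer on the new line, also assume the element exists; caching it once in a local at the top of `copyKey` avoids a throw inside the timer if the markup changes. The opening line of `copyKey` is outside the hunk.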
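Review bot: The relaxed `crossOriginResourcePolicy` on the new `app.use(helmet(...))` line applies to every response the server emits, including the `/v1/convert` API routes, not only the assets the landing page embeds. CORP governs no-cors resource loads (scripts, images, iframes); a landing page that calls the API with `fetch` is admitted by the CORS middleware that follows, so the global CORP change is presumably broader than the fix needs. Consider keeping `helmet()` with defaults globally and mounting `helmet({ crossOriginResourcePolicy: { policy: "cross-origin" } })` only on the path that serves the static assets, with a comment such as `// CORP relaxed here so the landing page on its own origin can embed these assets`. Whether the landing page is served from a different origin is not visible in the hunk.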
@@ -18,6 +18,12 @@ interface ConvertBody {
 // POST /v1/convert/html
 convertRouter.post("/html", async (req: Request, res: Response) => {
 try {
+ // Reject non-JSON content types
+ const ct = req.headers["content-type"] || "";
+ if (!ct.includes("application/json")) {
+ res.status(415).json({ error: "Unsupported Content-Type. Use application/json." });
+ return;
+ }
 const body: ConvertBody = typeof req.body === "string" ? { html: req.body } : req.body;
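Review bot: The new Content-Type guard is a case-sensitive substring match, so a valid `Application/JSON` header is rejected (media types are case-insensitive) while any header that merely contains the text, such as `text/plain; x=application/json`, is accepted. Express already provides a proper media-type check: replace the two added lines `const ct = req.headers["content-type"] || "";` and `if (!ct.includes("application/json")) {` with `if (!req.is("application/json")) {`, which handles parameters like `; charset=utf-8` correctly and returns `null` for a bodyless request so that case is rejected as well. Presumably the body parser runs as middleware before this handler, in which case the guard executes after the body has already been read; if the intent is to refuse non-JSON bodies before parsing, the check belongs in middleware mounted ahead of the parser, which is not visible here. The route handler's body continues past the hunk.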