From 78fc607cca86f2803c4d9aff809b77cfd34ee98a Mon Sep 17 00:00:00 2001 From: btea <2356281422@qq.com> Date: Thu, 4 Jun 2026 22:43:20 +0800 Subject: [PATCH] fix: arrows are allowed as the label value parameter --- server/api/registry/badge/[type]/[...pkg].get.ts | 3 ++- test/e2e/badge.spec.ts | 11 +++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/server/api/registry/badge/[type]/[...pkg].get.ts b/server/api/registry/badge/[type]/[...pkg].get.ts index f9c0836807..1466efa828 100644 --- a/server/api/registry/badge/[type]/[...pkg].get.ts +++ b/server/api/registry/badge/[type]/[...pkg].get.ts @@ -13,7 +13,8 @@ const NPM_DOWNLOADS_API = 'https://api.npmjs.org/downloads/point' const OSV_QUERY_API = 'https://api.osv.dev/v1/query' const BUNDLEPHOBIA_API = 'https://bundlephobia.com/api/size' -const SafeStringSchema = v.pipe(v.string(), v.regex(/^[^<>"&]*$/, 'Invalid characters')) +// Allow semver range operators like >= and <= while still rejecting quotes and ampersands. +const SafeStringSchema = v.pipe(v.string(), v.regex(/^[^"&]*$/, 'Invalid characters')) const SafeColorSchema = v.pipe( v.string(), v.transform(value => (value.startsWith('#') ? value : `#${value}`)), diff --git a/test/e2e/badge.spec.ts b/test/e2e/badge.spec.ts index 522e6bec61..bc07b9a8e2 100644 --- a/test/e2e/badge.spec.ts +++ b/test/e2e/badge.spec.ts @@ -188,6 +188,17 @@ test.describe('badge API', () => { expect(body).toContain(customValue) }) + test('custom value parameter supports semver range operators', async ({ page, baseURL }) => { + const customValue = '>=22.13.0' + const url = toLocalUrl( + baseURL, + `/api/registry/badge/engines/nuxt?value=${encodeURIComponent(customValue)}`, + ) + const { body } = await fetchBadge(page, url) + + expect(body).toContain(customValue) + }) + test('style=default keeps current badge renderer', async ({ page, baseURL }) => { const url = toLocalUrl(baseURL, '/api/registry/badge/version/nuxt?style=default') const { body } = await fetchBadge(page, url)