meno-core 1.1.2 → 1.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -13,7 +13,7 @@ import {
13
13
  resolveLinkMapping,
14
14
  resolveStyleMapping,
15
15
  skipEmptyTemplateAttributes
16
- } from "../../chunks/chunk-7ZLF4NE5.js";
16
+ } from "../../chunks/chunk-3JXK2QFU.js";
17
17
  import {
18
18
  filterCSSProperties
19
19
  } from "../../chunks/chunk-XTKNX4FW.js";
@@ -72,7 +72,7 @@ import {
72
72
  sortClassesByPropertyOrder,
73
73
  toFriendlyError,
74
74
  validatePageData
75
- } from "../../chunks/chunk-J4IPTP5X.js";
75
+ } from "../../chunks/chunk-LOZL5HOF.js";
76
76
  import {
77
77
  DEFAULT_I18N_CONFIG,
78
78
  isI18nValue,
@@ -33,7 +33,7 @@ import {
33
33
  processStructure,
34
34
  resolveHtmlMapping,
35
35
  skipEmptyTemplateAttributes
36
- } from "../../chunks/chunk-7ZLF4NE5.js";
36
+ } from "../../chunks/chunk-3JXK2QFU.js";
37
37
  import {
38
38
  DEFAULT_BREAKPOINTS,
39
39
  DEFAULT_FLUID_RANGE,
@@ -92,7 +92,7 @@ import {
92
92
  validateCMSDraftItem,
93
93
  validateCMSItem,
94
94
  validateComponentDefinition
95
- } from "../../chunks/chunk-J4IPTP5X.js";
95
+ } from "../../chunks/chunk-LOZL5HOF.js";
96
96
  import {
97
97
  DEFAULT_I18N_CONFIG,
98
98
  buildLocalizedPath,
@@ -284,7 +284,7 @@ init_constants();
284
284
  // lib/server/middleware/cors.ts
285
285
  var DEFAULT_OPTIONS = {
286
286
  origin: "*",
287
- methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
287
+ methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
288
288
  allowedHeaders: ["Content-Type", "Authorization"],
289
289
  credentials: false
290
290
  };
@@ -2950,7 +2950,7 @@ async function handleFunctionsRoute(req, url) {
2950
2950
  const response = await handler(context);
2951
2951
  const headers = new Headers(response.headers);
2952
2952
  headers.set("Access-Control-Allow-Origin", "*");
2953
- headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
2953
+ headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS");
2954
2954
  headers.set("Access-Control-Allow-Headers", "Content-Type");
2955
2955
  return new Response(response.body, {
2956
2956
  status: response.status,
@@ -2976,7 +2976,7 @@ function handleFunctionsPreflight(req, url) {
2976
2976
  status: 204,
2977
2977
  headers: {
2978
2978
  "Access-Control-Allow-Origin": "*",
2979
- "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
2979
+ "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS",
2980
2980
  "Access-Control-Allow-Headers": "Content-Type",
2981
2981
  "Access-Control-Max-Age": "86400"
2982
2982
  }
@@ -5279,7 +5279,23 @@ var formHandlerScript = `
5279
5279
  // Find all forms with fetch handler
5280
5280
  const forms = document.querySelectorAll('form[data-submit-handler="fetch"]');
5281
5281
 
5282
+ // Spam protection (server-enforced at /api/send-email): inject a hidden honeypot
5283
+ // field bots fill but humans never see, and stamp a clock-skew-free dwell time on
5284
+ // submit. Fields named with a leading "_" are control/meta and are not emailed.
5285
+ const loadedAt = Date.now();
5286
+
5282
5287
  forms.forEach(function(form) {
5288
+ if (!form.querySelector('input[name="_honey"]')) {
5289
+ const hp = document.createElement('input');
5290
+ hp.type = 'text';
5291
+ hp.name = '_honey';
5292
+ hp.tabIndex = -1;
5293
+ hp.setAttribute('autocomplete', 'off');
5294
+ hp.setAttribute('aria-hidden', 'true');
5295
+ hp.style.cssText = 'position:absolute;left:-9999px;width:1px;height:1px;opacity:0';
5296
+ form.appendChild(hp);
5297
+ }
5298
+
5283
5299
  form.addEventListener('submit', async function(e) {
5284
5300
  e.preventDefault();
5285
5301
 
@@ -5314,6 +5330,7 @@ var formHandlerScript = `
5314
5330
 
5315
5331
  try {
5316
5332
  const formData = new FormData(form);
5333
+ formData.append('_elapsed', String(Date.now() - loadedAt));
5317
5334
 
5318
5335
  const response = await fetch(action, {
5319
5336
  method: method.toUpperCase(),