Security hardening:
- Validate repo format with strict regex (reject .. traversal)
- Validate filename rejects path separators and ..
- Validate relative_path rejects absolute paths and ..
- Verify model_root is within configured scanner roots using
realpath + os.sep guard to prevent prefix-match bypass
- Add realpath-based escape detection for final dest_path
Bug fixes:
- Fix WebSocket leak in _downloadHfSingle: wrap ws.close() in
try/finally so it closes even if downloadHfModel() throws
- Same fix for batch HF download per-file WebSocket loop
Frontend hardening:
- Tighten HF repo regex: require huggingface.co for full URLs,
reject bare .. patterns
- Add 12 unit tests for detectUrlType() covering HF resolve,
HF repo, CivitAI, CivArchive, direct HTTP, edge cases
- Update CSP whitelist to use wildcard *.civitai.com for all CDN subdomains
- Fix hostname parsing to use parsed.hostname instead of parsed.netloc (handles ports)
- Update rewrite_preview_url() to support all CivitAI CDN subdomains
- Update rewriteCivitaiUrl() frontend function to support subdomains
- Add comprehensive tests for edge cases (ports, subdomains, invalid URLs)
- Add security note explaining wildcard CSP design decision
Fixes CSP blocking of images from image-b2.civitai.com and other CDN subdomains
Add new setting 'mature_blur_level' with options PG13/R/X/XXX to control
which NSFW rating level triggers blur filtering when NSFW blur is enabled.
- Backend: update preview selection logic to respect threshold
- Frontend: update UI components to use configurable threshold
- Settings: add validation and normalization for mature_blur_level
- Tests: add coverage for new threshold behavior
- Translations: add keys for all supported languages
Fixes#867
- Add CivitAI URL utility with optimization strategies for showcase and thumbnail modes
- Replace /original=true with /optimized=true for showcase videos to reduce bandwidth
- Remove redundant crossorigin and referrerpolicy attributes from video elements
- Use media type detection to apply appropriate optimization (image vs video)
- Integrate URL optimization into showcase rendering for improved loading times
- Pass modelType parameter to setupTagEditMode function
- Implement model type aware priority tag suggestions
- Add model type normalization and resolution logic
- Handle suggestion state reset when model type changes
- Maintain backward compatibility with existing functionality
The changes enable context-aware tag suggestions based on model type, improving tag relevance and user experience when editing tags for different model types.