Introduce an ImageEnlarger utility: add a toggle option to the feature list and implement a modal image viewer with CSS, toolbar (zoom in/out, reset, save), keyboard shortcuts, and click-to-open behavior. Images are annotated with a preview class and the feature ignores gravatar/cravatar sources; it applies to existing and dynamically added images via a MutationObserver. Errors are logged and surface a DebugMode alert when enabled.
…rc, and MutationObserver performance
Co-authored-by: PythonSmall-Q <106425289+PythonSmall-Q@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Shan Wenxiao <seanoj_noreply@yeah.net>
Fix ImageEnlarger: accessibility, modal re-entry, responsive images, MutationObserver perf
Co-authored-by: PythonSmall-Q <106425289+PythonSmall-Q@users.noreply.github.com>
Fix image viewer: broken pan, missing wheel zoom, download navigates instead of saving
Add ImageEnlarger feature with modal viewer
* Update Update.json
  Signed-off-by: Zhu Chenrui <boomzero_zcr@outlook.com>
* Parse release notes from comment block
  (cherry picked from commit c7137ff)
* Update bug.yml
  Signed-off-by: Zhu Chenrui <boomzero_zcr@outlook.com>
  (cherry picked from commit 07d7590)
  Update feature.yml
  Signed-off-by: Zhu Chenrui <boomzero_zcr@outlook.com>
  (cherry picked from commit 1a99430)
  Update docs.yml
  Signed-off-by: Zhu Chenrui <boomzero_zcr@outlook.com>
  (cherry picked from commit 6017bcf)
* Update GitHub Actions workflow to skip bot triggers
  Signed-off-by: Shan Wenxiao <seanoj_noreply@yeah.net>
* Prevent UpdateVersion from running if last commit was by github-actions[bot]
  This prevents infinite loops where the bot commits version updates, which triggers the workflow again, causing another commit.
  Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* Allow metadata updates on edited PRs after bot version commit
  The last-commit-author guard now only exits for non-edited events, so PR title/body changes still update Update.json metadata even when the branch tip is a github-actions[bot] commit.
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Allow metadata updates on edited PRs after bot version commit
  Exclude all bot actors (not just github-actions[bot]) from triggering the UpdateVersion workflow, preventing loops from AI code review bots. Allow edited events through the script-level guard so PR title/body changes still update Update.json metadata.
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Fix Problem Switcher Not Update
* Fix Problem Switcher Not Update
* 3.3.2
* Update version info to 3.3.2
* Fix Version List (1.999999.0 -> 1.10.0)
  Signed-off-by: zsTree <wa2025666@gmail.com>
* Update time and description of 3.3.2
* Fix Problem Switcher Null Problem
  Signed-off-by: zsTree <wa2025666@gmail.com>
* Update time and description of 3.3.2
* Fix XSS bug
  Signed-off-by: zsTree <wa2025666@gmail.com>
* Update time and description of 3.3.2
---------
Signed-off-by: Zhu Chenrui <boomzero_zcr@outlook.com>
Signed-off-by: Shan Wenxiao <seanoj_noreply@yeah.net>
Signed-off-by: zsTree <wa2025666@gmail.com>
Co-authored-by: Zhu Chenrui <boomzero_zcr@outlook.com>
Co-authored-by: Shan Wenxiao <seanoj_noreply@yeah.net>
Co-authored-by: boomzero <thomas_rainbowfish@icloud.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Signed-off-by: zsTree <wa2025666@gmail.com>
…tent Display status.php Query Content
Fixes #932. Header black/white forcing and inline style clearing on contestrank-oi.php and contestrank-correct.php now only apply when MonochromeUI is enabled. Badge ranks, color-coded cells, and auto-refresh remain unconditional as part of the base UI. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…me-gate fix: gate MonochromeUI-specific styling in contestrank pages behind flag
Reviewer's Guide
Removes the problem translate buttons to fix title centering, refactors contest problem list retrieval with a refreshable problem switcher, adds an image enlargement feature, improves status filter state handling, and gates ranklist monochrome styling behind the Monochrome UI setting while bumping script versions.
Sequence diagram for refreshed contest problem list and problem switcher
sequenceDiagram
participant User
participant Browser
participant XMOJScript
participant XMOJServer
participant LocalStorage
Note over Browser,XMOJScript: First visit to contest problem page
XMOJScript->>LocalStorage: getItem(UserScript-Contest-cid-ProblemList)
alt ProblemList_missing
XMOJScript->>XMOJServer: GET /contest.php?cid=cid (via GetContestProblemList)
XMOJServer-->>XMOJScript: HTML problemset table
XMOJScript->>XMOJScript: Parse DOM and build problemList array
XMOJScript->>LocalStorage: setItem(UserScript-Contest-cid-ProblemList, JSON)
end
XMOJScript->>Browser: Render problemSwitcher with problem buttons
Note over User,Browser: User clicks refresh link in problem switcher
User->>Browser: Click refreshList link
Browser->>XMOJScript: Call GetContestProblemList(true)
XMOJScript->>XMOJServer: GET /contest.php?cid=cid
XMOJServer-->>XMOJScript: HTML updated problemset table
XMOJScript->>XMOJScript: Parse rows to updated problemList
XMOJScript->>LocalStorage: setItem(UserScript-Contest-cid-ProblemList, JSON)
XMOJScript->>Browser: location.reload() to rebuild switcher from cache
Sequence diagram for new image enlargement feature
sequenceDiagram
participant User
participant Browser
participant XMOJScript
participant GM_xmlhttpRequest
Note over Browser,XMOJScript: Page load
XMOJScript->>Browser: Inject EnlargerStyle CSS
XMOJScript->>Browser: Create hidden xmoj-image-modal and toolbar
XMOJScript->>Browser: Scan all img elements
XMOJScript->>Browser: Add xmoj-image-preview class and click handlers
Note over User,Browser: Open image viewer
User->>Browser: Click xmoj-image-preview image
Browser->>XMOJScript: Image click handler
XMOJScript->>Browser: Collect all xmoj-image-preview sources
XMOJScript->>Browser: Set modal image src and show modal
Note over User,Browser: Navigate and zoom
User->>Browser: Click next or prev buttons
Browser->>XMOJScript: Nav button handler
XMOJScript->>Browser: Update CurrentImageIndex and modal image src
User->>Browser: Use wheel or zoom buttons
Browser->>XMOJScript: Zoom handler
XMOJScript->>Browser: Apply transform translate(x,y) scale(zoom)
Note over User,GM_xmlhttpRequest: Save current image
User->>Browser: Click Save button
Browser->>XMOJScript: Save handler
XMOJScript->>GM_xmlhttpRequest: GET current image URL as blob
GM_xmlhttpRequest-->>XMOJScript: Blob response
XMOJScript->>Browser: Create object URL and temporary download link
Browser->>User: Trigger file download
Note over User,Browser: Close viewer
User->>Browser: Click close button or background or press Escape
Browser->>XMOJScript: Close handler
XMOJScript->>Browser: Remove show class to hide modal
It seems this was submitted to master again (
Hey - I've found 3 security issues, 1 other issue, and left some high level feedback:
Security issues:
- User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities (link)
- User controlled data in a `problemSwitcher.innerHTML` is an anti-pattern that can lead to XSS vulnerabilities (link)
- User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities (link)
General comments:
- The version numbers are inconsistent (`@version 3.3.5` in `XMOJ.user.js` vs `3.3.4` in `package.json`); consider aligning them to avoid confusion in tooling and updates.
- Instead of exposing `GetContestProblemList` on `unsafeWindow` and calling it from an inline `onclick` string, consider wiring up the refresh click handler via `addEventListener` on the created element to avoid global pollution and string-based handlers.
- The `.refreshList` styles are defined twice in different CSS blocks; consider consolidating these into a single definition to keep the styling easier to maintain.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The version numbers are inconsistent (`@version 3.3.5` in `XMOJ.user.js` vs `3.3.4` in `package.json`); consider aligning them to avoid confusion in tooling and updates.
- Instead of exposing `GetContestProblemList` on `unsafeWindow` and calling it from an inline `onclick` string, consider wiring up the refresh click handler via `addEventListener` on the created element to avoid global pollution and string-based handlers.
- The `.refreshList` styles are defined twice in different CSS blocks; consider consolidating these into a single definition to keep the styling easier to maintain.
## Individual Comments
### Comment 1
<location path="XMOJ.user.js" line_range="2282-2283" />
<code_context>
} else if (location.pathname == "/problem.php") {
+ let transZhEn = document.getElementById("lang_cn_to_en");
+ let transEnZh = document.getElementById("lang_en_to_cn");
+ if (transZhEn !== null) await transZhEn.remove();
+ if (transEnZh !== null) await transEnZh.remove();
+
await RenderMathJax();
</code_context>
<issue_to_address>
**nitpick:** `await` on synchronous `remove()` calls is unnecessary.
`Element.prototype.remove()` is synchronous and not Promise-based, so `await` is a no-op here. Please remove `await` from both `transZhEn.remove()` and `transEnZh.remove()`.
</issue_to_address>
### Comment 2
<location path="XMOJ.user.js" line_range="2335" />
<code_context>
problemSwitcher.innerHTML += `<a onclick="GetContestProblemList(true)" title="刷新列表" class="refreshList mb-2" style="text-align: center;" active>刷新</a>`;
</code_context>
<issue_to_address>
**security (javascript.browser.security.insecure-document-method):** User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities
*Source: opengrep*
</issue_to_address>
### Comment 3
<location path="XMOJ.user.js" line_range="2335" />
<code_context>
problemSwitcher.innerHTML += `<a onclick="GetContestProblemList(true)" title="刷新列表" class="refreshList mb-2" style="text-align: center;" active>刷新</a>`;
</code_context>
<issue_to_address>
**security (javascript.browser.security.insecure-innerhtml):** User controlled data in a `problemSwitcher.innerHTML` is an anti-pattern that can lead to XSS vulnerabilities
*Source: opengrep*
</issue_to_address>
### Comment 4
<location path="XMOJ.user.js" line_range="2548-2550" />
<code_context>
document.querySelector("#simform").outerHTML = `<form id="simform" class="justify-content-center form-inline row g-2" action="status.php" method="get" style="padding-bottom: 7px;">
<input class="form-control" type="text" size="4" name="user_id" value="${CurrentUsername} "style="display: none;">
<div class="col-md-1">
<label for="problem_id" class="form-label">题目编号</label>
<input type="text" class="form-control" id="problem_id" name="problem_id" size="4">
</div>
<div class="col-md-1">
<label for="language" class="form-label">语言</label>
<select id="language" name="language" class="form-select">
<option value="-1">全部</option>
<option value="0">C</option>
<option value="1">C++</option>
<option value="2">Pascal</option>
</select>
</div><div class="col-md-1">
<label for="jresult" class="form-label">结果</label>
<select id="jresult" name="jresult" class="form-select">
<option value="-1">全部</option>
<option value="4">正确</option>
<option value="5">格式错误</option>
<option value="6">答案错误</option>
<option value="7">时间超限</option>
<option value="8">内存超限</option>
<option value="9">输出超限</option>
<option value="10">运行错误</option>
<option value="11">编译错误</option>
<option value="0">等待</option>
<option value="1">等待重判</option>
<option value="2">编译中</option>
<option value="3">运行并评判</option>
</select>
</div>
<div class="col-md-1">
<button type="submit" class="btn btn-primary">查找</button>
</div><div id="csrf"></div></form>`;
</code_context>
<issue_to_address>
**security (javascript.browser.security.insecure-document-method):** User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities
*Source: opengrep*
</issue_to_address>
| if (transZhEn !== null) await transZhEn.remove(); | ||
| if (transEnZh !== null) await transEnZh.remove(); |
nitpick: `await` on synchronous `remove()` calls is unnecessary.
`Element.prototype.remove()` is synchronous and not Promise-based, so `await` is a no-op here. Please remove `await` from both `transZhEn.remove()` and `transEnZh.remove()`.
| problemSwitcher.style.flexDirection = "column"; | ||
|
|
||
| let problemList = JSON.parse(ContestProblemList); | ||
| problemSwitcher.innerHTML += `<a onclick="GetContestProblemList(true)" title="刷新列表" class="refreshList mb-2" style="text-align: center;" active>刷新</a>`; |
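Review bot: the `onclick="GetContestProblemList(true)"` string on the last line only works if that function is reachable as a page global, which forces it onto `unsafeWindow`. Build the `<a>` with `document.createElement`, attach the handler with `addEventListener`, and `append` it to `problemSwitcher`. `innerHTML +=` also re-parses everything already inside `problemSwitcher`, and the bare `active` attribute is not a standard anchor attribute; if it is meant as a class, move it into `class`.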
security (javascript.browser.security.insecure-document-method): User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities
Source: opengrep
| problemSwitcher.style.flexDirection = "column"; | ||
|
|
||
| let problemList = JSON.parse(ContestProblemList); | ||
| problemSwitcher.innerHTML += `<a onclick="GetContestProblemList(true)" title="刷新列表" class="refreshList mb-2" style="text-align: center;" active>刷新</a>`; |
security (javascript.browser.security.insecure-innerhtml): User controlled data in a `problemSwitcher.innerHTML` is an anti-pattern that can lead to XSS vulnerabilities
Source: opengrep
| document.querySelector("#simform").outerHTML = `<form id="simform" class="justify-content-center form-inline row g-2" action="status.php" method="get" style="padding-bottom: 7px;"> | ||
| <input class="form-control" type="text" size="4" name="user_id" value="${CurrentUsername} "style="display: none;"> | ||
| <div class="col-md-1"> |
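Review bot: on the `user_id` input line, `${CurrentUsername}` is interpolated into the `value` attribute without escaping, and the closing quote is misplaced: `value="${CurrentUsername} "style=` puts a trailing space inside the value and leaves no space before `style`. Assign the value through the DOM (`input.value = CurrentUsername`) after the form is created, or escape it for attribute context, and move the space outside the quote.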
security (javascript.browser.security.insecure-document-method): User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities
Source: opengrep
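An added example (not code from XMOJ.user.js or from either review bot) of the two remediations the review comments above point at: keeping the username out of HTML-parsing context in the `#simform` rewrite, and wiring the refresh link with `addEventListener` instead of an inline `onclick` string. The helper names and the `doc` parameter are assumptions made for the example.

```javascript
// Added example. Helper names and the `doc` parameter are hypothetical;
// they are not taken from XMOJ.user.js.

// Escape a value for a double-quoted HTML attribute, for code paths that
// must keep building markup as a string.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// String-built hidden user_id field (the line flagged in Comment 4),
// with the interpolated value escaped for attribute context.
function userIdFieldHtml(username) {
  return `<input class="form-control" type="text" size="4" name="user_id" ` +
    `value="${escapeAttr(username)}" style="display: none;">`;
}

// DOM-built equivalent: the value is assigned as a property, so the
// browser never parses it as markup.
function buildUserIdField(doc, username) {
  const input = doc.createElement("input");
  input.className = "form-control";
  input.type = "text";
  input.size = 4;
  input.name = "user_id";
  input.value = username;
  input.style.display = "none";
  return input;
}

// Refresh link (Comments 2 and 3) without an inline onclick string: the
// handler is a closure, so nothing has to be exposed on unsafeWindow.
function buildRefreshLink(doc, onRefresh) {
  const link = doc.createElement("a");
  link.className = "refreshList mb-2";
  link.title = "刷新列表";
  link.textContent = "刷新";
  link.style.textAlign = "center";
  link.addEventListener("click", (event) => {
    event.preventDefault();
    onRefresh(true); // same argument the inline handler passed
  });
  return link;
}

// In the userscript this would be used as, for example:
//   problemSwitcher.append(buildRefreshLink(document, GetContestProblemList));
```

Appending the element instead of using `innerHTML +=` also leaves the switcher's existing children and their listeners untouched.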
2 issues found across 3 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="Update.json">
<violation number="1" location="Update.json:3459">
P1: Update.json still stops at 3.3.4 even though the userscript version is already 3.3.5, so the version/release scripts will reject this state.</violation>
</file>
<file name="package.json">
<violation number="1" location="package.json:3">
P1: Do not manually bump `package.json` here; this repository's version is generated by automation and must stay in sync with `XMOJ.user.js` and `Update.json`. A package-only bump leaves version metadata inconsistent.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
| ], | ||
| "Notes": "Display status.php query content." | ||
| }, | ||
| "3.3.4": { |
P1: Update.json still stops at 3.3.4 even though the userscript version is already 3.3.5, so the version/release scripts will reject this state.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At Update.json, line 3459:
<comment>Update.json still stops at 3.3.4 even though the userscript version is already 3.3.5, so the version/release scripts will reject this state.</comment>
<file context>
@@ -3422,6 +3422,50 @@
+ ],
+ "Notes": "Display status.php query content."
+ },
+ "3.3.4": {
+ "UpdateDate": 1773559861504,
+ "Prerelease": true,
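Review bot: the last key visible in this excerpt is `"3.3.4"`, so if the userscript header already declares 3.3.5 there is no matching `Update.json` entry for it; add the 3.3.5 block or keep the header at 3.3.4 so the two files agree. The entry also carries a literal `UpdateDate` of `1773559861504`; if the release workflow normally stamps that field, let the workflow generate the entry rather than committing it in the PR.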
</file context>
| { | ||
| "name": "xmoj-script", | ||
| "version": "3.3.0", | ||
| "version": "3.3.4", |
P1: Do not manually bump `package.json` here; this repository's version is generated by automation and must stay in sync with `XMOJ.user.js` and `Update.json`. A package-only bump leaves version metadata inconsistent.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At package.json, line 3:
<comment>Do not manually bump `package.json` here; this repository's version is generated by automation and must stay in sync with `XMOJ.user.js` and `Update.json`. A package-only bump leaves version metadata inconsistent.</comment>
<file context>
@@ -1,6 +1,6 @@
{
"name": "xmoj-script",
- "version": "3.3.0",
+ "version": "3.3.4",
"description": "an improvement script for xmoj.tech",
"main": "AddonScript.js",
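Review bot: the `version` line jumps from `3.3.0` straight to `3.3.4`, which shows this field has not been tracking the intermediate releases, so a hand edit here will drift again. Drop this change and let the release tooling write the field, or update it in the same step as `XMOJ.user.js` and `Update.json` so the three values always agree.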
</file context>
What does this PR aim to accomplish?
Fix the problem title not being centered.
How does this PR accomplish the above?
Remove problem translate button.
By submitting this pull request, I confirm the following:
git rebase)
Summary by Sourcery
Remove problem translation controls, add optional image enlargement and contest problem list refresh capabilities, and refine several UI behaviors and texts.
New Features:
Bug Fixes:
Enhancements:
Build:
Summary by cubic
Removed the translate buttons on problem pages to fix the off‑center problem title and simplify the header. Also adds an optional image viewer and small UX improvements.
New Features
Bug Fixes
`#lang_cn_to_en` and `#lang_en_to_cn` on problem pages to keep the title centered.
Written for commit e509bb5. Summary will update on new commits.