github GHJJ123/brainrotguard v1.14.1
v1.14.1 — Security Hardening + Channel Menu UI

one month ago

Security (v1.14.1)

  • Validate video_id against regex on /api/status/ endpoint (prevents DB probing with arbitrary strings)
  • Bind watch heartbeat to session — only the video loaded on /watch can send heartbeats (prevents cross-video time inflation)
  • Validate callback data: chan_filter/chan_page status checked against allowlist, logs_page/search_page days clamped to 1-365
  • Validate video_id in thumbnail URL fallback construction (defense-in-depth for yt-dlp output)
  • Separate empty-PIN logic from HMAC check for clarity and correctness
  • Fix misleading status labels when allowchan/blockchan pressed on already-resolved videos
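
The input checks in the first three bullets can be sketched as follows; this is an added example, not brainrotguard's own code. The 11-character ID pattern, the colon-separated callback format, the `allowed`/`blocked` status values and all function names are assumptions made for illustration.

```python
import re

# Assumption: YouTube-style IDs, exactly 11 characters from [A-Za-z0-9_-].
VIDEO_ID_RE = re.compile(r"[A-Za-z0-9_-]{11}")
# Assumption: the statuses behind the Allowed/Blocked channel menu.
CHANNEL_STATUSES = frozenset({"allowed", "blocked"})
MIN_DAYS, MAX_DAYS = 1, 365


def valid_video_id(value):
    """True only if the whole string matches; fullmatch also rejects a
    trailing newline, which a '$'-anchored match() would let through."""
    return isinstance(value, str) and VIDEO_ID_RE.fullmatch(value) is not None


def clamp_days(raw):
    """Parse a day count and clamp it to 1-365; unparsable input becomes 1."""
    try:
        days = int(raw)
    except (TypeError, ValueError):
        return MIN_DAYS
    return max(MIN_DAYS, min(MAX_DAYS, days))


def _page(parts, index):
    """Page number at parts[index]; missing or malformed values become 0."""
    raw = parts[index] if len(parts) > index else ""
    if raw.isascii() and raw.isdigit() and len(raw) <= 6:
        return int(raw)
    return 0


def parse_callback(data):
    """Parse hypothetical 'action:arg[:page]' callback data.

    Returns a normalized tuple, or None when the payload must be dropped.
    """
    parts = data.split(":")
    if len(parts) < 2:
        return None
    action, arg = parts[0], parts[1]
    if action in ("chan_filter", "chan_page"):
        # The status selects a query filter, so only known values pass.
        return (action, arg, _page(parts, 2)) if arg in CHANNEL_STATUSES else None
    if action in ("logs_page", "search_page"):
        return (action, clamp_days(arg), _page(parts, 2))
    return None
```

Rejecting unknown statuses outright while clamping numeric ranges keeps pagination usable for stale buttons without letting client-supplied strings reach a query.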

Changed (v1.14.0)

  • /channel now shows Allowed/Blocked menu with summary stats and side-by-side buttons
  • Filtered channel views with pagination and 📋 Channels home button
  • All pagination uses consistent ◀ Back / Next ▶ buttons with disabled placeholders
  • Internal: extracted _nav_row, _edit_msg, _channel_resolve_and_add, _channel_remove helpers (-68 lines)

Added (v1.13.0)

  • Starter channels: ~15 curated kid-friendly YouTube channels available on first boot and via /channel starter (closes #9)
  • Per-channel Import buttons with check mark feedback for already-imported channels
  • Welcome message on /start and first-run explaining the bot's purpose
  • /channel starter command always available for browsing and importing starter channels
