Mimi
This package is now pure ESM
I agree that include_code should only encompass files within the Hexo workspace. Otherwise, malicious attackers might manipulate users into revealing sensitive files from the disk through relative paths.
For example, `hexo.render.render` is called in lines 403 to 418 of `/lib/hexo/post.js`: https://github.com/hexojs/hexo/blob/00bcce521678ca168b3565ed2a7d0512be07a2ed/lib/hexo/post.js#L403-L418 However, the processing of code blocks and tag plugins is as follows, from line 362 to 425:...
This issue is quite tricky. Hexo provides a well-encapsulated `warehouse Query` object, but indeed, many themes make use of the private `data` attribute.
There will be an edge case: `--path 0x100` will become string `'256'`, not `'0x100'`. You can try to change the code here: https://github.com/hexojs/hexo-cli/blob/5c5fc8fe2fc781a557a30f1bf2043502825f173c/lib/hexo.ts#L18

```js
minimist(process.argv.slice(2), { string: ['_', 'p', 'path']...
```
@uiolee I have made the modification, and indeed, I haven't found a more elegant solution. In the future, we can consider adding this path replacement inside `url_for`. The WHATWG URL...
See also https://github.com/hexojs/hexo-cli/pull/200
@D-Sketon Yes, the slug should also have a string type. You can add other test cases like https://github.com/hexojs/hexo/pull/4363
I think we can introduce a new convention: In the database models used by Hexo (including Asset, Page, Post, etc.), the `source` attribute is used to specify the file system...
Database model `Asset` also contains an `_id` attribute (instead of using the UUID automatically assigned by warehouse), which by default is the file's relative path. I have found that when...