import type { Metadata } from "next"; import { Plus_Jakarta_Sans, Spline_Sans_Mono } from "next/font/google"; import { BrandNav } from "@/components/brand-nav"; import { FrameworkProvider } from "@/components/framework-provider"; import { getIntegrations } from "@/lib/registry"; import { getRuntimeConfig } from "@/lib/runtime-config"; import "./globals.css"; /** * Serialize the runtime config for inline injection. We must * JSON.stringify-then-escape because the value lands inside a * `` tag, where three substrings would otherwise * break out of (or corrupt) the parser: * * - `<` — guards against the `` breakout (XSS). * `JSON.stringify` does NOT escape `<` by default, so a URL * containing `` (e.g. a hostile env value) would * terminate the inline script and inject HTML. Escape every * `<` to `<` so the substring `` can never appear. * - ` ` (LINE SEPARATOR) and ` ` (PARAGRAPH SEPARATOR) — * legal inside JSON strings, but a syntax error inside a JS * string literal in older engines / when the page is parsed as * `text/javascript`. Escape both. * * IMPORTANT: the regex sources below use explicit ` ` / ` ` * ECMAScript-Unicode escapes — the regex engine resolves the escape at * compile time, so `/ /` matches the actual U+2028 codepoint. * Using a literal U+2028 / U+2029 character in the regex source would * break the parser (those codepoints terminate a regex literal in * pre-ES2019 engines, and are visually invisible — easy to ship * accidentally). Reviewers MUST confirm these regexes are written with * ` ` / ` ` escapes literally. * * Canonical OWASP-recommended escape for inline JSON in HTML. */ function serializeRuntimeConfig(cfg: unknown): string { return JSON.stringify(cfg) .replace(/ i.slug); // Server-side: read live env at request time. `unstable_noStore()` // inside getRuntimeConfig opts this segment out of the static cache // so the inline