uses `new URL()` and `decodeURI()` instead of `url.parse()`
also checks that the requested file is in a subdirectory of `public/` before serving the file
fixes path traversal vulnerability GHSA-5cxq-25mp-q5f2
Mojang has disabled their legacy skins API:
https://twitter.com/MojangSupport/status/964511258601865216
With their API rate limits, it's now practially impossible
for us to support usernames.
Fixes#142. The default parameter allows using:
- UUID
- URL
- MHF_Alex
- MHF_Steve
- Alex
- Steve
Contrary to UUIDs, using alex/steve doesn't redirect
and instead provides the skin from a locally stored file.
from MDN:
JavaScript does not protect the property name hasOwnProperty; thus, if the possibility exists that an object might have a property with this name, it is necessary to use an external hasOwnProperty to get correct results
- renders are now fully isometric
- used position -0.5 and size +1 at some places to fix#32
- does not support overlay yet
- does not support left/right arms/legs
- does not support slim renders yet
- currently only renders full body, not head
human_status (response.js) defines code -2 as 'user error'. 404 is definitely a user error, so using that makes sense.
eventually we should change the whole status code thing with #120
