From c8bc81f96161a0eb26d1c1a5fd9f9f21569fa19f Mon Sep 17 00:00:00 2001
From: lkddi
Date: Sat, 25 Apr 2026 10:10:47 +0800
Subject: [PATCH] =?UTF-8?q?=E8=A1=A5=E5=85=85=E5=89=8D=E7=AB=AF=E7=8A=B6?=
 =?UTF-8?q?=E6=80=81=E5=92=8C=E5=AE=89=E5=85=A8=E8=BE=B9=E7=95=8C=E6=B3=A8?=
 =?UTF-8?q?=E9=87=8A?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 resources/js/chat-room/baccarat-loss-cover-admin.js | 1 +
 resources/js/chat-room/bank-modal.js | 1 +
 resources/js/chat-room/friend-panel.js | 2 ++
 resources/js/chat-room/mobile-drawer.js | 2 ++
 resources/js/chat-room/preferences-status.js | 1 +
 5 files changed, 7 insertions(+)

diff --git a/resources/js/chat-room/baccarat-loss-cover-admin.js b/resources/js/chat-room/baccarat-loss-cover-admin.js
index 8746d55..ae74d75 100644
--- a/resources/js/chat-room/baccarat-loss-cover-admin.js
+++ b/resources/js/chat-room/baccarat-loss-cover-admin.js
@@ -182,6 +182,7 @@ export async function submitBaccaratLossCoverEvent(event) {
 return;
 }
+ // 前端只收集表单字段;权限、时间范围和字段合法性仍以后端校验为准。
 const payload = {
 title: document.getElementById("blc-admin-title")?.value || "",
 description: document.getElementById("blc-admin-description")?.value || "",
diff --git a/resources/js/chat-room/bank-modal.js b/resources/js/chat-room/bank-modal.js
index 2792eb6..9b5cc3d 100644
--- a/resources/js/chat-room/bank-modal.js
+++ b/resources/js/chat-room/bank-modal.js
@@ -211,6 +211,7 @@ export function bankShowMsg(message, success) {
 element.style.border = success ? "1px solid #bbf7d0" : "1px solid #fecaca";
 element.style.color = success ? "#16a34a" : "#ef4444";
 element.style.display = "block";
+ // 连续存取款时清理上一次隐藏任务,避免旧 timer 把新提示提前隐藏。
 clearTimeout(element._t);
 element._t = setTimeout(() => {
 element.style.display = "none";
diff --git a/resources/js/chat-room/friend-panel.js b/resources/js/chat-room/friend-panel.js
index 5011b70..26c65c4 100644
--- a/resources/js/chat-room/friend-panel.js
+++ b/resources/js/chat-room/friend-panel.js
@@ -254,6 +254,7 @@ async function friendAction(action, username, button) {
 setNotice("");
 try {
+ // 用户名进入 URL path 前必须编码,避免特殊字符破坏路径或请求目标。
 const response = await fetch(`/friend/${encodeURIComponent(username)}/${action}`, {
 method: action === "remove" ? "DELETE" : "POST",
 headers: {
@@ -311,6 +312,7 @@ export async function friendSearch() {
 setNotice("正在添加…");
 try {
+ // 搜索输入的用户名同样先做 path 编码,再交由后端做存在性与权限校验。
 const response = await fetch(`/friend/${encodeURIComponent(username)}/add`, {
 method: "POST",
 headers: {
diff --git a/resources/js/chat-room/mobile-drawer.js b/resources/js/chat-room/mobile-drawer.js
index 797f928..ddfdc1f 100644
--- a/resources/js/chat-room/mobile-drawer.js
+++ b/resources/js/chat-room/mobile-drawer.js
@@ -4,6 +4,7 @@ import { escapeHtml } from "./html.js";
 import { renderRoomsOnlineStatusToContainer } from "./rooms.js";
 let mobileDrawerEventsBound = false;
+// 模块级状态用于维持抽屉互斥、搜索 RAF 节流和房间列表短缓存。
 let mobileDrawerOpen = null;
 let mobileUserListRenderTimer = null;
 let mobileRoomsOnlineStatusCache = null;
@@ -226,6 +227,7 @@ export async function loadMobileRoomList() {
 }
 if (mobileRoomsOnlineStatusCache && Date.now() - mobileRoomsOnlineStatusCacheAt < MOBILE_ROOMS_ONLINE_STATUS_CACHE_TTL) {
+ // 切换手机房间 tab 可能高频触发,10 秒短缓存用来减少接口压力,允许轻微延迟。
 renderMobileRoomList(mobileRoomsOnlineStatusCache, container);
 return;
 }
diff --git a/resources/js/chat-room/preferences-status.js b/resources/js/chat-room/preferences-status.js
index b1d44cc..1b45e16 100644
--- a/resources/js/chat-room/preferences-status.js
+++ b/resources/js/chat-room/preferences-status.js
@@ -84,6 +84,7 @@ export function normalizeDailyStatus(raw, nowTimestamp = Date.now()) {
 */
 export function loadBlockedSystemSenders(blockableSystemSenders = BLOCKABLE_SYSTEM_SENDERS) {
 try {
+ // 旧 localStorage 可能损坏或被手动篡改,读取后只保留当前允许屏蔽的发送者。
 const saved = JSON.parse(localStorage.getItem(BLOCKED_SYSTEM_SENDERS_STORAGE_KEY) || "[]");
 if (!Array.isArray(saved)) {
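Review bot: The new comment in the first friend-panel hunk says the username is encoded before it enters the URL path, but the fetch line right below it also interpolates `action` unencoded in the same template, and the callers that decide its value are outside the hunk, so a reader cannot tell from the comment whether that path segment is trusted. If `action` is only ever an internal literal, state that in the comment; otherwise apply the same treatment by using `encodeURIComponent(action)` in place of `action` in the template. The `method` ternary on the next line suggests a small fixed set of actions, in which case an explicit allow-list check before the fetch would document the contract better than encoding alone. friendAction's body continues outside the hunk on both sides.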
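Review bot: The comment added in the second mobile-drawer hunk hard-codes "10 秒" while the condition on the line above reads the TTL from `MOBILE_ROOMS_ONLINE_STATUS_CACHE_TTL`, whose value is not visible in this hunk, so the number will silently go stale if the constant is tuned. Name the constant rather than the figure, e.g. `// Mobile room-tab switches can be frequent; within MOBILE_ROOMS_ONLINE_STATUS_CACHE_TTL serve the cached list and accept slightly stale online status.` loadMobileRoomList continues outside the hunk.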