@01.software/sdk 0.5.3 → 0.5.4

package/dist/ui/flow.js

@@ -420,6 +420,7 @@ function ensureQuickJSLoaded() {
     _notify();
   }).catch(() => {
     _state = { status: "failed", module: null };
+    _notify();
   });
 }
 function useQuickJS() {
@@ -564,7 +565,11 @@ function sanitizeStyle(style) {
   for (const [k, v] of Object.entries(style)) {
     if (BLOCKED_STYLE_PROPS.has(k)) continue;
     if (typeof v === "string" && /url\s*\(/i.test(v)) continue;
-    if (k === "position" && typeof v === "string" && /fixed|absolute/i.test(v)) continue;
+    if (k === "position" && typeof v === "string" && /fixed|sticky/i.test(v)) continue;
+    if (k === "zIndex") {
+      const n = typeof v === "number" ? v : parseInt(String(v), 10);
+      if (isNaN(n) || n > 9998) continue;
+    }
     safe[k] = v;
   }
   return safe;
@@ -660,10 +665,10 @@ function compileTemplate(code, slug) {
   if (!qjs) return null;
   const cacheKey = `${slug}:${code.length}:${hashCode(code)}`;
   if (rendererCache.has(cacheKey)) {
-    const renderer2 = rendererCache.get(cacheKey);
+    const entry = rendererCache.get(cacheKey);
     rendererCache.delete(cacheKey);
-    rendererCache.set(cacheKey, renderer2);
-    return makeReactFC(renderer2, qjs);
+    rendererCache.set(cacheKey, entry);
+    return entry.fc;
   }
   let jsCode;
   try {
@@ -678,12 +683,13 @@ function compileTemplate(code, slug) {
     return null;
   }
   const renderer = makeRenderer(jsCode);
+  const fc = makeReactFC(renderer, qjs);
   if (rendererCache.size >= MAX_CACHE_SIZE) {
     const oldest = rendererCache.keys().next().value;
     if (oldest) rendererCache.delete(oldest);
   }
-  rendererCache.set(cacheKey, renderer);
-  return makeReactFC(renderer, qjs);
+  rendererCache.set(cacheKey, { renderer, fc });
+  return fc;
 }
 function clearTemplateCache() {
   rendererCache.clear();
@@ -880,6 +886,11 @@ import postcss from "postcss";
 var ALLOWED_AT_RULES = /* @__PURE__ */ new Set(["keyframes", "media", "supports", "container", "layer"]);
 var BLOCKED_VALUE_PATTERNS = [/url\s*\(/i, /expression\s*\(/i, /paint\s*\(/i, /-moz-binding/i];
 var DANGEROUS_SELECTOR = /(?:^|[\s,])(?::root|html|body)\b/;
+var BLOCKED_PROPERTY_VALUES = {
+  // absolute is allowed — contained by nearest positioned ancestor (node wrapper)
+  position: /fixed|sticky/i
+};
+var Z_INDEX_MAX = 9998;
 function sanitizeCSS(css, scopeClass) {
   let root;
   try {
@@ -887,14 +898,66 @@ function sanitizeCSS(css, scopeClass) {
   } catch (e) {
     return "";
   }
+  const safeScopeClass = scopeClass ? scopeClass.replace(/[{}()[\];,'"\\<>\s]/g, "") : "";
+  const keyframeNameMap = /* @__PURE__ */ new Map();
+  if (safeScopeClass) {
+    root.walkAtRules(/^keyframes$/i, (node) => {
+      const rawName = node.params.trim().replace(/^['"]|['"]$/g, "");
+      const originalName = rawName;
+      const scopedName = `${safeScopeClass}__${rawName.replace(/\s+/g, "_")}`;
+      keyframeNameMap.set(originalName, scopedName);
+      node.params = scopedName;
+    });
+  }
+  if (safeScopeClass && keyframeNameMap.size > 0) {
+    const ANIM_KEYWORDS = /* @__PURE__ */ new Set(["none", "initial", "inherit", "unset", "revert"]);
+    const replaceAnimName = (token) => {
+      var _a;
+      const t = token.trim().replace(/^['"]|['"]$/g, "");
+      return ANIM_KEYWORDS.has(t) ? token : (_a = keyframeNameMap.get(t)) != null ? _a : token;
+    };
+    root.walkDecls(/^animation-name$/i, (node) => {
+      node.value = node.value.split(",").map(replaceAnimName).join(", ");
+    });
+    root.walkDecls(/^animation$/i, (node) => {
+      node.value = node.value.split(",").map(
+        (anim) => anim.split(/(\s+)/).map((token) => /\s/.test(token) ? token : replaceAnimName(token)).join("")
+      ).join(",");
+    });
+  }
   root.walkAtRules((node) => {
     if (!ALLOWED_AT_RULES.has(node.name.toLowerCase())) {
       node.remove();
     }
   });
   root.walkDecls((node) => {
-    if (BLOCKED_VALUE_PATTERNS.some((p) => p.test(node.value))) {
+    const normalizedValue = node.value.replace(/\/\*[\s\S]*?\*\//g, "");
+    if (BLOCKED_VALUE_PATTERNS.some((p) => p.test(normalizedValue))) {
       node.remove();
+      return;
+    }
+    const propLower = node.prop.toLowerCase();
+    const blockedValuePattern = BLOCKED_PROPERTY_VALUES[propLower];
+    if (blockedValuePattern) {
+      const deescaped = normalizedValue.replace(
+        /\\([0-9a-fA-F]{1,6})\s?/g,
+        (_, hex) => String.fromCodePoint(parseInt(hex, 16))
+      );
+      if (blockedValuePattern.test(deescaped)) {
+        node.remove();
+        return;
+      }
+    }
+    if (propLower === "z-index") {
+      const zv = node.value.trim();
+      if (zv === "auto" || zv === "initial" || zv === "inherit" || zv === "unset" || zv === "revert") {
+      } else {
+        const val = parseInt(zv, 10);
+        if (isNaN(val) || String(val) !== zv || val > Z_INDEX_MAX) {
+          node.remove();
+          return;
+        }
+      }
     }
   });
   root.walkRules((rule) => {
@@ -904,7 +967,6 @@ function sanitizeCSS(css, scopeClass) {
       return;
     }
     if (scopeClass) {
-      const safeScopeClass = scopeClass.replace(/[{}()[\];,'"\\<>]/g, "");
       if (!safeScopeClass) {
         rule.remove();
         return;