@arcis/node 1.2.0 → 1.3.0

package/dist/core/index.d.mts

@@ -1,4 +1,4 @@
-export { A as ArcisFunction, a as ArcisMiddleware, b as ArcisOptions, E as ErrorHandlerOptions, F as FieldValidator, H as HeaderOptions, c as HstsOptions, d as HttpError, L as LogOptions, R as RateLimitEntry, e as RateLimitOptions, f as RateLimitResult, g as RateLimitStore, h as RateLimiterMiddleware, S as SafeLogger, i as SanitizeOptions, j as SanitizeResult, T as ThreatInfo, k as ThreatType, V as ValidationConfig, l as ValidationError, m as ValidationResult, n as ValidationSchema } from '../types-CsOFHoD9.mjs';
+export { A as ArcisFunction, a as ArcisMiddleware, b as ArcisOptions, E as ErrorHandlerOptions, F as FieldValidator, H as HeaderOptions, c as HstsOptions, d as HttpError, L as LogOptions, R as RateLimitEntry, e as RateLimitOptions, f as RateLimitResult, g as RateLimitStore, h as RateLimiterMiddleware, S as SafeLogger, i as SanitizeOptions, j as SanitizeResult, T as ThreatInfo, k as ThreatType, V as ValidationConfig, l as ValidationError, m as ValidationResult, n as ValidationSchema } from '../types-BOkx5YJc.mjs';
 import 'express';
 
 /**

package/dist/core/index.d.ts

@@ -1,4 +1,4 @@
-export { A as ArcisFunction, a as ArcisMiddleware, b as ArcisOptions, E as ErrorHandlerOptions, F as FieldValidator, H as HeaderOptions, c as HstsOptions, d as HttpError, L as LogOptions, R as RateLimitEntry, e as RateLimitOptions, f as RateLimitResult, g as RateLimitStore, h as RateLimiterMiddleware, S as SafeLogger, i as SanitizeOptions, j as SanitizeResult, T as ThreatInfo, k as ThreatType, V as ValidationConfig, l as ValidationError, m as ValidationResult, n as ValidationSchema } from '../types-CsOFHoD9.js';
+export { A as ArcisFunction, a as ArcisMiddleware, b as ArcisOptions, E as ErrorHandlerOptions, F as FieldValidator, H as HeaderOptions, c as HstsOptions, d as HttpError, L as LogOptions, R as RateLimitEntry, e as RateLimitOptions, f as RateLimitResult, g as RateLimitStore, h as RateLimiterMiddleware, S as SafeLogger, i as SanitizeOptions, j as SanitizeResult, T as ThreatInfo, k as ThreatType, V as ValidationConfig, l as ValidationError, m as ValidationResult, n as ValidationSchema } from '../types-BOkx5YJc.js';
 import 'express';
 
 /**

package/dist/{pii-DhNpl7M3.d.ts → encode-CrQCGlBq.d.mts}

@@ -1,5 +1,5 @@
 import { RequestHandler } from 'express';
-import { i as SanitizeOptions, j as SanitizeResult } from './types-CsOFHoD9.js';
+import { i as SanitizeOptions, j as SanitizeResult } from './types-BOkx5YJc.mjs';
 
 /**
  * @module @arcis/node/sanitizers/sanitize
@@ -435,4 +435,50 @@ declare function scanObjectPii(obj: Record<string, unknown>, options?: PiiScanOp
  */
 declare function redactObjectPii<T extends Record<string, unknown>>(obj: T, options?: PiiRedactOptions): T;
 
-export { sanitizeString as A, sanitizeXss as B, sanitizeXxe as C, scanObjectPii as D, scanPii as E, type PiiRedactOptions as F, type PiiScanOptions as G, type PiiType as H, type PiiMatch as P, detectHeaderInjection as a, detectJsonpInjection as b, createSanitizer as c, detectCommandInjection as d, detectNoSqlInjection as e, detectPathTraversal as f, detectPii as g, detectPrototypePollution as h, detectSql as i, detectSsti as j, detectXss as k, detectXxe as l, getDangerousOperators as m, getDangerousProtoKeys as n, isDangerousNoSqlKey as o, isDangerousProtoKey as p, redactPii as q, redactObjectPii as r, sanitizeCommand as s, sanitizeHeaderValue as t, sanitizeHeaders as u, sanitizeJsonpCallback as v, sanitizeObject as w, sanitizePath as x, sanitizeSql as y, sanitizeSsti as z };
+/**
+ * @module @arcis/node/sanitizers/encode
+ * Context-aware output encoding for XSS prevention.
+ *
+ * Wrong-context encoding is the #1 cause of XSS bypasses in "protected" apps.
+ * A single sanitize() is not enough when output goes to JS, CSS, or attribute contexts.
+ */
+/**
+ * Encodes for HTML body context. Entity-encodes & < > " '
+ *
+ * Use when outputting to HTML element content:
+ *   `<p>${encodeForHtml(userInput)}</p>`
+ */
+declare function encodeForHtml(value: string): string;
+/**
+ * Encodes for HTML attribute context.
+ * All non-alphanumeric characters are encoded as `&#xHH;` hex entities.
+ *
+ * Use when outputting to HTML attributes:
+ *   `<div title="${encodeForAttribute(userInput)}">`
+ */
+declare function encodeForAttribute(value: string): string;
+/**
+ * Encodes for JavaScript string context.
+ * Non-alphanumeric characters are escaped as `\xHH` (ASCII) or `\uHHHH` (Unicode).
+ *
+ * Use when embedding in JS string literals:
+ *   `var x = '${encodeForJs(userInput)}';`
+ */
+declare function encodeForJs(value: string): string;
+/**
+ * Encodes for URL parameter context. Percent-encodes all non-unreserved chars.
+ *
+ * Use when building query strings:
+ *   `?q=${encodeForUrl(userInput)}`
+ */
+declare function encodeForUrl(value: string): string;
+/**
+ * Encodes for CSS value context.
+ * Non-alphanumeric characters are hex-escaped as `\HH ` (trailing space per CSS spec).
+ *
+ * Use when embedding in CSS values:
+ *   `content: '${encodeForCss(userInput)}';`
+ */
+declare function encodeForCss(value: string): string;
+
+export { sanitizeJsonpCallback as A, sanitizeObject as B, sanitizePath as C, sanitizeSql as D, sanitizeSsti as E, sanitizeString as F, sanitizeXss as G, sanitizeXxe as H, scanObjectPii as I, scanPii as J, type PiiRedactOptions as K, type PiiScanOptions as L, type PiiType as M, type PiiMatch as P, detectHeaderInjection as a, detectJsonpInjection as b, createSanitizer as c, detectCommandInjection as d, detectNoSqlInjection as e, detectPathTraversal as f, detectPii as g, detectPrototypePollution as h, detectSql as i, detectSsti as j, detectXss as k, detectXxe as l, encodeForAttribute as m, encodeForCss as n, encodeForHtml as o, encodeForJs as p, encodeForUrl as q, getDangerousOperators as r, getDangerousProtoKeys as s, isDangerousNoSqlKey as t, isDangerousProtoKey as u, redactObjectPii as v, redactPii as w, sanitizeCommand as x, sanitizeHeaderValue as y, sanitizeHeaders as z };

package/dist/{pii-CXcHMlnX.d.mts → encode-jl9sOwmA.d.ts}

@@ -1,5 +1,5 @@
 import { RequestHandler } from 'express';
-import { i as SanitizeOptions, j as SanitizeResult } from './types-CsOFHoD9.mjs';
+import { i as SanitizeOptions, j as SanitizeResult } from './types-BOkx5YJc.js';
 
 /**
  * @module @arcis/node/sanitizers/sanitize
@@ -435,4 +435,50 @@ declare function scanObjectPii(obj: Record<string, unknown>, options?: PiiScanOp
  */
 declare function redactObjectPii<T extends Record<string, unknown>>(obj: T, options?: PiiRedactOptions): T;
 
-export { sanitizeString as A, sanitizeXss as B, sanitizeXxe as C, scanObjectPii as D, scanPii as E, type PiiRedactOptions as F, type PiiScanOptions as G, type PiiType as H, type PiiMatch as P, detectHeaderInjection as a, detectJsonpInjection as b, createSanitizer as c, detectCommandInjection as d, detectNoSqlInjection as e, detectPathTraversal as f, detectPii as g, detectPrototypePollution as h, detectSql as i, detectSsti as j, detectXss as k, detectXxe as l, getDangerousOperators as m, getDangerousProtoKeys as n, isDangerousNoSqlKey as o, isDangerousProtoKey as p, redactPii as q, redactObjectPii as r, sanitizeCommand as s, sanitizeHeaderValue as t, sanitizeHeaders as u, sanitizeJsonpCallback as v, sanitizeObject as w, sanitizePath as x, sanitizeSql as y, sanitizeSsti as z };
+/**
+ * @module @arcis/node/sanitizers/encode
+ * Context-aware output encoding for XSS prevention.
+ *
+ * Wrong-context encoding is the #1 cause of XSS bypasses in "protected" apps.
+ * A single sanitize() is not enough when output goes to JS, CSS, or attribute contexts.
+ */
+/**
+ * Encodes for HTML body context. Entity-encodes & < > " '
+ *
+ * Use when outputting to HTML element content:
+ *   `<p>${encodeForHtml(userInput)}</p>`
+ */
+declare function encodeForHtml(value: string): string;
+/**
+ * Encodes for HTML attribute context.
+ * All non-alphanumeric characters are encoded as `&#xHH;` hex entities.
+ *
+ * Use when outputting to HTML attributes:
+ *   `<div title="${encodeForAttribute(userInput)}">`
+ */
+declare function encodeForAttribute(value: string): string;
+/**
+ * Encodes for JavaScript string context.
+ * Non-alphanumeric characters are escaped as `\xHH` (ASCII) or `\uHHHH` (Unicode).
+ *
+ * Use when embedding in JS string literals:
+ *   `var x = '${encodeForJs(userInput)}';`
+ */
+declare function encodeForJs(value: string): string;
+/**
+ * Encodes for URL parameter context. Percent-encodes all non-unreserved chars.
+ *
+ * Use when building query strings:
+ *   `?q=${encodeForUrl(userInput)}`
+ */
+declare function encodeForUrl(value: string): string;
+/**
+ * Encodes for CSS value context.
+ * Non-alphanumeric characters are hex-escaped as `\HH ` (trailing space per CSS spec).
+ *
+ * Use when embedding in CSS values:
+ *   `content: '${encodeForCss(userInput)}';`
+ */
+declare function encodeForCss(value: string): string;
+
+export { sanitizeJsonpCallback as A, sanitizeObject as B, sanitizePath as C, sanitizeSql as D, sanitizeSsti as E, sanitizeString as F, sanitizeXss as G, sanitizeXxe as H, scanObjectPii as I, scanPii as J, type PiiRedactOptions as K, type PiiScanOptions as L, type PiiType as M, type PiiMatch as P, detectHeaderInjection as a, detectJsonpInjection as b, createSanitizer as c, detectCommandInjection as d, detectNoSqlInjection as e, detectPathTraversal as f, detectPii as g, detectPrototypePollution as h, detectSql as i, detectSsti as j, detectXss as k, detectXxe as l, encodeForAttribute as m, encodeForCss as n, encodeForHtml as o, encodeForJs as p, encodeForUrl as q, getDangerousOperators as r, getDangerousProtoKeys as s, isDangerousNoSqlKey as t, isDangerousProtoKey as u, redactObjectPii as v, redactPii as w, sanitizeCommand as x, sanitizeHeaderValue as y, sanitizeHeaders as z };

package/dist/{index-D_bdJcF0.d.ts → index-BAhgn9V2.d.ts}

@@ -1,4 +1,4 @@
-import { b as ArcisOptions, o as ArcisMiddlewareStack, A as ArcisFunction, e as RateLimitOptions, h as RateLimiterMiddleware, H as HeaderOptions, E as ErrorHandlerOptions } from './types-CsOFHoD9.js';
+import { b as ArcisOptions, o as ArcisMiddlewareStack, A as ArcisFunction, e as RateLimitOptions, h as RateLimiterMiddleware, H as HeaderOptions, E as ErrorHandlerOptions } from './types-BOkx5YJc.js';
 import { RequestHandler, Request, Response, NextFunction } from 'express';
 
 /**

package/dist/{index-Co5kPRZz.d.ts → index-BGNKspqH.d.ts}

@@ -1,5 +1,5 @@
 import { RequestHandler } from 'express';
-import { n as ValidationSchema } from './types-CsOFHoD9.js';
+import { n as ValidationSchema } from './types-BOkx5YJc.js';
 
 /**
  * @module @arcis/node/validation/schema

package/dist/{index-A-m-pPeW.d.mts → index-Cd02z-0j.d.mts}

@@ -1,5 +1,5 @@
 import { RequestHandler } from 'express';
-import { n as ValidationSchema } from './types-CsOFHoD9.mjs';
+import { n as ValidationSchema } from './types-BOkx5YJc.mjs';
 
 /**
  * @module @arcis/node/validation/schema

package/dist/{index-CgK94hY_.d.mts → index-DgJtWMSj.d.mts}

@@ -1,4 +1,4 @@
-import { b as ArcisOptions, o as ArcisMiddlewareStack, A as ArcisFunction, e as RateLimitOptions, h as RateLimiterMiddleware, H as HeaderOptions, E as ErrorHandlerOptions } from './types-CsOFHoD9.mjs';
+import { b as ArcisOptions, o as ArcisMiddlewareStack, A as ArcisFunction, e as RateLimitOptions, h as RateLimiterMiddleware, H as HeaderOptions, E as ErrorHandlerOptions } from './types-BOkx5YJc.mjs';
 import { RequestHandler, Request, Response, NextFunction } from 'express';
 
 /**

package/dist/index.d.mts

@@ -1,10 +1,10 @@
-export { B as BotCategory, a as BotDetectionResult, b as BotProtectionOptions, C as CorsOptions, c as CsrfOptions, S as SecureCookieOptions, d as SlidingWindowMiddleware, e as SlidingWindowOptions, T as TokenBucketMiddleware, f as TokenBucketOptions, g as arcis, h as arcisFunction, i as botProtection, j as createCors, k as createCsrf, l as createErrorHandler, m as createHeaders, n as createRateLimiter, o as createSecureCookies, p as createSlidingWindowLimiter, q as createTokenBucketLimiter, r as csrfProtection, h as default, s as detectBot, t as enforceSecureCookie, u as errorHandler, v as generateCsrfToken, w as rateLimit, x as safeCors, y as secureCookieDefaults, z as securityHeaders, A as validateCsrfToken } from './index-CgK94hY_.mjs';
-export { P as PiiMatch, F as PiiRedactOptions, G as PiiScanOptions, H as PiiType, c as createSanitizer, d as detectCommandInjection, a as detectHeaderInjection, b as detectJsonpInjection, e as detectNoSqlInjection, f as detectPathTraversal, g as detectPii, h as detectPrototypePollution, i as detectSql, j as detectSsti, k as detectXss, l as detectXxe, o as isDangerousNoSqlKey, p as isDangerousProtoKey, r as redactObjectPii, q as redactPii, s as sanitizeCommand, t as sanitizeHeaderValue, u as sanitizeHeaders, v as sanitizeJsonpCallback, w as sanitizeObject, x as sanitizePath, y as sanitizeSql, z as sanitizeSsti, A as sanitizeString, B as sanitizeXss, C as sanitizeXxe, D as scanObjectPii, E as scanPii } from './pii-CXcHMlnX.mjs';
-export { E as EmailValidationOptions, a as EmailValidationResult, F as FileInput, V as ValidateFileOptions, b as ValidateFileResult, c as ValidateRedirectOptions, d as ValidateRedirectResult, e as ValidateUrlOptions, f as ValidateUrlResult, g as createValidator, i as isDangerousExtension, h as isRedirectSafe, j as isUrlSafe, k as isValidEmailSyntax, s as sanitizeFilename, v as validate, l as validateEmail, m as validateFile, n as validateRedirect, o as validateUrl, p as verifyEmailMx } from './index-A-m-pPeW.mjs';
+export { B as BotCategory, a as BotDetectionResult, b as BotProtectionOptions, C as CorsOptions, c as CsrfOptions, S as SecureCookieOptions, d as SlidingWindowMiddleware, e as SlidingWindowOptions, T as TokenBucketMiddleware, f as TokenBucketOptions, g as arcis, h as arcisFunction, i as botProtection, j as createCors, k as createCsrf, l as createErrorHandler, m as createHeaders, n as createRateLimiter, o as createSecureCookies, p as createSlidingWindowLimiter, q as createTokenBucketLimiter, r as csrfProtection, h as default, s as detectBot, t as enforceSecureCookie, u as errorHandler, v as generateCsrfToken, w as rateLimit, x as safeCors, y as secureCookieDefaults, z as securityHeaders, A as validateCsrfToken } from './index-DgJtWMSj.mjs';
+export { P as PiiMatch, K as PiiRedactOptions, L as PiiScanOptions, M as PiiType, c as createSanitizer, d as detectCommandInjection, a as detectHeaderInjection, b as detectJsonpInjection, e as detectNoSqlInjection, f as detectPathTraversal, g as detectPii, h as detectPrototypePollution, i as detectSql, j as detectSsti, k as detectXss, l as detectXxe, m as encodeForAttribute, n as encodeForCss, o as encodeForHtml, p as encodeForJs, q as encodeForUrl, t as isDangerousNoSqlKey, u as isDangerousProtoKey, v as redactObjectPii, w as redactPii, x as sanitizeCommand, y as sanitizeHeaderValue, z as sanitizeHeaders, A as sanitizeJsonpCallback, B as sanitizeObject, C as sanitizePath, D as sanitizeSql, E as sanitizeSsti, F as sanitizeString, G as sanitizeXss, H as sanitizeXxe, I as scanObjectPii, J as scanPii } from './encode-CrQCGlBq.mjs';
+export { E as EmailValidationOptions, a as EmailValidationResult, F as FileInput, V as ValidateFileOptions, b as ValidateFileResult, c as ValidateRedirectOptions, d as ValidateRedirectResult, e as ValidateUrlOptions, f as ValidateUrlResult, g as createValidator, i as isDangerousExtension, h as isRedirectSafe, j as isUrlSafe, k as isValidEmailSyntax, s as sanitizeFilename, v as validate, l as validateEmail, m as validateFile, n as validateRedirect, o as validateUrl, p as verifyEmailMx } from './index-Cd02z-0j.mjs';
 import { IncomingMessage } from 'http';
 export { createRedactor, createSafeLogger, safeLog } from './logging/index.mjs';
 export { MemoryStore, RedisClientLike, RedisStore, RedisStoreOptions, createRedisStore } from './stores/index.mjs';
-export { A as ArcisFunction, a as ArcisMiddleware, b as ArcisOptions, E as ErrorHandlerOptions, F as FieldValidator, H as HeaderOptions, c as HstsOptions, d as HttpError, L as LogOptions, R as RateLimitEntry, e as RateLimitOptions, f as RateLimitResult, g as RateLimitStore, h as RateLimiterMiddleware, S as SafeLogger, i as SanitizeOptions, j as SanitizeResult, T as ThreatInfo, k as ThreatType, V as ValidationConfig, l as ValidationError, m as ValidationResult, n as ValidationSchema } from './types-CsOFHoD9.mjs';
+export { A as ArcisFunction, a as ArcisMiddleware, b as ArcisOptions, E as ErrorHandlerOptions, F as FieldValidator, H as HeaderOptions, c as HstsOptions, d as HttpError, L as LogOptions, R as RateLimitEntry, e as RateLimitOptions, f as RateLimitResult, g as RateLimitStore, h as RateLimiterMiddleware, S as SafeLogger, i as SanitizeOptions, j as SanitizeResult, T as ThreatInfo, k as ThreatType, V as ValidationConfig, l as ValidationError, m as ValidationResult, n as ValidationSchema } from './types-BOkx5YJc.mjs';
 export { ArcisError, ArcisValidationError, BLOCKED, ERRORS, HEADERS, INPUT, InputTooLargeError, RATE_LIMIT, REDACTION, RateLimitError, SanitizationError, SecurityThreatError, VALIDATION } from './core/index.mjs';
 import 'express';
 

package/dist/index.d.ts

@@ -1,10 +1,10 @@
-export { B as BotCategory, a as BotDetectionResult, b as BotProtectionOptions, C as CorsOptions, c as CsrfOptions, S as SecureCookieOptions, d as SlidingWindowMiddleware, e as SlidingWindowOptions, T as TokenBucketMiddleware, f as TokenBucketOptions, g as arcis, h as arcisFunction, i as botProtection, j as createCors, k as createCsrf, l as createErrorHandler, m as createHeaders, n as createRateLimiter, o as createSecureCookies, p as createSlidingWindowLimiter, q as createTokenBucketLimiter, r as csrfProtection, h as default, s as detectBot, t as enforceSecureCookie, u as errorHandler, v as generateCsrfToken, w as rateLimit, x as safeCors, y as secureCookieDefaults, z as securityHeaders, A as validateCsrfToken } from './index-D_bdJcF0.js';
-export { P as PiiMatch, F as PiiRedactOptions, G as PiiScanOptions, H as PiiType, c as createSanitizer, d as detectCommandInjection, a as detectHeaderInjection, b as detectJsonpInjection, e as detectNoSqlInjection, f as detectPathTraversal, g as detectPii, h as detectPrototypePollution, i as detectSql, j as detectSsti, k as detectXss, l as detectXxe, o as isDangerousNoSqlKey, p as isDangerousProtoKey, r as redactObjectPii, q as redactPii, s as sanitizeCommand, t as sanitizeHeaderValue, u as sanitizeHeaders, v as sanitizeJsonpCallback, w as sanitizeObject, x as sanitizePath, y as sanitizeSql, z as sanitizeSsti, A as sanitizeString, B as sanitizeXss, C as sanitizeXxe, D as scanObjectPii, E as scanPii } from './pii-DhNpl7M3.js';
-export { E as EmailValidationOptions, a as EmailValidationResult, F as FileInput, V as ValidateFileOptions, b as ValidateFileResult, c as ValidateRedirectOptions, d as ValidateRedirectResult, e as ValidateUrlOptions, f as ValidateUrlResult, g as createValidator, i as isDangerousExtension, h as isRedirectSafe, j as isUrlSafe, k as isValidEmailSyntax, s as sanitizeFilename, v as validate, l as validateEmail, m as validateFile, n as validateRedirect, o as validateUrl, p as verifyEmailMx } from './index-Co5kPRZz.js';
+export { B as BotCategory, a as BotDetectionResult, b as BotProtectionOptions, C as CorsOptions, c as CsrfOptions, S as SecureCookieOptions, d as SlidingWindowMiddleware, e as SlidingWindowOptions, T as TokenBucketMiddleware, f as TokenBucketOptions, g as arcis, h as arcisFunction, i as botProtection, j as createCors, k as createCsrf, l as createErrorHandler, m as createHeaders, n as createRateLimiter, o as createSecureCookies, p as createSlidingWindowLimiter, q as createTokenBucketLimiter, r as csrfProtection, h as default, s as detectBot, t as enforceSecureCookie, u as errorHandler, v as generateCsrfToken, w as rateLimit, x as safeCors, y as secureCookieDefaults, z as securityHeaders, A as validateCsrfToken } from './index-BAhgn9V2.js';
+export { P as PiiMatch, K as PiiRedactOptions, L as PiiScanOptions, M as PiiType, c as createSanitizer, d as detectCommandInjection, a as detectHeaderInjection, b as detectJsonpInjection, e as detectNoSqlInjection, f as detectPathTraversal, g as detectPii, h as detectPrototypePollution, i as detectSql, j as detectSsti, k as detectXss, l as detectXxe, m as encodeForAttribute, n as encodeForCss, o as encodeForHtml, p as encodeForJs, q as encodeForUrl, t as isDangerousNoSqlKey, u as isDangerousProtoKey, v as redactObjectPii, w as redactPii, x as sanitizeCommand, y as sanitizeHeaderValue, z as sanitizeHeaders, A as sanitizeJsonpCallback, B as sanitizeObject, C as sanitizePath, D as sanitizeSql, E as sanitizeSsti, F as sanitizeString, G as sanitizeXss, H as sanitizeXxe, I as scanObjectPii, J as scanPii } from './encode-jl9sOwmA.js';
+export { E as EmailValidationOptions, a as EmailValidationResult, F as FileInput, V as ValidateFileOptions, b as ValidateFileResult, c as ValidateRedirectOptions, d as ValidateRedirectResult, e as ValidateUrlOptions, f as ValidateUrlResult, g as createValidator, i as isDangerousExtension, h as isRedirectSafe, j as isUrlSafe, k as isValidEmailSyntax, s as sanitizeFilename, v as validate, l as validateEmail, m as validateFile, n as validateRedirect, o as validateUrl, p as verifyEmailMx } from './index-BGNKspqH.js';
 import { IncomingMessage } from 'http';
 export { createRedactor, createSafeLogger, safeLog } from './logging/index.js';
 export { MemoryStore, RedisClientLike, RedisStore, RedisStoreOptions, createRedisStore } from './stores/index.js';
-export { A as ArcisFunction, a as ArcisMiddleware, b as ArcisOptions, E as ErrorHandlerOptions, F as FieldValidator, H as HeaderOptions, c as HstsOptions, d as HttpError, L as LogOptions, R as RateLimitEntry, e as RateLimitOptions, f as RateLimitResult, g as RateLimitStore, h as RateLimiterMiddleware, S as SafeLogger, i as SanitizeOptions, j as SanitizeResult, T as ThreatInfo, k as ThreatType, V as ValidationConfig, l as ValidationError, m as ValidationResult, n as ValidationSchema } from './types-CsOFHoD9.js';
+export { A as ArcisFunction, a as ArcisMiddleware, b as ArcisOptions, E as ErrorHandlerOptions, F as FieldValidator, H as HeaderOptions, c as HstsOptions, d as HttpError, L as LogOptions, R as RateLimitEntry, e as RateLimitOptions, f as RateLimitResult, g as RateLimitStore, h as RateLimiterMiddleware, S as SafeLogger, i as SanitizeOptions, j as SanitizeResult, T as ThreatInfo, k as ThreatType, V as ValidationConfig, l as ValidationError, m as ValidationResult, n as ValidationSchema } from './types-BOkx5YJc.js';
 export { ArcisError, ArcisValidationError, BLOCKED, ERRORS, HEADERS, INPUT, InputTooLargeError, RATE_LIMIT, REDACTION, RateLimitError, SanitizationError, SecurityThreatError, VALIDATION } from './core/index.js';
 import 'express';
 

package/dist/index.js

@@ -307,7 +307,12 @@ function createHeaders(options = {}) {
     hsts = true,
     referrerPolicy = HEADERS.REFERRER_POLICY,
     permissionsPolicy = HEADERS.PERMISSIONS_POLICY,
-    cacheControl = true
+    cacheControl = true,
+    crossOriginOpenerPolicy = "same-origin",
+    crossOriginResourcePolicy = "same-origin",
+    crossOriginEmbedderPolicy = "require-corp",
+    originAgentCluster = true,
+    dnsPrefetchControl = true
   } = options;
   return (req, res, next) => {
     if (contentSecurityPolicy) {
@@ -315,7 +320,7 @@ function createHeaders(options = {}) {
       res.setHeader("Content-Security-Policy", csp);
     }
     if (xssFilter) {
-      res.setHeader("X-XSS-Protection", "1; mode=block");
+      res.setHeader("X-XSS-Protection", "0");
     }
     if (noSniff) {
       res.setHeader("X-Content-Type-Options", HEADERS.CONTENT_TYPE_OPTIONS);
@@ -342,6 +347,21 @@ function createHeaders(options = {}) {
     if (permissionsPolicy) {
       res.setHeader("Permissions-Policy", permissionsPolicy);
     }
+    if (crossOriginOpenerPolicy) {
+      res.setHeader("Cross-Origin-Opener-Policy", crossOriginOpenerPolicy);
+    }
+    if (crossOriginResourcePolicy) {
+      res.setHeader("Cross-Origin-Resource-Policy", crossOriginResourcePolicy);
+    }
+    if (crossOriginEmbedderPolicy) {
+      res.setHeader("Cross-Origin-Embedder-Policy", crossOriginEmbedderPolicy);
+    }
+    if (originAgentCluster) {
+      res.setHeader("Origin-Agent-Cluster", "?1");
+    }
+    if (dnsPrefetchControl) {
+      res.setHeader("X-DNS-Prefetch-Control", "off");
+    }
     res.setHeader("X-Permitted-Cross-Domain-Policies", "none");
     if (cacheControl) {
       const cacheControlValue = typeof cacheControl === "string" ? cacheControl : HEADERS.CACHE_CONTROL;
@@ -1249,6 +1269,73 @@ function redactObjectPii(obj, options = {}) {
   return result;
 }
 
+// src/sanitizers/encode.ts
+var HTML_ENTITIES = {
+  "&": "&",
+  "<": "&lt;",
+  ">": "&gt;",
+  '"': "&quot;",
+  "'": "&#x27;"
+};
+var HTML_ENCODE_RE = /[&<>"']/g;
+function encodeForHtml(value) {
+  if (!value) return "";
+  return value.replace(HTML_ENCODE_RE, (ch) => HTML_ENTITIES[ch]);
+}
+function encodeForAttribute(value) {
+  if (!value) return "";
+  let result = "";
+  for (let i = 0; i < value.length; i++) {
+    const ch = value.charCodeAt(i);
+    if (ch >= 48 && ch <= 57 || // 0-9
+    ch >= 65 && ch <= 90 || // A-Z
+    ch >= 97 && ch <= 122) {
+      result += value[i];
+    } else {
+      result += `&#x${ch.toString(16).toUpperCase()};`;
+    }
+  }
+  return result;
+}
+function encodeForJs(value) {
+  if (!value) return "";
+  let result = "";
+  for (let i = 0; i < value.length; i++) {
+    const ch = value.charCodeAt(i);
+    if (ch >= 48 && ch <= 57 || // 0-9
+    ch >= 65 && ch <= 90 || // A-Z
+    ch >= 97 && ch <= 122) {
+      result += value[i];
+    } else if (ch < 256) {
+      result += `\\x${ch.toString(16).toUpperCase().padStart(2, "0")}`;
+    } else {
+      result += `\\u${ch.toString(16).toUpperCase().padStart(4, "0")}`;
+    }
+  }
+  return result;
+}
+function encodeForUrl(value) {
+  if (!value) return "";
+  return encodeURIComponent(value).replace(/[!'()*]/g, (ch) => {
+    return `%${ch.charCodeAt(0).toString(16).toUpperCase()}`;
+  });
+}
+function encodeForCss(value) {
+  if (!value) return "";
+  let result = "";
+  for (let i = 0; i < value.length; i++) {
+    const ch = value.charCodeAt(i);
+    if (ch >= 48 && ch <= 57 || // 0-9
+    ch >= 65 && ch <= 90 || // A-Z
+    ch >= 97 && ch <= 122) {
+      result += value[i];
+    } else {
+      result += `\\${ch.toString(16).toUpperCase()} `;
+    }
+  }
+  return result;
+}
+
 // src/validation/schema.ts
 function validate(schema, source = "body") {
   return (req, res, next) => {
@@ -3145,6 +3232,11 @@ exports.detectSql = detectSql;
 exports.detectSsti = detectSsti;
 exports.detectXss = detectXss;
 exports.detectXxe = detectXxe;
+exports.encodeForAttribute = encodeForAttribute;
+exports.encodeForCss = encodeForCss;
+exports.encodeForHtml = encodeForHtml;
+exports.encodeForJs = encodeForJs;
+exports.encodeForUrl = encodeForUrl;
 exports.enforceSecureCookie = enforceSecureCookie;
 exports.errorHandler = errorHandler;
 exports.fingerprint = fingerprint;