@autumnsgrove/groveengine 0.1.0

package/dist/utils/sanitize.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Sanitize HTML content to prevent XSS attacks
+ * @param {string} html - Raw HTML string to sanitize
+ * @returns {string} - Sanitized HTML safe for rendering
+ */
+export function sanitizeHTML(html: string): string;
+/**
+ * Sanitize SVG content specifically (stricter rules for SVG)
+ * @param {string} svg - Raw SVG string to sanitize
+ * @returns {string} - Sanitized SVG safe for rendering
+ */
+export function sanitizeSVG(svg: string): string;
+/**
+ * Sanitize markdown-generated HTML with appropriate security rules
+ * This is a convenience wrapper for sanitizeHTML with markdown-specific settings
+ * @param {string} markdownHTML - HTML generated from markdown parsing
+ * @returns {string} - Sanitized HTML safe for rendering
+ */
+export function sanitizeMarkdown(markdownHTML: string): string;
+/**
+ * Sanitize URL to prevent dangerous protocols
+ * @param {string} url - URL to sanitize
+ * @returns {string} - Sanitized URL (returns empty string if dangerous)
+ */
+export function sanitizeURL(url: string): string;

package/dist/utils/sanitize.js

@@ -0,0 +1,127 @@
+/**
+ * Centralized sanitization utilities for XSS prevention
+ * Uses isomorphic-dompurify for both server-side and client-side sanitization
+ */
+
+import DOMPurify from 'isomorphic-dompurify';
+
+/**
+ * Sanitize HTML content to prevent XSS attacks
+ * @param {string} html - Raw HTML string to sanitize
+ * @returns {string} - Sanitized HTML safe for rendering
+ */
+export function sanitizeHTML(html) {
+	if (!html || typeof html !== 'string') {
+		return '';
+	}
+
+	const config = {
+		FORBID_TAGS: ['script', 'iframe', 'object', 'embed', 'link', 'style', 'form', 'input', 'button', 'base', 'meta'],
+		FORBID_ATTR: ['onerror', 'onload', 'onclick', 'onmouseover', 'onfocus', 'onblur', 'onchange', 'onsubmit', 'onmouseenter', 'onmouseleave'],
+		ALLOWED_URI_REGEXP: /^(?:(?:https?|mailto|tel):)/i,
+		ALLOW_DATA_ATTR: false,
+		KEEP_CONTENT: true,
+		SAFE_FOR_TEMPLATES: true
+	};
+
+	return DOMPurify.sanitize(html, config);
+}
+
+/**
+ * Sanitize SVG content specifically (stricter rules for SVG)
+ * @param {string} svg - Raw SVG string to sanitize
+ * @returns {string} - Sanitized SVG safe for rendering
+ */
+export function sanitizeSVG(svg) {
+	if (!svg || typeof svg !== 'string') {
+		return '';
+	}
+
+	return DOMPurify.sanitize(svg, {
+		USE_PROFILES: { svg: true, svgFilters: true },
+		ALLOWED_TAGS: [
+			'svg', 'g', 'path', 'circle', 'rect', 'line', 'polyline', 'polygon',
+			'ellipse', 'text', 'tspan', 'defs', 'marker', 'pattern', 'clipPath',
+			'mask', 'linearGradient', 'radialGradient', 'stop', 'use', 'symbol',
+			'title', 'desc'
+		],
+		ALLOWED_ATTR: [
+			'class', 'id', 'transform', 'fill', 'stroke', 'stroke-width',
+			'x', 'y', 'x1', 'y1', 'x2', 'y2', 'cx', 'cy', 'r', 'rx', 'ry',
+			'width', 'height', 'd', 'points', 'viewBox', 'xmlns', 'version',
+			'preserveAspectRatio', 'opacity', 'fill-opacity', 'stroke-opacity'
+		],
+		FORBID_TAGS: ['script', 'iframe', 'object', 'embed', 'link', 'style', 'foreignObject', 'image', 'a'],
+		FORBID_ATTR: ['onerror', 'onload', 'onclick', 'onmouseover', 'onfocus', 'onblur', 'style', 'href', 'xlink:href'],
+		ALLOWED_URI_REGEXP: /^$/,
+		KEEP_CONTENT: false,
+		SAFE_FOR_TEMPLATES: true
+	});
+}
+
+/**
+ * Sanitize markdown-generated HTML with appropriate security rules
+ * This is a convenience wrapper for sanitizeHTML with markdown-specific settings
+ * @param {string} markdownHTML - HTML generated from markdown parsing
+ * @returns {string} - Sanitized HTML safe for rendering
+ */
+export function sanitizeMarkdown(markdownHTML) {
+	if (!markdownHTML || typeof markdownHTML !== 'string') {
+		return '';
+	}
+
+	// For markdown, we allow a broader set of tags but still sanitize
+	return DOMPurify.sanitize(markdownHTML, {
+		ALLOWED_TAGS: [
+			'a', 'abbr', 'b', 'blockquote', 'br', 'code', 'dd', 'del', 'div', 'dl', 'dt',
+			'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'hr', 'i', 'img', 'ins', 'kbd',
+			'li', 'mark', 'ol', 'p', 'pre', 'q', 's', 'samp', 'small', 'span', 'strong',
+			'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'u', 'ul',
+			'var', 'input', 'label'
+		],
+		ALLOWED_ATTR: [
+			'href', 'src', 'alt', 'title', 'class', 'id', 'target', 'rel',
+			'width', 'height', 'align', 'type', 'checked', 'disabled'
+		],
+		FORBID_TAGS: ['script', 'iframe', 'object', 'embed', 'link', 'style', 'form', 'button'],
+		FORBID_ATTR: ['onerror', 'onload', 'onclick', 'onmouseover', 'onfocus', 'onblur', 'onchange', 'onsubmit', 'style'],
+		ALLOWED_URI_REGEXP: /^(?:(?:https?|mailto|tel):)/i,
+		ALLOW_DATA_ATTR: false,
+		KEEP_CONTENT: true,
+		SAFE_FOR_TEMPLATES: true
+	});
+}
+
+/**
+ * Sanitize URL to prevent dangerous protocols
+ * @param {string} url - URL to sanitize
+ * @returns {string} - Sanitized URL (returns empty string if dangerous)
+ */
+export function sanitizeURL(url) {
+	if (!url || typeof url !== 'string') {
+		return '';
+	}
+
+	// Allow relative URLs
+	if (url.startsWith('/') || url.startsWith('./') || url.startsWith('../')) {
+		return url;
+	}
+
+	// Check for dangerous protocols
+	const dangerous = /^(javascript|data|vbscript|file|about):/i;
+	if (dangerous.test(url)) {
+		return '';
+	}
+
+	// Only allow safe protocols
+	const safe = /^(https?|mailto|tel):/i;
+	if (!safe.test(url)) {
+		// If no protocol, assume relative
+		if (!url.includes(':')) {
+			return url;
+		}
+		return '';
+	}
+
+	return url;
+}

package/dist/utils/validation.d.ts

@@ -0,0 +1,46 @@
+/**
+ * Validates file signature (magic bytes) to prevent MIME type spoofing
+ * @param {File} file - The file to validate
+ * @param {string} expectedType - Expected MIME type
+ * @returns {Promise<boolean>} True if file signature matches expected type
+ */
+export function validateFileSignature(file: File, expectedType: string): Promise<boolean>;
+/**
+ * Sanitizes objects to prevent prototype pollution attacks
+ * Recursively removes dangerous keys from objects
+ * @param {*} obj - Object to sanitize
+ * @returns {*} Sanitized object
+ */
+export function sanitizeObject(obj: any): any;
+/**
+ * Sanitizes filename to prevent injection attacks
+ * Removes dangerous characters and keywords
+ * @param {string} filename - Filename to sanitize
+ * @returns {string} Sanitized filename
+ */
+export function sanitizeFilename(filename: string): string;
+/**
+ * Enhanced path traversal prevention
+ * Validates that paths don't contain directory traversal attempts
+ * @param {string} path - Path to validate
+ * @returns {boolean} True if path is safe
+ */
+export function validatePath(path: string): boolean;
+/**
+ * Email validation (strengthened)
+ * @param {string} email - Email address to validate
+ * @returns {boolean} True if email is valid
+ */
+export function validateEmail(email: string): boolean;
+/**
+ * URL validation - only allows http/https protocols
+ * @param {string} url - URL to validate
+ * @returns {boolean} True if URL is valid
+ */
+export function validateURL(url: string): boolean;
+/**
+ * Slug validation - ensures URL-safe slugs
+ * @param {string} slug - Slug to validate
+ * @returns {boolean} True if slug is valid
+ */
+export function validateSlug(slug: string): boolean;

package/dist/utils/validation.js

@@ -0,0 +1,169 @@
+/**
+ * Security validation utilities for file uploads and input sanitization
+ * @module lib/utils/validation
+ */
+
+// File signature database for magic byte validation
+const FILE_SIGNATURES = {
+  'image/jpeg': [
+    [0xFF, 0xD8, 0xFF, 0xE0], // JPEG/JFIF
+    [0xFF, 0xD8, 0xFF, 0xE1], // JPEG/Exif
+    [0xFF, 0xD8, 0xFF, 0xE8]  // JPEG/SPIFF
+  ],
+  'image/png': [[0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A]],
+  'image/gif': [
+    [0x47, 0x49, 0x46, 0x38, 0x37, 0x61], // GIF87a
+    [0x47, 0x49, 0x46, 0x38, 0x39, 0x61]  // GIF89a
+  ],
+  'image/webp': [[0x52, 0x49, 0x46, 0x46]] // RIFF (WebP container)
+};
+
+/**
+ * Validates file signature (magic bytes) to prevent MIME type spoofing
+ * @param {File} file - The file to validate
+ * @param {string} expectedType - Expected MIME type
+ * @returns {Promise<boolean>} True if file signature matches expected type
+ */
+export async function validateFileSignature(file, expectedType) {
+  const buffer = new Uint8Array(await file.arrayBuffer());
+  const signatures = FILE_SIGNATURES[expectedType];
+
+  if (!signatures) return false;
+
+  return signatures.some(sig =>
+    sig.every((byte, i) => buffer[i] === byte)
+  );
+}
+
+// Dangerous object keys that can lead to prototype pollution
+const DANGEROUS_KEYS = ['__proto__', 'constructor', 'prototype'];
+
+/**
+ * Sanitizes objects to prevent prototype pollution attacks
+ * Recursively removes dangerous keys from objects
+ * @param {*} obj - Object to sanitize
+ * @returns {*} Sanitized object
+ */
+export function sanitizeObject(obj) {
+  if (typeof obj !== 'object' || obj === null) return obj;
+
+  // Handle arrays specially to preserve array type
+  if (Array.isArray(obj)) {
+    return Object.freeze(obj.map(item =>
+      typeof item === 'object' && item !== null ? sanitizeObject(item) : item
+    ));
+  }
+
+  const sanitized = {};
+
+  for (const [key, value] of Object.entries(obj)) {
+    // Check for dangerous keys (case-insensitive and with brackets)
+    const lowerKey = key.toLowerCase();
+    if (DANGEROUS_KEYS.includes(key) ||
+        DANGEROUS_KEYS.includes(lowerKey) ||
+        key.includes('[') ||
+        key.includes(']')) {
+      continue;
+    }
+
+    sanitized[key] = typeof value === 'object' && value !== null
+      ? sanitizeObject(value)
+      : value;
+  }
+
+  return Object.freeze(sanitized);
+}
+
+/**
+ * Sanitizes filename to prevent injection attacks
+ * Removes dangerous characters and keywords
+ * @param {string} filename - Filename to sanitize
+ * @returns {string} Sanitized filename
+ */
+export function sanitizeFilename(filename) {
+  if (!filename || typeof filename !== 'string') return '';
+
+  // Remove or replace dangerous characters
+  let clean = filename
+    .replace(/[<>:"\\|?*\x00-\x1F]/g, '') // Remove special chars
+    .replace(/\.\./g, '_') // Replace .. with _
+    .replace(/script/gi, '') // Remove 'script' (case-insensitive)
+    .replace(/javascript/gi, '') // Remove 'javascript'
+    .replace(/eval/gi, '') // Remove 'eval'
+    .replace(/\s+/g, '_') // Replace spaces with underscores
+    .replace(/^\.+/, '') // Remove leading dots
+    .trim();
+
+  // Ensure filename is not empty and has reasonable length
+  if (clean.length === 0) clean = 'file';
+  if (clean.length > 255) clean = clean.substring(0, 255);
+
+  return clean;
+}
+
+/**
+ * Enhanced path traversal prevention
+ * Validates that paths don't contain directory traversal attempts
+ * @param {string} path - Path to validate
+ * @returns {boolean} True if path is safe
+ */
+export function validatePath(path) {
+  if (!path || typeof path !== 'string') return false;
+
+  // Prevent path traversal with various encoding tricks
+  const normalized = path.toLowerCase().replace(/\\/g, '/');
+
+  // Check for directory traversal patterns
+  if (normalized.includes('..') ||
+      normalized.includes('//') ||
+      normalized.includes('%2e%2e') || // URL encoded ..
+      normalized.includes('..%2f') ||
+      normalized.includes('%2f..') ||
+      normalized.includes('0x2e0x2e') || // Hex encoded ..
+      normalized.match(/\.\.[\\/]/) ||
+      normalized.match(/[\\/]\.\./) ||
+      path.startsWith('/') || // Absolute paths
+      path.startsWith('\\')) {
+    return false;
+  }
+
+  // Only allow alphanumeric, dash, underscore, slash, dot (for extensions)
+  if (!/^[a-zA-Z0-9/_.-]+$/.test(path)) {
+    return false;
+  }
+
+  return true;
+}
+
+/**
+ * Email validation (strengthened)
+ * @param {string} email - Email address to validate
+ * @returns {boolean} True if email is valid
+ */
+export function validateEmail(email) {
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+  return emailRegex.test(email) && email.length < 255;
+}
+
+/**
+ * URL validation - only allows http/https protocols
+ * @param {string} url - URL to validate
+ * @returns {boolean} True if URL is valid
+ */
+export function validateURL(url) {
+  try {
+    const parsed = new URL(url);
+    return ['http:', 'https:'].includes(parsed.protocol);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Slug validation - ensures URL-safe slugs
+ * @param {string} slug - Slug to validate
+ * @returns {boolean} True if slug is valid
+ */
+export function validateSlug(slug) {
+  return /^[a-z0-9-]+$/.test(slug) && slug.length > 0 && slug.length < 200;
+}

package/dist/utils.d.ts

@@ -0,0 +1,5 @@
+import { type ClassValue } from "clsx";
+export declare function cn(...inputs: ClassValue[]): string;
+export type WithElementRef<T> = T & {
+    ref?: any;
+};

package/dist/utils.js

@@ -0,0 +1,5 @@
+import { clsx } from "clsx";
+import { twMerge } from "tailwind-merge";
+export function cn(...inputs) {
+    return twMerge(clsx(inputs));
+}

package/package.json

@@ -0,0 +1,129 @@
+{
+  "name": "@autumnsgrove/groveengine",
+  "version": "0.1.0",
+  "description": "Multi-tenant blog engine for Grove Platform. Features gutter annotations, markdown editing, magic code auth, and Cloudflare Workers deployment.",
+  "author": "AutumnsGrove",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/AutumnsGrove/GroveEngine.git",
+    "directory": "packages/engine"
+  },
+  "keywords": [
+    "blog",
+    "cms",
+    "sveltekit",
+    "cloudflare",
+    "multi-tenant"
+  ],
+  "type": "module",
+  "svelte": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "svelte": "./dist/index.js",
+      "default": "./dist/index.js"
+    },
+    "./components/custom/*": {
+      "types": "./dist/components/custom/*.svelte.d.ts",
+      "svelte": "./dist/components/custom/*.svelte"
+    },
+    "./components/admin/*": {
+      "types": "./dist/components/admin/*.svelte.d.ts",
+      "svelte": "./dist/components/admin/*.svelte"
+    },
+    "./components/gallery/*": {
+      "types": "./dist/components/gallery/*.svelte.d.ts",
+      "svelte": "./dist/components/gallery/*.svelte"
+    },
+    "./components/ui": {
+      "types": "./dist/components/ui/index.d.ts",
+      "svelte": "./dist/components/ui/index.js"
+    },
+    "./utils/*": {
+      "types": "./dist/utils/*.d.ts",
+      "default": "./dist/utils/*.js"
+    },
+    "./auth/*": {
+      "types": "./dist/auth/*.d.ts",
+      "default": "./dist/auth/*.js"
+    },
+    "./server/*": {
+      "types": "./dist/server/*.d.ts",
+      "default": "./dist/server/*.js"
+    },
+    "./payments": {
+      "types": "./dist/payments/index.d.ts",
+      "default": "./dist/payments/index.js"
+    },
+    "./payments/*": {
+      "types": "./dist/payments/*.d.ts",
+      "default": "./dist/payments/*.js"
+    }
+  },
+  "files": [
+    "dist",
+    "!dist/**/*.test.*"
+  ],
+  "scripts": {
+    "dev": "vite dev",
+    "dev:wrangler": "wrangler pages dev -- vite dev",
+    "build": "vite build",
+    "build:package": "svelte-kit sync && svelte-package -o dist",
+    "package": "svelte-kit sync && svelte-package -o dist",
+    "prepublishOnly": "npm run package",
+    "preview": "vite preview",
+    "audit": "npm audit --audit-level=moderate",
+    "audit:fix": "npm audit fix",
+    "check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json",
+    "check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
+    "test": "vitest",
+    "test:ui": "vitest --ui",
+    "test:run": "vitest run",
+    "test:security": "vitest run tests/security",
+    "test:coverage": "vitest run --coverage",
+    "test:watch": "vitest watch"
+  },
+  "peerDependencies": {
+    "svelte": "^5.0.0",
+    "@sveltejs/kit": "^2.0.0",
+    "tailwindcss": "^3.4.0"
+  },
+  "devDependencies": {
+    "@lucide/svelte": "^0.482.0",
+    "@sveltejs/adapter-cloudflare": "^7.2.4",
+    "@sveltejs/kit": "^2.5.28",
+    "@sveltejs/package": "^2.3.0",
+    "@sveltejs/vite-plugin-svelte": "^4.0.0",
+    "@tailwindcss/typography": "^0.5.19",
+    "@testing-library/jest-dom": "^6.9.1",
+    "@testing-library/svelte": "^5.2.9",
+    "@vitest/ui": "^4.0.14",
+    "autoprefixer": "^10.4.22",
+    "bits-ui": "^1.8.0",
+    "happy-dom": "^20.0.11",
+    "jsdom": "^27.2.0",
+    "postcss": "^8.5.6",
+    "svelte": "^5.1.9",
+    "svelte-check": "^4.0.0",
+    "tailwind-variants": "^0.2.1",
+    "tailwindcss": "^3.4.18",
+    "typescript": "^5.6.0",
+    "vite": "^5.4.10",
+    "vitest": "^4.0.14"
+  },
+  "dependencies": {
+    "@types/dompurify": "^3.0.5",
+    "chart.js": "^4.5.1",
+    "clsx": "^2.1.1",
+    "dompurify": "^3.3.0",
+    "gray-matter": "^4.0.3",
+    "isomorphic-dompurify": "^2.33.0",
+    "lucide-svelte": "^0.554.0",
+    "marked": "^17.0.1",
+    "mermaid": "^11.12.1",
+    "sonner": "^2.0.7",
+    "tailwind-merge": "^3.4.0"
+  }
+}