@bigbinary/neeto-playwright-commons 1.26.36 → 1.27.0

package/index.cjs.js

@@ -29096,9 +29096,10 @@ function requireAddressparser () {
 	 * Converts tokens for a single address into an address object
 	 *
 	 * @param {Array} tokens Tokens object
+	 * @param {Number} depth Current recursion depth for nested group protection
 	 * @return {Object} Address object
 	 */
-	function _handleAddress(tokens) {
+	function _handleAddress(tokens, depth) {
 	    let isGroup = false;
 	    let state = 'text';
 	    let address;
@@ -29179,7 +29180,7 @@ function requireAddressparser () {
 	        // Parse group members, but flatten any nested groups (RFC 5322 doesn't allow nesting)
 	        let groupMembers = [];
 	        if (data.group.length) {
-	            let parsedGroup = addressparser(data.group.join(','));
+	            let parsedGroup = addressparser(data.group.join(','), { _depth: depth + 1 });
 	            // Flatten: if any member is itself a group, extract its members into the sequence
 	            parsedGroup.forEach(member => {
 	                if (member.group) {
@@ -29389,6 +29390,13 @@ function requireAddressparser () {
 	    }
 	}
 
+	/**
+	 * Maximum recursion depth for parsing nested groups.
+	 * RFC 5322 doesn't allow nested groups, so this is a safeguard against
+	 * malicious input that could cause stack overflow.
+	 */
+	const MAX_NESTED_GROUP_DEPTH = 50;
+
 	/**
 	 * Parses structured e-mail addresses from an address field
 	 *
@@ -29401,10 +29409,18 @@ function requireAddressparser () {
 	 *     [{name: 'Name', address: 'address@domain'}]
 	 *
 	 * @param {String} str Address field
+	 * @param {Object} options Optional options object
+	 * @param {Number} options._depth Internal recursion depth counter (do not set manually)
 	 * @return {Array} An array of address objects
 	 */
 	function addressparser(str, options) {
 	    options = options || {};
+	    let depth = options._depth || 0;
+
+	    // Prevent stack overflow from deeply nested groups (DoS protection)
+	    if (depth > MAX_NESTED_GROUP_DEPTH) {
+	        return [];
+	    }
 
 	    let tokenizer = new Tokenizer(str);
 	    let tokens = tokenizer.tokenize();
@@ -29429,7 +29445,7 @@ function requireAddressparser () {
 	    }
 
 	    addresses.forEach(address => {
-	        address = _handleAddress(address);
+	        address = _handleAddress(address, depth);
 	        if (address.length) {
 	            parsedAddresses = parsedAddresses.concat(address);
 	        }
@@ -40941,6 +40957,8 @@ function requireStreams () {
 	return streams;
 }
 
+lib$a.exports;
+
 var hasRequiredLib$a;
 
 function requireLib$a () {
@@ -40952,22 +40970,21 @@ function requireLib$a () {
 
 		var bomHandling = requireBomHandling();
 		var mergeModules = requireMergeExports();
-		var iconv = module.exports;
 
 		// All codecs and aliases are kept here, keyed by encoding name/alias.
 		// They are lazy loaded in `iconv.getCodec` from `encodings/index.js`.
 		// Cannot initialize with { __proto__: null } because Boolean({ __proto__: null }) === true
-		iconv.encodings = null;
+		module.exports.encodings = null;
 
 		// Characters emitted in case of error.
-		iconv.defaultCharUnicode = "�";
-		iconv.defaultCharSingleByte = "?";
+		module.exports.defaultCharUnicode = "�";
+		module.exports.defaultCharSingleByte = "?";
 
 		// Public API.
-		iconv.encode = function encode (str, encoding, options) {
+		module.exports.encode = function encode (str, encoding, options) {
 		  str = "" + (str || ""); // Ensure string.
 
-		  var encoder = iconv.getEncoder(encoding, options);
+		  var encoder = module.exports.getEncoder(encoding, options);
 
 		  var res = encoder.write(str);
 		  var trail = encoder.end();
@@ -40975,17 +40992,17 @@ function requireLib$a () {
 		  return (trail && trail.length > 0) ? Buffer.concat([res, trail]) : res
 		};
 
-		iconv.decode = function decode (buf, encoding, options) {
+		module.exports.decode = function decode (buf, encoding, options) {
 		  if (typeof buf === "string") {
-		    if (!iconv.skipDecodeWarning) {
+		    if (!module.exports.skipDecodeWarning) {
 		      console.error("Iconv-lite warning: decode()-ing strings is deprecated. Refer to https://github.com/ashtuchkin/iconv-lite/wiki/Use-Buffers-when-decoding");
-		      iconv.skipDecodeWarning = true;
+		      module.exports.skipDecodeWarning = true;
 		    }
 
 		    buf = Buffer.from("" + (buf || ""), "binary"); // Ensure buffer.
 		  }
 
-		  var decoder = iconv.getDecoder(encoding, options);
+		  var decoder = module.exports.getDecoder(encoding, options);
 
 		  var res = decoder.write(buf);
 		  var trail = decoder.end();
@@ -40993,9 +41010,9 @@ function requireLib$a () {
 		  return trail ? (res + trail) : res
 		};
 
-		iconv.encodingExists = function encodingExists (enc) {
+		module.exports.encodingExists = function encodingExists (enc) {
 		  try {
-		    iconv.getCodec(enc);
+		    module.exports.getCodec(enc);
 		    return true
 		  } catch (e) {
 		    return false
@@ -41003,31 +41020,31 @@ function requireLib$a () {
 		};
 
 		// Legacy aliases to convert functions
-		iconv.toEncoding = iconv.encode;
-		iconv.fromEncoding = iconv.decode;
+		module.exports.toEncoding = module.exports.encode;
+		module.exports.fromEncoding = module.exports.decode;
 
 		// Search for a codec in iconv.encodings. Cache codec data in iconv._codecDataCache.
-		iconv._codecDataCache = { __proto__: null };
+		module.exports._codecDataCache = { __proto__: null };
 
-		iconv.getCodec = function getCodec (encoding) {
-		  if (!iconv.encodings) {
+		module.exports.getCodec = function getCodec (encoding) {
+		  if (!module.exports.encodings) {
 		    var raw = requireEncodings();
 		    // TODO: In future versions when old nodejs support is removed can use object.assign
-		    iconv.encodings = { __proto__: null }; // Initialize as empty object.
-		    mergeModules(iconv.encodings, raw);
+		    module.exports.encodings = { __proto__: null }; // Initialize as empty object.
+		    mergeModules(module.exports.encodings, raw);
 		  }
 
 		  // Canonicalize encoding name: strip all non-alphanumeric chars and appended year.
-		  var enc = iconv._canonicalizeEncoding(encoding);
+		  var enc = module.exports._canonicalizeEncoding(encoding);
 
 		  // Traverse iconv.encodings to find actual codec.
 		  var codecOptions = {};
 		  while (true) {
-		    var codec = iconv._codecDataCache[enc];
+		    var codec = module.exports._codecDataCache[enc];
 
 		    if (codec) { return codec }
 
-		    var codecDef = iconv.encodings[enc];
+		    var codecDef = module.exports.encodings[enc];
 
 		    switch (typeof codecDef) {
 		      case "string": // Direct alias to other encoding.
@@ -41048,9 +41065,9 @@ function requireLib$a () {
 		        // The codec function must load all tables and return object with .encoder and .decoder methods.
 		        // It'll be called only once (for each different options object).
 		        //
-		        codec = new codecDef(codecOptions, iconv);
+		        codec = new codecDef(codecOptions, module.exports);
 
-		        iconv._codecDataCache[codecOptions.encodingName] = codec; // Save it to be reused later.
+		        module.exports._codecDataCache[codecOptions.encodingName] = codec; // Save it to be reused later.
 		        return codec
 
 		      default:
@@ -41059,13 +41076,13 @@ function requireLib$a () {
 		  }
 		};
 
-		iconv._canonicalizeEncoding = function (encoding) {
+		module.exports._canonicalizeEncoding = function (encoding) {
 		  // Canonicalize encoding name: strip all non-alphanumeric chars and appended year.
 		  return ("" + encoding).toLowerCase().replace(/:\d{4}$|[^0-9a-z]/g, "")
 		};
 
-		iconv.getEncoder = function getEncoder (encoding, options) {
-		  var codec = iconv.getCodec(encoding);
+		module.exports.getEncoder = function getEncoder (encoding, options) {
+		  var codec = module.exports.getCodec(encoding);
 		  var encoder = new codec.encoder(options, codec);
 
 		  if (codec.bomAware && options && options.addBOM) { encoder = new bomHandling.PrependBOM(encoder, options); }
@@ -41073,8 +41090,8 @@ function requireLib$a () {
 		  return encoder
 		};
 
-		iconv.getDecoder = function getDecoder (encoding, options) {
-		  var codec = iconv.getCodec(encoding);
+		module.exports.getDecoder = function getDecoder (encoding, options) {
+		  var codec = module.exports.getCodec(encoding);
 		  var decoder = new codec.decoder(options, codec);
 
 		  if (codec.bomAware && !(options && options.stripBOM === false)) { decoder = new bomHandling.StripBOM(decoder, options); }
@@ -41087,26 +41104,26 @@ function requireLib$a () {
 		// up to 100Kb to the output bundle. To avoid unnecessary code bloat, we don't enable Streaming API in browser by default.
 		// If you would like to enable it explicitly, please add the following code to your app:
 		// > iconv.enableStreamingAPI(require('stream'));
-		iconv.enableStreamingAPI = function enableStreamingAPI (streamModule) {
-		  if (iconv.supportsStreams) { return }
+		module.exports.enableStreamingAPI = function enableStreamingAPI (streamModule) {
+		  if (module.exports.supportsStreams) { return }
 
 		  // Dependency-inject stream module to create IconvLite stream classes.
 		  var streams = requireStreams()(streamModule);
 
 		  // Not public API yet, but expose the stream classes.
-		  iconv.IconvLiteEncoderStream = streams.IconvLiteEncoderStream;
-		  iconv.IconvLiteDecoderStream = streams.IconvLiteDecoderStream;
+		  module.exports.IconvLiteEncoderStream = streams.IconvLiteEncoderStream;
+		  module.exports.IconvLiteDecoderStream = streams.IconvLiteDecoderStream;
 
 		  // Streaming API.
-		  iconv.encodeStream = function encodeStream (encoding, options) {
-		    return new iconv.IconvLiteEncoderStream(iconv.getEncoder(encoding, options), options)
+		  module.exports.encodeStream = function encodeStream (encoding, options) {
+		    return new module.exports.IconvLiteEncoderStream(module.exports.getEncoder(encoding, options), options)
 		  };
 
-		  iconv.decodeStream = function decodeStream (encoding, options) {
-		    return new iconv.IconvLiteDecoderStream(iconv.getDecoder(encoding, options), options)
+		  module.exports.decodeStream = function decodeStream (encoding, options) {
+		    return new module.exports.IconvLiteDecoderStream(module.exports.getDecoder(encoding, options), options)
 		  };
 
-		  iconv.supportsStreams = true;
+		  module.exports.supportsStreams = true;
 		};
 
 		// Enable Streaming API automatically if 'stream' module is available and non-empty (the majority of environments).
@@ -41116,10 +41133,10 @@ function requireLib$a () {
 		} catch (e) {}
 
 		if (streamModule && streamModule.Transform) {
-		  iconv.enableStreamingAPI(streamModule);
+		  module.exports.enableStreamingAPI(streamModule);
 		} else {
 		  // In rare cases where 'stream' module is not available by default, throw a helpful exception.
-		  iconv.encodeStream = iconv.decodeStream = function () {
+		  module.exports.encodeStream = module.exports.decodeStream = function () {
 		    throw new Error("iconv-lite Streaming API is not enabled. Use iconv.enableStreamingAPI(require('stream')); to enable it.")
 		  };
 		}
@@ -51196,7 +51213,6 @@ var require$$11 = [
 	"drive",
 	"dtv",
 	"dubai",
-	"dunlop",
 	"dupont",
 	"durban",
 	"dvag",
@@ -53428,7 +53444,11 @@ function requireMailParser () {
 	                            result.push(textPart);
 	                        }
 
-	                        result.push(`<a href="${link.url}">${link.text}</a>`);
+	                        // Escape quotes in URL to prevent XSS
+	                        let safeUrl = link.url.replace(/"/g, '&quot;');
+	                        // Escape HTML entities in link text
+	                        let safeText = he.encode(link.text, { useNamedReferences: true });
+	                        result.push(`<a href="${safeUrl}">${safeText}</a>`);
 
 	                        last = link.lastIndex;
 	                    });