@blamejs/core 0.8.0 → 0.8.4

package/lib/crypto.js

@@ -164,7 +164,26 @@ function verify(data, signature, publicKeyPem) {
 function encrypt(plaintext, publicKeys) {
   var mlkemPubPem = typeof publicKeys === "string" ? publicKeys : publicKeys.publicKey;
   var ecPubPem = typeof publicKeys === "string" ? null : publicKeys.ecPublicKey;
-  if (!ecPubPem) return encryptMlkemOnly(plaintext, mlkemPubPem);
+  if (!ecPubPem) {
+    // Operator passed only an ML-KEM public key — silently dropping
+    // the P-384 hybrid leg means the operator's defense-in-depth
+    // posture (classical ECDH backstop on top of PQC KEM) is gone
+    // without any signal. Emit on next tick (crypto must not import
+    // audit synchronously — audit imports crypto for chain hashing).
+    // Operators who genuinely want KEM-only should call
+    // encryptMlkemOnly explicitly so this audit doesn't fire.
+    setImmediate(function () {
+      try {
+        var auditMod = require("./audit");                                          // allow:inline-require — circular-load defense (audit imports crypto)
+        auditMod.safeEmit({
+          action:   "system.crypto.hybrid_disabled",
+          outcome:  "success",
+          metadata: { reason: "no-ec-public-key", note: "encrypt() received only mlkem; ecPublicKey absent — call encryptMlkemOnly explicitly to silence" },
+        });
+      } catch (_e) { /* drop-silent — best-effort */ }
+    });
+    return encryptMlkemOnly(plaintext, mlkemPubPem);
+  }
 
   var mlkemPub = nodeCrypto.createPublicKey(mlkemPubPem);
   var kem = nodeCrypto.encapsulate(mlkemPub);
@@ -518,6 +537,65 @@ function decryptEnvelopeAsCertPeer(envelope, opts) {
 // Operator-audit accessor — exposes every supported KEM hybrid for
 // compliance audit visibility ("which envelopes does this deploy
 // accept on decrypt?").
+// ---- Certificate fingerprint helpers ----
+//
+// Operators pinning peer-cert fingerprints (mtls bootstrap, webhook
+// verification, certificate transparency cross-checks) want a stable
+// SHA3-512 hash of the DER bytes plus a colon-separated hex form that
+// matches what most operator tooling renders for X.509 fingerprints.
+// hashCertFingerprint accepts either a Buffer (DER) or a PEM string;
+// if PEM, the BEGIN/END envelope is stripped and the base64 body is
+// decoded before hashing. The hash is the framework's standard SHA3-
+// 512 (not SHA-256 — operators using OpenSSL's `-sha256` defaults can
+// keep their own SHA-256 hashes, this primitive is the framework-
+// canonical form). Returns { hex, colon } so callers can compare
+// against either rendering.
+function _pemToDer(pemOrDer) {
+  if (Buffer.isBuffer(pemOrDer)) return pemOrDer;
+  if (typeof pemOrDer !== "string") {
+    throw new TypeError("crypto.hashCertFingerprint: input must be a Buffer (DER) or a PEM-encoded string");
+  }
+  var match = pemOrDer.match(/-----BEGIN [A-Z0-9 ]+-----([\s\S]+?)-----END [A-Z0-9 ]+-----/);
+  if (!match) {
+    throw new TypeError("crypto.hashCertFingerprint: PEM input lacks BEGIN/END markers");
+  }
+  return Buffer.from(match[1].replace(/\s+/g, ""), "base64");
+}
+function hashCertFingerprint(pemOrDer) {
+  var der = _pemToDer(pemOrDer);
+  var digest = hash(der, "sha3-512");
+  var hex = digest.toString("hex");
+  // Colon-separated, uppercase — matches openssl x509 -fingerprint
+  // output style (which is SHA-1 by default, but the rendering shape
+  // operators expect is the same).
+  var colon = hex.toUpperCase().match(/.{2}/g).join(":");
+  return { hex: hex, colon: colon };
+}
+// Compares a peer's PEM/DER cert against an allowlist of pinned
+// fingerprints. Allowlist entries may be the colon form, the lower-
+// case hex form, or both — every comparison runs through
+// timingSafeEqual to avoid leaking which entry matched.
+function isCertRevoked(pemOrDer, denyList) {
+  if (!Array.isArray(denyList)) {
+    throw new TypeError("crypto.isCertRevoked: denyList must be an array of fingerprint strings");
+  }
+  var fp = hashCertFingerprint(pemOrDer);
+  var fpHex = Buffer.from(fp.hex, "hex");
+  var fpColon = Buffer.from(fp.colon);
+  for (var i = 0; i < denyList.length; i++) {
+    var entry = denyList[i];
+    if (typeof entry !== "string" || entry.length === 0) continue;
+    var normalized = entry.indexOf(":") !== -1 ? entry.toUpperCase() : entry.toLowerCase();
+    var normalizedBuf = entry.indexOf(":") !== -1 ? Buffer.from(normalized) : Buffer.from(normalized, "hex");
+    var compareBuf  = entry.indexOf(":") !== -1 ? fpColon : fpHex;
+    if (normalizedBuf.length === compareBuf.length &&
+        nodeCrypto.timingSafeEqual(normalizedBuf, compareBuf)) {
+      return true;
+    }
+  }
+  return false;
+}
+
 var SUPPORTED_KEM_ALGORITHMS = Object.freeze([
   { id: "ml-kem-1024",          envelopeId: C.KEM_IDS.ML_KEM_1024,        description: "ML-KEM-1024 KEM-only (legacy single-component)" },
   { id: "ml-kem-1024-p384",     envelopeId: C.KEM_IDS.ML_KEM_1024_P384,   description: "ML-KEM-1024 + ECDH P-384 hybrid (framework default)" },
@@ -532,6 +610,9 @@ module.exports = {
   kdf:                         kdf,
   // Comparison
   timingSafeEqual:             timingSafeEqual,
+  // Cert fingerprint helpers
+  hashCertFingerprint:         hashCertFingerprint,
+  isCertRevoked:               isCertRevoked,
   // Random
   generateBytes:               generateBytes,
   generateToken:               generateToken,

package/lib/db.js

@@ -585,7 +585,21 @@ function decryptToTmp() {
   }
   var packed = fs.readFileSync(encPath);
   if (packed.length < 26) return; // too short to be a valid envelope
-  atomicFile.writeSync(dbPath, decryptPacked(packed, encKey));
+  // AAD binds the envelope to this deployment's data dir so two
+  // installs sharing the same operator passphrase can't swap each
+  // other's db.enc files. Backwards-compat: if the AAD-bound decrypt
+  // fails, retry without AAD for envelopes written by pre-AAD
+  // versions (one-release transition window).
+  var aad = _dbEncAad(dataDir);
+  try {
+    atomicFile.writeSync(dbPath, decryptPacked(packed, encKey, aad));
+  } catch (_e) {
+    atomicFile.writeSync(dbPath, decryptPacked(packed, encKey));
+  }
+}
+
+function _dbEncAad(dir) {
+  return Buffer.from("blamejs.db-enc.v1\0" + (dir || ""), "utf8");
 }
 
 function encryptToDisk() {
@@ -593,7 +607,7 @@ function encryptToDisk() {
   // Force WAL checkpoint so the .db file holds all committed transactions.
   try { runSql(database, "PRAGMA wal_checkpoint(TRUNCATE)"); } catch (_e) { /* best effort */ }
   if (!fs.existsSync(dbPath)) return;
-  atomicFile.writeSync(encPath, encryptPacked(fs.readFileSync(dbPath), encKey));
+  atomicFile.writeSync(encPath, encryptPacked(fs.readFileSync(dbPath), encKey, _dbEncAad(dataDir)));
 }
 
 // Remove the plaintext DB + WAL/SHM sidecar files. On Windows these can't be
@@ -691,6 +705,23 @@ async function init(opts) {
   // dominates with audit-chain emissions and cascade fan-out.
   runSql(database, "PRAGMA secure_delete=ON");
 
+  // Boot-time integrity check — refuse to boot on B-tree corruption.
+  // SQLite normally surfaces corruption only when a query stumbles on
+  // a bad page; that's a "first failure during request handling"
+  // surface, not a clean fail-closed boot. integrity_check is fast on
+  // the freshly-decrypted-into-tmpfs file (<1 second on a typical
+  // multi-MB DB) and the result is "ok" or a list of issues.
+  if (opts.skipBootIntegrityCheck !== true) {
+    var ic = database.prepare("PRAGMA integrity_check").all();
+    var icIssues = ic.map(function (r) { return r && r.integrity_check; })
+                     .filter(function (s) { return s && s !== "ok"; });
+    if (icIssues.length > 0) {
+      throw new DbError("db/integrity-check-failed",
+        "PRAGMA integrity_check at boot reported " + icIssues.length +
+        " issue(s): " + icIssues.slice(0, 3).join("; "));
+    }
+  }
+
   // PRAGMA integrity_check — refuse boot on B-tree corruption (per
   // audit-batch finding). SQLite returns "ok" for a healthy database;
   // any other result means corruption. Catching it at boot beats
@@ -1264,7 +1295,7 @@ module.exports = {
         catch (_e) { /* drop-silent */ }
         if (auditOn) {
           try { audit.safeEmit({
-            action: "system.db.integrity_ok", outcome: "ok", metadata: {},
+            action: "system.db.integrity_ok", outcome: "success", metadata: {},
           }); } catch (_e) { /* drop-silent */ }
         }
         return;
@@ -1274,7 +1305,7 @@ module.exports = {
       catch (_e) { /* drop-silent */ }
       if (auditOn) {
         try { audit.safeEmit({
-          action: "system.db.integrity_corrupt", outcome: "fail",
+          action: "system.db.integrity_corrupt", outcome: "failure",
           metadata: { issueCount: issues.length },
         }); } catch (_e) { /* drop-silent */ }
       }

package/lib/dev.js

@@ -48,13 +48,24 @@
  */
 
 var path = require("path");
-var childProcess = require("child_process");
 var fs = require("fs");
+var lazyRequire = require("./lazy-require");
 var logModule = require("./log");
 var nb = require("./numeric-bounds");
+var safeEnv = require("./parsers/safe-env");
 var validateOpts = require("./validate-opts");
 var { FrameworkError } = require("./framework-error");
 
+// child_process is required ONLY when dev.create() is actually
+// called — not at module load. The dev primitive spawns subprocesses
+// (nodemon-style restart loop) by design; isolating the dependency
+// behind lazy-load means a production process that never calls
+// b.dev.create() never loads child_process, and supply-chain scanners
+// inspecting a deployed bundle don't see it as a top-level dep of an
+// otherwise hermetic framework. Production deployments additionally
+// refuse to construct dev.create() — see _refuseInProduction below.
+var childProcess = lazyRequire(function () { return require("child_process"); });
+
 class DevError extends FrameworkError {
   constructor(code, message) {
     super(message, code);
@@ -123,9 +134,25 @@ function create(opts) {
   var env          = opts.env || process.env;
   var cwd          = opts.cwd || process.cwd();
 
-  // Test seams
+  // dev.create() is intended for development-mode use only —
+  // restarting subprocesses on file change is a feature operators
+  // run on their laptop, never in production. Refusing here means a
+  // mis-configured production deployment that accidentally wires the
+  // dev primitive crashes loudly at boot rather than spawning shells
+  // on every save. Operators with a legitimate cross-cutting need
+  // (e.g. a CI runner that uses dev() to drive end-to-end tests)
+  // explicitly opt in via opts.allowProduction with an audited reason.
+  if (safeEnv.readVar("NODE_ENV") === "production" && !opts.allowProduction) {
+    throw new DevError("dev/refused-in-production",
+      "b.dev.create: dev mode refuses to load when NODE_ENV=production. " +
+      "Set opts.allowProduction:true with an audited reason if a non-dev " +
+      "context legitimately needs subprocess spawn-on-watch behaviour.");
+  }
+
+  // Test seams. childProcess is lazily-required; calling spawn here
+  // pulls in node's child_process module on first dev.create() use.
   var spawnFn = opts._spawn || function (cmd, sargs, sopts) {
-    return childProcess.spawn(cmd, sargs, sopts);
+    return childProcess().spawn(cmd, sargs, sopts);
   };
   var watchFn = opts._watch || function (dir, wopts, listener) {
     return fs.watch(dir, wopts, listener);

package/lib/dual-control.js

@@ -186,7 +186,25 @@ function create(opts) {
     if (!approverRoles) return true;
     if (!actor || !Array.isArray(actor.roles)) return false;
     for (var i = 0; i < approverRoles.length; i++) {
-      if (actor.roles.indexOf(approverRoles[i]) !== -1) return true;
+      var required = approverRoles[i];
+      // Wildcard match — actor's "security:*" satisfies a required
+      // "security:officer" (matching the b.permissions.match
+      // semantics elsewhere in the framework). Without this, an
+      // operator with a wildcard-shaped role can't approve dual-
+      // control flows even when b.permissions would consider the
+      // role assignment satisfied.
+      for (var j = 0; j < actor.roles.length; j++) {
+        var actorRole = actor.roles[j];
+        if (actorRole === required) return true;
+        if (typeof actorRole === "string" &&
+            actorRole.length > 0 &&
+            actorRole.charAt(actorRole.length - 1) === "*") {
+          var prefix = actorRole.slice(0, -1);
+          if (typeof required === "string" && required.indexOf(prefix) === 0) {
+            return true;
+          }
+        }
+      }
     }
     return false;
   }

package/lib/external-db.js

@@ -570,6 +570,16 @@ function _buildSessionGucsStatements(sessionGucs) {
       // Postgres SET accepts on/off/true/false — render true/false.
       literal = value ? "true" : "false";
     } else if (typeof value === "string") {
+      // Cap the value length so an operator-controlled tenant_id of
+      // 100 KB doesn't hit Postgres' SET LOCAL parser with payload
+      // that bloats query logs and consumes max_stack_depth. The cap
+      // is generous for legitimate tenant identifiers but rejects
+      // amplification.
+      if (value.length > C.BYTES.kib(4)) {
+        throw _err("INVALID_SESSION_GUCS",
+          "sessionGucs['" + name + "']: value exceeds 4 KiB cap (got " +
+          value.length + " chars)", true);
+      }
       literal = "'" + value.replace(/'/g, "''") + "'";
     } else if (value === null || value === undefined) {
       throw _err("INVALID_SESSION_GUCS",

package/lib/file-upload.js

@@ -763,7 +763,7 @@ function create(opts) {
     return { paths: paths, totalBytes: totalBytes, totalHashHex: totalHashHex };
   }
 
-  function _checkAllowedFileType(firstChunkBody) {
+  function _checkAllowedFileType(firstChunkBody, claimedMime) {
     if (!allowedFileTypes || allowedFileTypes.length === 0) return;
     if (!fileType) return;   // create() guards this; defensive
     var detected = fileType.detect(firstChunkBody);
@@ -787,6 +787,30 @@ function create(opts) {
         "fileUpload.finalize: detected MIME '" + detectedMime +
         "' not in allowedFileTypes (" + allowedFileTypes.join(", ") + ")");
     }
+    // Cross-check claimed MIME (Content-Type header) against detected
+    // magic bytes. When both exist and disagree, refuse — downstream
+    // renderers / storage layers that trust metadata.contentType
+    // (CDN cache routing, MIME-sniff fallbacks, attachment-disposition
+    // decisions) will mis-handle the file. The strict-MIME check is
+    // load-bearing for image-pipelines that pass to image processors:
+    // a "image/png" claim with PDF magic bytes lands in image-rendering
+    // code-paths that will exec PDF parsers with surprising semantics.
+    if (claimedMime && typeof claimedMime === "string" && claimedMime.indexOf("/") !== -1) {
+      var claimedNormalized = claimedMime.split(";")[0].trim().toLowerCase();
+      if (claimedNormalized && claimedNormalized !== detectedMime) {
+        // Wildcard / family acceptance: "image/jpeg" claim + "image/jpg"
+        // detect (synonyms) is OK; "image/png" claim + "image/jpeg"
+        // detect is NOT.
+        var claimedFamily = claimedNormalized.split("/")[0];
+        var detectedFamily = detectedMime.split("/")[0];
+        if (claimedFamily !== detectedFamily) {
+          throw _err("MIME_CLAIM_MISMATCH",
+            "fileUpload.finalize: claimed Content-Type '" + claimedNormalized +
+            "' disagrees with detected magic-byte MIME '" + detectedMime +
+            "'. Refusing to proceed with mis-typed file.");
+        }
+      }
+    }
   }
 
   function _streamFromChunkPaths(paths /* totalBytes */) {
@@ -842,8 +866,11 @@ function create(opts) {
       firstChunk = pieces[0];
     }
 
-    // MIME allowlist gate (if configured).
-    try { _checkAllowedFileType(firstChunk); }
+    // MIME allowlist gate (if configured). Pass the operator-supplied
+    // contentType from upload metadata so the cross-check can refuse
+    // claimed-vs-detected mismatches.
+    var claimedMime = (meta && meta.metadata && meta.metadata.contentType) || null;
+    try { _checkAllowedFileType(firstChunk, claimedMime); }
     catch (e) {
       _emitObs("fileUpload.mime_rejected", 1);
       _emitAudit("fileUpload.finalize", {

package/lib/flag.js

@@ -98,7 +98,7 @@ function create(opts) {
     try {
       audit().safeEmit({
         action:   "flag.evaluation.error",
-        outcome:  "fail",
+        outcome:  "failure",
         actor:    { targetingKey: ctx && ctx.targetingKey || null },
         metadata: {
           flagKey: flagKey,

package/lib/guard-all.js

@@ -116,8 +116,16 @@ var SHARED_POSTURES = Object.freeze(["hipaa", "pci-dss", "gdpr", "soc2"]);
 
 function _verifyParity() {
   var failures = [];
-  for (var i = 0; i < GUARDS.length; i += 1) {
-    var g = GUARDS[i];
+  // Walk both registries — content guards (with MIME_TYPES + EXTENSIONS)
+  // and standalone guards (filename / domain / uuid / cidr / time /
+  // mime / jwt / oauth / graphql / shell / regex / jsonpath / template /
+  // image / pdf / auth). Standalone guards skip the MIME/EXTENSION
+  // checks but every guard MUST declare the shared profile + posture
+  // vocabulary so b.guardAll.allGuards() returns a uniform surface.
+  var allGuards = GUARDS.concat(STANDALONE_GUARDS);
+  for (var i = 0; i < allGuards.length; i += 1) {
+    var g = allGuards[i];
+    var isContent = i < GUARDS.length;
     if (!g || typeof g !== "object") {
       failures.push("guard at index " + i + " is not an exported module object");
       continue;
@@ -126,11 +134,13 @@ function _verifyParity() {
       failures.push("guard at index " + i + ": missing NAME export");
       continue;
     }
-    if (!Array.isArray(g.MIME_TYPES) || g.MIME_TYPES.length === 0) {
-      failures.push(g.NAME + ": missing or empty MIME_TYPES export");
-    }
-    if (!Array.isArray(g.EXTENSIONS) || g.EXTENSIONS.length === 0) {
-      failures.push(g.NAME + ": missing or empty EXTENSIONS export");
+    if (isContent) {
+      if (!Array.isArray(g.MIME_TYPES) || g.MIME_TYPES.length === 0) {
+        failures.push(g.NAME + ": missing or empty MIME_TYPES export");
+      }
+      if (!Array.isArray(g.EXTENSIONS) || g.EXTENSIONS.length === 0) {
+        failures.push(g.NAME + ": missing or empty EXTENSIONS export");
+      }
     }
     if (typeof g.gate !== "function") {
       failures.push(g.NAME + ": missing gate(opts) function");
@@ -146,27 +156,34 @@ function _verifyParity() {
       }
     });
   }
-  // Detect duplicate NAMEs / MIME_TYPES / EXTENSIONS — would cause silent
-  // override in the aggregated gate map; surface at boot instead.
+  // Detect duplicate NAMEs across the full registry (both content +
+  // standalone) so a future guard with a NAME collision surfaces at
+  // boot instead of silently overriding _byName lookups. MIME / EXT
+  // collision detection stays scoped to content guards (standalone
+  // guards have no MIME/EXTENSIONS).
   var nameSeen = Object.create(null);
   var mimeSeen = Object.create(null);
   var extSeen  = Object.create(null);
-  for (var j = 0; j < GUARDS.length; j += 1) {
-    var gg = GUARDS[j];
+  for (var j = 0; j < allGuards.length; j += 1) {
+    var gg = allGuards[j];
     if (gg && gg.NAME) {
-      if (nameSeen[gg.NAME]) failures.push("duplicate NAME " + JSON.stringify(gg.NAME));
+      if (nameSeen[gg.NAME]) failures.push("duplicate NAME " + JSON.stringify(gg.NAME) +
+                                            " across the full guard registry");
       nameSeen[gg.NAME] = true;
     }
-    if (gg && Array.isArray(gg.MIME_TYPES)) {
-      gg.MIME_TYPES.forEach(function (m) {
+  }
+  for (var jc = 0; jc < GUARDS.length; jc += 1) {
+    var ggc = GUARDS[jc];
+    if (ggc && Array.isArray(ggc.MIME_TYPES)) {
+      ggc.MIME_TYPES.forEach(function (m) {
         var k = String(m).toLowerCase();
         if (mimeSeen[k]) failures.push("duplicate MIME_TYPE " + JSON.stringify(k) +
                                        " across multiple guards");
         mimeSeen[k] = true;
       });
     }
-    if (gg && Array.isArray(gg.EXTENSIONS)) {
-      gg.EXTENSIONS.forEach(function (e) {
+    if (ggc && Array.isArray(ggc.EXTENSIONS)) {
+      ggc.EXTENSIONS.forEach(function (e) {
         var k = String(e).toLowerCase();
         if (extSeen[k]) failures.push("duplicate EXTENSION " + JSON.stringify(k) +
                                       " across multiple guards");

package/lib/guard-csv.js

@@ -360,7 +360,20 @@ function _detectIssues(text, opts) {
   }
 
   if (opts.formulaInjectionPolicy !== "audit-only" && opts.formulaInjectionPolicy !== "allow") {
-    var formulaMatch = _firstMatch(text, FORMULA_SCAN_RE);
+    // Strip ZWSP / RTLO / LRM / RLM / BOM at cell-start before the
+    // formula scan. Without this, a cell beginning with U+200B (zero-
+    // width space), U+202E (RTLO), U+200E/F (LTR/RTL marks), or U+FEFF
+    // (BOM) followed by `=` slips past the start-anchor check (the `^`
+    // sits before the codepoint, not after) and the formula reaches
+    // the spreadsheet evaluator. Browsers + Excel + Sheets all strip
+    // these silently — operator users see "=SUM(...)" rendered, the
+    // file shipped a hidden bidi prefix that bypassed the scanner.
+    // U+200B-200F (ZWSP / ZWNJ / ZWJ / LRM / RLM) +
+    // U+202A-202E (LRE / RLE / PDF / LRO / RLO) +
+    // U+2066-2069 (LRI / RLI / FSI / PDI) +
+    // U+FEFF (BOM)                                                     // allow:dynamic-regex — explicit codepoints, no operator input
+    var stripped = text.replace(new RegExp("^[\\u200B-\\u200F\\u202A-\\u202E\\u2066-\\u2069\\uFEFF]+"), "");
+    var formulaMatch = _firstMatch(stripped, FORMULA_SCAN_RE);
     if (formulaMatch) {
       issues.push({
         kind: "formula-prefix-cell", severity: "critical",
@@ -368,7 +381,8 @@ function _detectIssues(text, opts) {
         location: formulaMatch.index,
         snippet: "cell beginning with formula trigger " +
                  JSON.stringify(formulaMatch.char.slice(-1)) +
-                 " at byte " + formulaMatch.index,
+                 " at byte " + formulaMatch.index +
+                 (stripped.length !== text.length ? " (after stripping leading bidi/zero-width prefix)" : ""),
       });
     }
   }

package/lib/guard-html.js

@@ -402,6 +402,30 @@ function escapeAttr(value) {
     .replace(/=/g, "=");
 }
 
+// HTML5 named entities that decode to ASCII codepoints — focused on
+// the entries browsers honor inside URL contexts (whitespace, control
+// chars, scheme-significant punctuation). The full WHATWG named-
+// character-reference table is ~2,231 entries; this is the
+// security-load-bearing subset documented in scheme-bypass writeups
+// (CVE-2026-30838 class). High-codepoint named entities (e.g. mathematical
+// symbols) don't affect URL scheme parsing, so they're omitted.
+var NAMED_ENTITY_ASCII = {
+  // Whitespace + control chars browsers strip inside URL schemes
+  Tab: "\t", NewLine: "\n",
+  // Scheme-significant punctuation
+  colon: ":", semi: ";", period: ".", sol: "/", bsol: "\\",
+  num: "#", excl: "!", quest: "?", lpar: "(", rpar: ")",
+  lsqb: "[", rsqb: "]", lcub: "{", rcub: "}",
+  // Quotes / brackets
+  quot: "\"", apos: "'", lt: "<", gt: ">",
+  // Misc ASCII
+  amp: "&", commat: "@", dollar: "$", percnt: "%",
+  ast: "*", plus: "+", lowbar: "_", hyphen: "-",
+  // Whitespace markers (codepoints in the ASCII / Latin-1 range that
+  // browsers treat as URL-strippable)
+  nbsp: " ",
+};
+
 // _normalizeUrl — peel off entity-encoded leading whitespace and
 // HTML/URL-encoded scheme prefix tricks, then return the lowercased
 // scheme. Returns "" if no scheme.
@@ -415,6 +439,17 @@ function _extractScheme(rawUrl) {
   s = s.replace(/&#(\d+);/g, function (_m, d) {
     return String.fromCharCode(parseInt(d, 10));
   });
+  // Decode HTML5 named entities that browsers honor inside URL
+  // contexts. Without this, payloads like `java&Tab;script:alert(1)`
+  // bypass the scheme allowlist (the literal `&Tab;` between `java`
+  // and `script:` doesn't match any denied scheme; the browser then
+  // decodes the entity, strips the tab, and executes javascript:).
+  s = s.replace(/&([A-Za-z][A-Za-z0-9]+);/g, function (m, name) {
+    if (Object.prototype.hasOwnProperty.call(NAMED_ENTITY_ASCII, name)) {
+      return NAMED_ENTITY_ASCII[name];
+    }
+    return m;
+  });
   // Strip embedded whitespace + control chars + zero-widths the
   // URL parser would tolerate.
   s = s.replace(C0_CTRL_RE_G, "").replace(ZW_RE_G, "");

package/lib/guard-svg.js

@@ -352,6 +352,20 @@ function _resolveOpts(opts) {
   });
 }
 
+// HTML5 named-entity ASCII subset — same shape as guard-html.
+// Browsers honor these inside URL contexts; without decoding them,
+// `java	script:` and friends bypass the scheme allowlist.
+var SVG_NAMED_ENTITY_ASCII = {
+  Tab: "\t", NewLine: "\n",
+  colon: ":", semi: ";", period: ".", sol: "/", bsol: "\\",
+  num: "#", excl: "!", quest: "?", lpar: "(", rpar: ")",
+  lsqb: "[", rsqb: "]", lcub: "{", rcub: "}",
+  quot: "\"", apos: "'", lt: "<", gt: ">",
+  amp: "&", commat: "@", dollar: "$", percnt: "%",
+  ast: "*", plus: "+", lowbar: "_", hyphen: "-",
+  nbsp: " ",
+};
+
 function _extractScheme(rawUrl) {
   var s = String(rawUrl || "").trim();
   s = s.replace(/&#x([0-9a-f]+);/gi, function (_m, h) {
@@ -360,6 +374,12 @@ function _extractScheme(rawUrl) {
   s = s.replace(/&#(\d+);/g, function (_m, d) {
     return String.fromCharCode(parseInt(d, 10));
   });
+  s = s.replace(/&([A-Za-z][A-Za-z0-9]+);/g, function (m, name) {
+    if (Object.prototype.hasOwnProperty.call(SVG_NAMED_ENTITY_ASCII, name)) {
+      return SVG_NAMED_ENTITY_ASCII[name];
+    }
+    return m;
+  });
   s = s.replace(C0_CTRL_RE_G, "").replace(ZW_RE_G, "");
   var m = s.match(/^([A-Za-z][A-Za-z0-9+.-]*):/);
   return m ? m[1].toLowerCase() : "";