npm - @bquery/bquery - Versions diffs - 1.0.2 → 1.1.0 - Mend

@bquery/bquery 1.0.2 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (41) hide show

package/README.md +61 -7
package/dist/component/index.d.ts +8 -0
package/dist/component/index.d.ts.map +1 -1
package/dist/component.es.mjs +80 -53
package/dist/component.es.mjs.map +1 -1
package/dist/core/collection.d.ts +46 -0
package/dist/core/collection.d.ts.map +1 -1
package/dist/core/element.d.ts +124 -22
package/dist/core/element.d.ts.map +1 -1
package/dist/core/utils.d.ts +13 -0
package/dist/core/utils.d.ts.map +1 -1
package/dist/core.es.mjs +298 -55
package/dist/core.es.mjs.map +1 -1
package/dist/full.d.ts +2 -2
package/dist/full.d.ts.map +1 -1
package/dist/full.es.mjs +38 -33
package/dist/full.iife.js +1 -1
package/dist/full.iife.js.map +1 -1
package/dist/full.umd.js +1 -1
package/dist/full.umd.js.map +1 -1
package/dist/index.d.ts +1 -1
package/dist/index.es.mjs +38 -33
package/dist/reactive/index.d.ts +2 -2
package/dist/reactive/index.d.ts.map +1 -1
package/dist/reactive/signal.d.ts +107 -0
package/dist/reactive/signal.d.ts.map +1 -1
package/dist/reactive.es.mjs +92 -55
package/dist/reactive.es.mjs.map +1 -1
package/dist/security/sanitize.d.ts.map +1 -1
package/dist/security.es.mjs +136 -66
package/dist/security.es.mjs.map +1 -1
package/package.json +120 -120
package/src/component/index.ts +414 -360
package/src/core/collection.ts +454 -339
package/src/core/element.ts +740 -493
package/src/core/utils.ts +444 -425
package/src/full.ts +106 -101
package/src/index.ts +27 -27
package/src/reactive/index.ts +22 -9
package/src/reactive/signal.ts +506 -347
package/src/security/sanitize.ts +553 -446

package/dist/security.es.mjs CHANGED Viewed

@@ -1,17 +1,17 @@
-const f = "bquery-sanitizer";
-let i = null;
-const _ = () => typeof window.trustedTypes < "u", y = () => {
-  if (i) return i;
-  const t = window;
-  if (!t.trustedTypes) return null;
+const h = "bquery-sanitizer";
+let l = null;
+const x = () => typeof window.trustedTypes < "u", y = () => {
+  if (l) return l;
+  const e = window;
+  if (!e.trustedTypes) return null;
   try {
-    return i = t.trustedTypes.createPolicy(f, {
-      createHTML: (e) => d(e)
-    }), i;
+    return l = e.trustedTypes.createPolicy(h, {
+      createHTML: (t) => p(t)
+    }), l;
   } catch {
-    return console.warn(`bQuery: Could not create Trusted Types policy "${f}"`), null;
+    return console.warn(`bQuery: Could not create Trusted Types policy "${h}"`), null;
   }
-}, b = /* @__PURE__ */ new Set([
+}, A = /* @__PURE__ */ new Set([
   "a",
   "abbr",
   "address",
@@ -96,7 +96,62 @@ const _ = () => typeof window.trustedTypes < "u", y = () => {
   "ul",
   "var",
   "wbr"
-]), A = /* @__PURE__ */ new Set([
+]), g = /* @__PURE__ */ new Set([
+  "script",
+  "iframe",
+  "frame",
+  "frameset",
+  "object",
+  "embed",
+  "applet",
+  "link",
+  "meta",
+  "style",
+  "base",
+  "template",
+  "slot",
+  "math",
+  "svg",
+  "foreignobject",
+  "noscript"
+]), S = /* @__PURE__ */ new Set([
+  // Global objects
+  "document",
+  "window",
+  "location",
+  "top",
+  "self",
+  "parent",
+  "frames",
+  "history",
+  "navigator",
+  "screen",
+  // Dangerous functions
+  "alert",
+  "confirm",
+  "prompt",
+  "eval",
+  "Function",
+  // Document properties
+  "cookie",
+  "domain",
+  "referrer",
+  "body",
+  "head",
+  "forms",
+  "images",
+  "links",
+  "scripts",
+  // DOM traversal properties
+  "children",
+  "parentNode",
+  "firstChild",
+  "lastChild",
+  // Content manipulation
+  "innerHTML",
+  "outerHTML",
+  "textContent"
+]), L = /* @__PURE__ */ new Set([
   "alt",
   "class",
   "dir",
@@ -116,55 +171,70 @@ const _ = () => typeof window.trustedTypes < "u", y = () => {
   "type",
   "width",
   "aria-*"
-]), L = ["on", "formaction"], S = ["javascript:", "data:", "vbscript:"], C = (t, e, o) => {
-  const n = t.toLowerCase();
-  for (const l of L)
-    if (n.startsWith(l)) return !1;
-  return o && n.startsWith("data-") || n.startsWith("aria-") ? !0 : e.has(n);
-}, E = (t) => t.replace(/[\u0000-\u001F\u007F\s]+/g, "").toLowerCase(), N = (t) => {
-  const e = E(t);
-  for (const o of S)
-    if (e.startsWith(o)) return !1;
+]), C = ["on", "formaction", "xlink:", "xmlns:"], E = ["javascript:", "data:", "vbscript:", "file:"], v = (e, t, o) => {
+  const a = e.toLowerCase();
+  for (const u of C)
+    if (a.startsWith(u)) return !1;
+  return o && a.startsWith("data-") || a.startsWith("aria-") ? !0 : t.has(a);
+}, N = (e) => {
+  const t = e.toLowerCase().trim();
+  return !S.has(t);
+}, D = (e) => e.replace(/[\u0000-\u001F\u007F]+/g, "").replace(/[\u200B-\u200D\uFEFF\u2028\u2029]+/g, "").replace(/\\u[\da-fA-F]{4}/g, "").replace(/\s+/g, "").toLowerCase(), R = (e) => {
+  const t = D(e);
+  for (const o of E)
+    if (t.startsWith(o)) return !1;
   return !0;
-}, d = (t, e = {}) => {
+}, p = (e, t = {}) => {
   const {
     allowTags: o = [],
-    allowAttributes: n = [],
-    allowDataAttributes: l = !0,
-    stripAllTags: h = !1
-  } = e, T = /* @__PURE__ */ new Set([...b, ...o.map((r) => r.toLowerCase())]), g = /* @__PURE__ */ new Set([
-    ...A,
-    ...n.map((r) => r.toLowerCase())
-  ]), a = document.createElement("template");
-  if (a.innerHTML = t, h)
-    return a.content.textContent ?? "";
-  const p = document.createTreeWalker(a.content, NodeFilter.SHOW_ELEMENT), m = [];
-  for (; p.nextNode(); ) {
-    const r = p.currentNode, w = r.tagName.toLowerCase();
-    if (!T.has(w)) {
-      m.push(r);
+    allowAttributes: a = [],
+    allowDataAttributes: u = !0,
+    stripAllTags: w = !1
+  } = t, T = new Set(
+    [...A, ...o.map((r) => r.toLowerCase())].filter(
+      (r) => !g.has(r)
+    )
+  ), b = /* @__PURE__ */ new Set([
+    ...L,
+    ...a.map((r) => r.toLowerCase())
+  ]), i = document.createElement("template");
+  if (i.innerHTML = e, w)
+    return i.content.textContent ?? "";
+  const m = document.createTreeWalker(i.content, NodeFilter.SHOW_ELEMENT), d = [];
+  for (; m.nextNode(); ) {
+    const r = m.currentNode, f = r.tagName.toLowerCase();
+    if (g.has(f)) {
+      d.push(r);
+      continue;
+    }
+    if (!T.has(f)) {
+      d.push(r);
       continue;
     }
-    const u = [];
-    for (const s of Array.from(r.attributes)) {
-      const c = s.name.toLowerCase();
-      if (!C(c, g, l)) {
-        u.push(s.name);
+    const c = [];
+    for (const n of Array.from(r.attributes)) {
+      const s = n.name.toLowerCase();
+      if (!v(s, b, u)) {
+        c.push(n.name);
+        continue;
+      }
+      if ((s === "id" || s === "name") && !N(n.value)) {
+        c.push(n.name);
         continue;
       }
-      (c === "href" || c === "src" || c === "srcset") && !N(s.value) && u.push(s.name);
+      (s === "href" || s === "src" || s === "srcset") && !R(n.value) && c.push(n.name);
     }
-    for (const s of u)
-      r.removeAttribute(s);
+    for (const n of c)
+      r.removeAttribute(n);
   }
-  for (const r of m)
+  for (const r of d)
     r.remove();
-  return a.innerHTML;
-}, v = (t, e = {}) => d(t, e), H = (t) => {
-  const e = y();
-  return e ? e.createHTML(t) : v(t);
-}, O = (t) => {
-  const e = {
+  return i.innerHTML;
+}, _ = (e, t = {}) => p(e, t), F = (e) => {
+  const t = y();
+  return t ? t.createHTML(e) : _(e);
+}, H = (e) => {
+  const t = {
     "&": "&amp;",
     "<": "&lt;",
     ">": "&gt;",
@@ -172,23 +242,23 @@ const _ = () => typeof window.trustedTypes < "u", y = () => {
     "'": "&#x27;",
     "`": "&#x60;"
   };
-  return t.replace(/[&<>"'`]/g, (o) => e[o]);
-}, R = (t) => d(t, { stripAllTags: !0 }), x = (t = 16) => {
-  const e = new Uint8Array(t);
-  return crypto.getRandomValues(e), btoa(String.fromCharCode(...e)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
-}, D = (t) => {
-  const e = document.querySelector('meta[http-equiv="Content-Security-Policy"]');
-  return e ? (e.getAttribute("content") ?? "").includes(t) : !1;
+  return e.replace(/[&<>"'`]/g, (o) => t[o]);
+}, O = (e) => p(e, { stripAllTags: !0 }), k = (e = 16) => {
+  const t = new Uint8Array(e);
+  return crypto.getRandomValues(t), btoa(String.fromCharCode(...t)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}, M = (e) => {
+  const t = document.querySelector('meta[http-equiv="Content-Security-Policy"]');
+  return t ? (t.getAttribute("content") ?? "").includes(e) : !1;
 };
 export {
-  H as createTrustedHtml,
-  O as escapeHtml,
-  x as generateNonce,
+  F as createTrustedHtml,
+  H as escapeHtml,
+  k as generateNonce,
   y as getTrustedTypesPolicy,
-  D as hasCSPDirective,
-  _ as isTrustedTypesSupported,
-  v as sanitize,
-  v as sanitizeHtml,
-  R as stripTags
+  M as hasCSPDirective,
+  x as isTrustedTypesSupported,
+  _ as sanitize,
+  _ as sanitizeHtml,
+  O as stripTags
 };
 //# sourceMappingURL=security.es.mjs.map

package/dist/security.es.mjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"security.es.mjs","sources":["../src/security/sanitize.ts"],"sourcesContent":["/*\n Security utilities for HTML sanitization, CSP compatibility, and Trusted Types.\n * All DOM writes are sanitized by default to prevent XSS attacks.\n \n @module bquery/security\n /\n\n// ============================================================================\n// Types\n// ============================================================================\n\n/\n Sanitizer configuration options.\n /\nexport interface SanitizeOptions {\n /* Allow these additional tags (default: none) /\n allowTags?: string[];\n /* Allow these additional attributes (default: none) /\n allowAttributes?: string[];\n /* Allow data-* attributes (default: true) /\n allowDataAttributes?: boolean;\n /* Strip all tags and return plain text (default: false) /\n stripAllTags?: boolean;\n}\n\n/\n Trusted Types policy name.\n /\nconst POLICY_NAME = 'bquery-sanitizer';\n\n// ============================================================================\n// Trusted Types Support\n// ============================================================================\n\n/* Window interface extended with Trusted Types /\ninterface TrustedTypesWindow extends Window {\n trustedTypes?: {\n createPolicy: (\n name: string,\n rules: { createHTML?: (input: string) => string }\n ) => TrustedTypePolicy;\n isHTML?: (value: unknown) => boolean;\n };\n}\n\n/* Trusted Types policy interface /\ninterface TrustedTypePolicy {\n createHTML: (input: string) => TrustedHTML;\n}\n\n/* Trusted HTML type placeholder for environments without Trusted Types /\ninterface TrustedHTML {\n toString(): string;\n}\n\n/* Cached Trusted Types policy /\nlet cachedPolicy: TrustedTypePolicy \| null = null;\n\n/\n Check if Trusted Types API is available.\n * @returns True if Trusted Types are supported\n /\nexport const isTrustedTypesSupported = (): boolean => {\n return typeof (window as TrustedTypesWindow).trustedTypes !== 'undefined';\n};\n\n/\n Get or create the bQuery Trusted Types policy.\n * @returns The Trusted Types policy or null if unsupported\n /\nexport const getTrustedTypesPolicy = (): TrustedTypePolicy \| null => {\n if (cachedPolicy) return cachedPolicy;\n\n const win = window as TrustedTypesWindow;\n if (!win.trustedTypes) return null;\n\n try {\n cachedPolicy = win.trustedTypes.createPolicy(POLICY_NAME, {\n createHTML: (input: string) => sanitizeHtmlCore(input),\n });\n return cachedPolicy;\n } catch {\n // Policy may already exist or be blocked by CSP\n console.warn(`bQuery: Could not create Trusted Types policy \"${POLICY_NAME}\"`);\n return null;\n }\n};\n\n// ============================================================================\n// Default Safe Lists\n// ============================================================================\n\n/\n Default allowed HTML tags considered safe.\n /\nconst DEFAULT_ALLOWED_TAGS = new Set([\n 'a',\n 'abbr',\n 'address',\n 'article',\n 'aside',\n 'b',\n 'bdi',\n 'bdo',\n 'blockquote',\n 'br',\n 'button',\n 'caption',\n 'cite',\n 'code',\n 'col',\n 'colgroup',\n 'data',\n 'dd',\n 'del',\n 'details',\n 'dfn',\n 'div',\n 'dl',\n 'dt',\n 'em',\n 'figcaption',\n 'figure',\n 'footer',\n 'form',\n 'h1',\n 'h2',\n 'h3',\n 'h4',\n 'h5',\n 'h6',\n 'header',\n 'hgroup',\n 'hr',\n 'i',\n 'img',\n 'input',\n 'ins',\n 'kbd',\n 'label',\n 'legend',\n 'li',\n 'main',\n 'mark',\n 'nav',\n 'ol',\n 'optgroup',\n 'option',\n 'p',\n 'picture',\n 'pre',\n 'progress',\n 'q',\n 'rp',\n 'rt',\n 'ruby',\n 's',\n 'samp',\n 'section',\n 'select',\n 'small',\n 'source',\n 'span',\n 'strong',\n 'sub',\n 'summary',\n 'sup',\n 'table',\n 'tbody',\n 'td',\n 'textarea',\n 'tfoot',\n 'th',\n 'thead',\n 'time',\n 'tr',\n 'u',\n 'ul',\n 'var',\n 'wbr',\n]);\n\n/\n Default allowed attributes considered safe.\n /\nconst DEFAULT_ALLOWED_ATTRIBUTES = new Set([\n 'alt',\n 'class',\n 'dir',\n 'height',\n 'hidden',\n 'href',\n 'id',\n 'lang',\n 'loading',\n 'name',\n 'role',\n 'src',\n 'srcset',\n 'style',\n 'tabindex',\n 'title',\n 'type',\n 'width',\n 'aria-',\n]);\n\n/*\n Dangerous attribute prefixes to always remove.\n /\nconst DANGEROUS_ATTR_PREFIXES = ['on', 'formaction'];\n\n/\n Dangerous URL protocols to block.\n /\nconst DANGEROUS_PROTOCOLS = ['javascript:', 'data:', 'vbscript:'];\n\n// ============================================================================\n// Core Sanitization\n// ============================================================================\n\n/\n Check if an attribute name is allowed.\n /\nconst isAllowedAttribute = (\n name: string,\n allowedSet: Set<string>,\n allowDataAttrs: boolean\n): boolean => {\n const lowerName = name.toLowerCase();\n\n // Check dangerous prefixes\n for (const prefix of DANGEROUS_ATTR_PREFIXES) {\n if (lowerName.startsWith(prefix)) return false;\n }\n\n // Check data attributes\n if (allowDataAttrs && lowerName.startsWith('data-')) return true;\n\n // Check aria attributes (allowed by default)\n if (lowerName.startsWith('aria-')) return true;\n\n // Check explicit allow list\n return allowedSet.has(lowerName);\n};\n\n/\n Normalize URL by removing control characters and whitespace.\n /\nconst normalizeUrl = (value: string): string =>\n value.replace(/[\\u0000-\\u001F\\u007F\\s]+/g, '').toLowerCase();\n\n/\n Check if a URL value is safe.\n /\nconst isSafeUrl = (value: string): boolean => {\n const normalized = normalizeUrl(value);\n for (const protocol of DANGEROUS_PROTOCOLS) {\n if (normalized.startsWith(protocol)) return false;\n }\n return true;\n};\n\n/\n Core sanitization logic (without Trusted Types wrapper).\n /\nconst sanitizeHtmlCore = (html: string, options: SanitizeOptions = {}): string => {\n const {\n allowTags = [],\n allowAttributes = [],\n allowDataAttributes = true,\n stripAllTags = false,\n } = options;\n\n // Build combined allow sets\n const allowedTags = new Set([...DEFAULT_ALLOWED_TAGS, ...allowTags.map((t) => t.toLowerCase())]);\n const allowedAttrs = new Set([\n ...DEFAULT_ALLOWED_ATTRIBUTES,\n ...allowAttributes.map((a) => a.toLowerCase()),\n ]);\n\n // Use template for parsing\n const template = document.createElement('template');\n template.innerHTML = html;\n\n if (stripAllTags) {\n return template.content.textContent ?? '';\n }\n\n // Walk the DOM tree\n const walker = document.createTreeWalker(template.content, NodeFilter.SHOW_ELEMENT);\n\n const toRemove: Element[] = [];\n\n while (walker.nextNode()) {\n const el = walker.currentNode as Element;\n const tagName = el.tagName.toLowerCase();\n\n // Remove disallowed tags entirely\n if (!allowedTags.has(tagName)) {\n toRemove.push(el);\n continue;\n }\n\n // Process attributes\n const attrsToRemove: string[] = [];\n for (const attr of Array.from(el.attributes)) {\n const attrName = attr.name.toLowerCase();\n\n // Check if attribute is allowed\n if (!isAllowedAttribute(attrName, allowedAttrs, allowDataAttributes)) {\n attrsToRemove.push(attr.name);\n continue;\n }\n\n // Validate URL attributes\n if (\n (attrName === 'href' \|\| attrName === 'src' \|\| attrName === 'srcset') &&\n !isSafeUrl(attr.value)\n ) {\n attrsToRemove.push(attr.name);\n }\n }\n\n // Remove disallowed attributes\n for (const attrName of attrsToRemove) {\n el.removeAttribute(attrName);\n }\n }\n\n // Remove disallowed elements\n for (const el of toRemove) {\n el.remove();\n }\n\n return template.innerHTML;\n};\n\n// ============================================================================\n// Public API\n// ============================================================================\n\n/\n Sanitize HTML string, removing dangerous elements and attributes.\n * Uses Trusted Types when available for CSP compliance.\n \n @param html - The HTML string to sanitize\n * @param options - Sanitization options\n * @returns Sanitized HTML string\n \n @example\n * ```ts\n * const safe = sanitizeHtml('<div onclick=\"alert(1)\">Hello</div>');\n * // Returns: '<div>Hello</div>'\n * ```\n /\nexport const sanitizeHtml = (html: string, options: SanitizeOptions = {}): string => {\n return sanitizeHtmlCore(html, options);\n};\n\n/\n Create a Trusted HTML value for use with Trusted Types-enabled sites.\n * Falls back to regular string when Trusted Types are unavailable.\n \n @param html - The HTML string to wrap\n * @returns Trusted HTML value or sanitized string\n /\nexport const createTrustedHtml = (html: string): TrustedHTML \| string => {\n const policy = getTrustedTypesPolicy();\n if (policy) {\n return policy.createHTML(html);\n }\n return sanitizeHtml(html);\n};\n\n/\n Escape HTML entities to prevent XSS.\n * Use this for displaying user content as text.\n \n @param text - The text to escape\n * @returns Escaped HTML string\n \n @example\n * ```ts\n * escapeHtml('<script>alert(1)</script>');\n * // Returns: '<script>alert(1)</script>'\n * ```\n /\nexport const escapeHtml = (text: string): string => {\n const escapeMap: Record<string, string> = {\n '&': '&',\n '<': '<',\n '>': '>',\n '\"': '"',\n \"'\": ''',\n '`': '`',\n };\n return text.replace(/[&<>\"'`]/g, (char) => escapeMap[char]);\n};\n\n/\n Strip all HTML tags and return plain text.\n \n @param html - The HTML string to strip\n * @returns Plain text content\n /\nexport const stripTags = (html: string): string => {\n return sanitizeHtmlCore(html, { stripAllTags: true });\n};\n\n// ============================================================================\n// CSP Helpers\n// ============================================================================\n\n/\n Generate a nonce for inline scripts/styles.\n * Use with Content-Security-Policy nonce directives.\n \n @param length - Nonce length (default: 16)\n * @returns Cryptographically random nonce string\n /\nexport const generateNonce = (length: number = 16): string => {\n const array = new Uint8Array(length);\n crypto.getRandomValues(array);\n return btoa(String.fromCharCode(...array))\n .replace(/\\+/g, '-')\n .replace(/\\//g, '_')\n .replace(/=/g, '');\n};\n\n/\n Check if a CSP header is present with specific directive.\n * Useful for feature detection and fallback strategies.\n \n @param directive - The CSP directive to check (e.g., 'script-src')\n * @returns True if the directive appears to be enforced\n */\nexport const hasCSPDirective = (directive: string): boolean => {\n // Check meta tag\n const meta = document.querySelector('meta[http-equiv=\"Content-Security-Policy\"]');\n if (meta) {\n const content = meta.getAttribute('content') ?? '';\n return content.includes(directive);\n }\n return false;\n};\n"],"names":["POLICY_NAME","cachedPolicy","isTrustedTypesSupported","getTrustedTypesPolicy","win","input","sanitizeHtmlCore","DEFAULT_ALLOWED_TAGS","DEFAULT_ALLOWED_ATTRIBUTES","DANGEROUS_ATTR_PREFIXES","DANGEROUS_PROTOCOLS","isAllowedAttribute","name","allowedSet","allowDataAttrs","lowerName","prefix","normalizeUrl","value","isSafeUrl","normalized","protocol","html","options","allowTags","allowAttributes","allowDataAttributes","stripAllTags","allowedTags","t","allowedAttrs","a","template","walker","toRemove","el","tagName","attrsToRemove","attr","attrName","sanitizeHtml","createTrustedHtml","policy","escapeHtml","text","escapeMap","char","stripTags","generateNonce","length","array","hasCSPDirective","directive","meta"],"mappings":"AA4BA,MAAMA,IAAc;AA4BpB,IAAIC,IAAyC;AAMtC,MAAMC,IAA0B,MAC9B,OAAQ,OAA8B,eAAiB,KAOnDC,IAAwB,MAAgC;AACnE,MAAIF,EAAc,QAAOA;AAEzB,QAAMG,IAAM;AACZ,MAAI,CAACA,EAAI,aAAc,QAAO;AAE9B,MAAI;AACF,WAAAH,IAAeG,EAAI,aAAa,aAAaJ,GAAa;AAAA,MACxD,YAAY,CAACK,MAAkBC,EAAiBD,CAAK;AAAA,IAAA,CACtD,GACMJ;AAAA,EACT,QAAQ;AAEN,mBAAQ,KAAK,kDAAkDD,CAAW,GAAG,GACtE;AAAA,EACT;AACF,GASMO,wBAA2B,IAAI;AAAA,EACnC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC,GAKKC,wBAAiC,IAAI;AAAA,EACzC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC,GAKKC,IAA0B,CAAC,MAAM,YAAY,GAK7CC,IAAsB,CAAC,eAAe,SAAS,WAAW,GAS1DC,IAAqB,CACzBC,GACAC,GACAC,MACY;AACZ,QAAMC,IAAYH,EAAK,YAAA;AAGvB,aAAWI,KAAUP;AACnB,QAAIM,EAAU,WAAWC,CAAM,EAAG,QAAO;AAO3C,SAHIF,KAAkBC,EAAU,WAAW,OAAO,KAG9CA,EAAU,WAAW,OAAO,IAAU,KAGnCF,EAAW,IAAIE,CAAS;AACjC,GAKME,IAAe,CAACC,MACpBA,EAAM,QAAQ,6BAA6B,EAAE,EAAE,YAAA,GAK3CC,IAAY,CAACD,MAA2B;AAC5C,QAAME,IAAaH,EAAaC,CAAK;AACrC,aAAWG,KAAYX;AACrB,QAAIU,EAAW,WAAWC,CAAQ,EAAG,QAAO;AAE9C,SAAO;AACT,GAKMf,IAAmB,CAACgB,GAAcC,IAA2B,OAAe;AAChF,QAAM;AAAA,IACJ,WAAAC,IAAY,CAAA;AAAA,IACZ,iBAAAC,IAAkB,CAAA;AAAA,IAClB,qBAAAC,IAAsB;AAAA,IACtB,cAAAC,IAAe;AAAA,EAAA,IACbJ,GAGEK,IAAc,oBAAI,IAAI,CAAC,GAAGrB,GAAsB,GAAGiB,EAAU,IAAI,CAACK,MAAMA,EAAE,YAAA,CAAa,CAAC,CAAC,GACzFC,wBAAmB,IAAI;AAAA,IAC3B,GAAGtB;AAAA,IACH,GAAGiB,EAAgB,IAAI,CAACM,MAAMA,EAAE,aAAa;AAAA,EAAA,CAC9C,GAGKC,IAAW,SAAS,cAAc,UAAU;AAGlD,MAFAA,EAAS,YAAYV,GAEjBK;AACF,WAAOK,EAAS,QAAQ,eAAe;AAIzC,QAAMC,IAAS,SAAS,iBAAiBD,EAAS,SAAS,WAAW,YAAY,GAE5EE,IAAsB,CAAA;AAE5B,SAAOD,EAAO,cAAY;AACxB,UAAME,IAAKF,EAAO,aACZG,IAAUD,EAAG,QAAQ,YAAA;AAG3B,QAAI,CAACP,EAAY,IAAIQ,CAAO,GAAG;AAC7B,MAAAF,EAAS,KAAKC,CAAE;AAChB;AAAA,IACF;AAGA,UAAME,IAA0B,CAAA;AAChC,eAAWC,KAAQ,MAAM,KAAKH,EAAG,UAAU,GAAG;AAC5C,YAAMI,IAAWD,EAAK,KAAK,YAAA;AAG3B,UAAI,CAAC3B,EAAmB4B,GAAUT,GAAcJ,CAAmB,GAAG;AACpE,QAAAW,EAAc,KAAKC,EAAK,IAAI;AAC5B;AAAA,MACF;AAGA,OACGC,MAAa,UAAUA,MAAa,SAASA,MAAa,aAC3D,CAACpB,EAAUmB,EAAK,KAAK,KAErBD,EAAc,KAAKC,EAAK,IAAI;AAAA,IAEhC;AAGA,eAAWC,KAAYF;AACrB,MAAAF,EAAG,gBAAgBI,CAAQ;AAAA,EAE/B;AAGA,aAAWJ,KAAMD;AACf,IAAAC,EAAG,OAAA;AAGL,SAAOH,EAAS;AAClB,GAoBaQ,IAAe,CAAClB,GAAcC,IAA2B,OAC7DjB,EAAiBgB,GAAMC,CAAO,GAU1BkB,IAAoB,CAACnB,MAAuC;AACvE,QAAMoB,IAASvC,EAAA;AACf,SAAIuC,IACKA,EAAO,WAAWpB,CAAI,IAExBkB,EAAalB,CAAI;AAC1B,GAeaqB,IAAa,CAACC,MAAyB;AAClD,QAAMC,IAAoC;AAAA,IACxC,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,EAAA;AAEP,SAAOD,EAAK,QAAQ,aAAa,CAACE,MAASD,EAAUC,CAAI,CAAC;AAC5D,GAQaC,IAAY,CAACzB,MACjBhB,EAAiBgB,GAAM,EAAE,cAAc,IAAM,GAczC0B,IAAgB,CAACC,IAAiB,OAAe;AAC5D,QAAMC,IAAQ,IAAI,WAAWD,CAAM;AACnC,gBAAO,gBAAgBC,CAAK,GACrB,KAAK,OAAO,aAAa,GAAGA,CAAK,CAAC,EACtC,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,MAAM,EAAE;AACrB,GASaC,IAAkB,CAACC,MAA+B;AAE7D,QAAMC,IAAO,SAAS,cAAc,4CAA4C;AAChF,SAAIA,KACcA,EAAK,aAAa,SAAS,KAAK,IACjC,SAASD,CAAS,IAE5B;AACT;"}
1	+ {"version":3,"file":"security.es.mjs","sources":["../src/security/sanitize.ts"],"sourcesContent":["/*\r\n Security utilities for HTML sanitization, CSP compatibility, and Trusted Types.\r\n * All DOM writes are sanitized by default to prevent XSS attacks.\r\n \r\n @module bquery/security\r\n /\r\n\r\n// ============================================================================\r\n// Types\r\n// ============================================================================\r\n\r\n/\r\n Sanitizer configuration options.\r\n /\r\nexport interface SanitizeOptions {\r\n /* Allow these additional tags (default: none) /\r\n allowTags?: string[];\r\n /* Allow these additional attributes (default: none) /\r\n allowAttributes?: string[];\r\n /* Allow data-* attributes (default: true) /\r\n allowDataAttributes?: boolean;\r\n /* Strip all tags and return plain text (default: false) /\r\n stripAllTags?: boolean;\r\n}\r\n\r\n/\r\n Trusted Types policy name.\r\n /\r\nconst POLICY_NAME = 'bquery-sanitizer';\r\n\r\n// ============================================================================\r\n// Trusted Types Support\r\n// ============================================================================\r\n\r\n/* Window interface extended with Trusted Types /\r\ninterface TrustedTypesWindow extends Window {\r\n trustedTypes?: {\r\n createPolicy: (\r\n name: string,\r\n rules: { createHTML?: (input: string) => string }\r\n ) => TrustedTypePolicy;\r\n isHTML?: (value: unknown) => boolean;\r\n };\r\n}\r\n\r\n/* Trusted Types policy interface /\r\ninterface TrustedTypePolicy {\r\n createHTML: (input: string) => TrustedHTML;\r\n}\r\n\r\n/* Trusted HTML type placeholder for environments without Trusted Types /\r\ninterface TrustedHTML {\r\n toString(): string;\r\n}\r\n\r\n/* Cached Trusted Types policy /\r\nlet cachedPolicy: TrustedTypePolicy \| null = null;\r\n\r\n/\r\n Check if Trusted Types API is available.\r\n * @returns True if Trusted Types are supported\r\n /\r\nexport const isTrustedTypesSupported = (): boolean => {\r\n return typeof (window as TrustedTypesWindow).trustedTypes !== 'undefined';\r\n};\r\n\r\n/\r\n Get or create the bQuery Trusted Types policy.\r\n * @returns The Trusted Types policy or null if unsupported\r\n /\r\nexport const getTrustedTypesPolicy = (): TrustedTypePolicy \| null => {\r\n if (cachedPolicy) return cachedPolicy;\r\n\r\n const win = window as TrustedTypesWindow;\r\n if (!win.trustedTypes) return null;\r\n\r\n try {\r\n cachedPolicy = win.trustedTypes.createPolicy(POLICY_NAME, {\r\n createHTML: (input: string) => sanitizeHtmlCore(input),\r\n });\r\n return cachedPolicy;\r\n } catch {\r\n // Policy may already exist or be blocked by CSP\r\n console.warn(`bQuery: Could not create Trusted Types policy \"${POLICY_NAME}\"`);\r\n return null;\r\n }\r\n};\r\n\r\n// ============================================================================\r\n// Default Safe Lists\r\n// ============================================================================\r\n\r\n/\r\n Default allowed HTML tags considered safe.\r\n /\r\nconst DEFAULT_ALLOWED_TAGS = new Set([\r\n 'a',\r\n 'abbr',\r\n 'address',\r\n 'article',\r\n 'aside',\r\n 'b',\r\n 'bdi',\r\n 'bdo',\r\n 'blockquote',\r\n 'br',\r\n 'button',\r\n 'caption',\r\n 'cite',\r\n 'code',\r\n 'col',\r\n 'colgroup',\r\n 'data',\r\n 'dd',\r\n 'del',\r\n 'details',\r\n 'dfn',\r\n 'div',\r\n 'dl',\r\n 'dt',\r\n 'em',\r\n 'figcaption',\r\n 'figure',\r\n 'footer',\r\n 'form',\r\n 'h1',\r\n 'h2',\r\n 'h3',\r\n 'h4',\r\n 'h5',\r\n 'h6',\r\n 'header',\r\n 'hgroup',\r\n 'hr',\r\n 'i',\r\n 'img',\r\n 'input',\r\n 'ins',\r\n 'kbd',\r\n 'label',\r\n 'legend',\r\n 'li',\r\n 'main',\r\n 'mark',\r\n 'nav',\r\n 'ol',\r\n 'optgroup',\r\n 'option',\r\n 'p',\r\n 'picture',\r\n 'pre',\r\n 'progress',\r\n 'q',\r\n 'rp',\r\n 'rt',\r\n 'ruby',\r\n 's',\r\n 'samp',\r\n 'section',\r\n 'select',\r\n 'small',\r\n 'source',\r\n 'span',\r\n 'strong',\r\n 'sub',\r\n 'summary',\r\n 'sup',\r\n 'table',\r\n 'tbody',\r\n 'td',\r\n 'textarea',\r\n 'tfoot',\r\n 'th',\r\n 'thead',\r\n 'time',\r\n 'tr',\r\n 'u',\r\n 'ul',\r\n 'var',\r\n 'wbr',\r\n]);\r\n\r\n/\r\n Explicitly dangerous tags that should never be allowed.\r\n * These are checked even if somehow added to allowTags.\r\n /\r\nconst DANGEROUS_TAGS = new Set([\r\n 'script',\r\n 'iframe',\r\n 'frame',\r\n 'frameset',\r\n 'object',\r\n 'embed',\r\n 'applet',\r\n 'link',\r\n 'meta',\r\n 'style',\r\n 'base',\r\n 'template',\r\n 'slot',\r\n 'math',\r\n 'svg',\r\n 'foreignobject',\r\n 'noscript',\r\n]);\r\n\r\n/\r\n Reserved IDs that could cause DOM clobbering attacks.\r\n * These are prevented to avoid overwriting global browser objects.\r\n /\r\nconst RESERVED_IDS = new Set([\r\n // Global objects\r\n 'document',\r\n 'window',\r\n 'location',\r\n 'top',\r\n 'self',\r\n 'parent',\r\n 'frames',\r\n 'history',\r\n 'navigator',\r\n 'screen',\r\n // Dangerous functions\r\n 'alert',\r\n 'confirm',\r\n 'prompt',\r\n 'eval',\r\n 'Function',\r\n // Document properties\r\n 'cookie',\r\n 'domain',\r\n 'referrer',\r\n 'body',\r\n 'head',\r\n 'forms',\r\n 'images',\r\n 'links',\r\n 'scripts',\r\n // DOM traversal properties\r\n 'children',\r\n 'parentNode',\r\n 'firstChild',\r\n 'lastChild',\r\n // Content manipulation\r\n 'innerHTML',\r\n 'outerHTML',\r\n 'textContent',\r\n]);\r\n\r\n/\r\n Default allowed attributes considered safe.\r\n /\r\nconst DEFAULT_ALLOWED_ATTRIBUTES = new Set([\r\n 'alt',\r\n 'class',\r\n 'dir',\r\n 'height',\r\n 'hidden',\r\n 'href',\r\n 'id',\r\n 'lang',\r\n 'loading',\r\n 'name',\r\n 'role',\r\n 'src',\r\n 'srcset',\r\n 'style',\r\n 'tabindex',\r\n 'title',\r\n 'type',\r\n 'width',\r\n 'aria-',\r\n]);\r\n\r\n/*\r\n Dangerous attribute prefixes to always remove.\r\n /\r\nconst DANGEROUS_ATTR_PREFIXES = ['on', 'formaction', 'xlink:', 'xmlns:'];\r\n\r\n/\r\n Dangerous URL protocols to block.\r\n /\r\nconst DANGEROUS_PROTOCOLS = ['javascript:', 'data:', 'vbscript:', 'file:'];\r\n\r\n// ============================================================================\r\n// Core Sanitization\r\n// ============================================================================\r\n\r\n/\r\n Check if an attribute name is allowed.\r\n * @internal\r\n /\r\nconst isAllowedAttribute = (\r\n name: string,\r\n allowedSet: Set<string>,\r\n allowDataAttrs: boolean\r\n): boolean => {\r\n const lowerName = name.toLowerCase();\r\n\r\n // Check dangerous prefixes\r\n for (const prefix of DANGEROUS_ATTR_PREFIXES) {\r\n if (lowerName.startsWith(prefix)) return false;\r\n }\r\n\r\n // Check data attributes\r\n if (allowDataAttrs && lowerName.startsWith('data-')) return true;\r\n\r\n // Check aria attributes (allowed by default)\r\n if (lowerName.startsWith('aria-')) return true;\r\n\r\n // Check explicit allow list\r\n return allowedSet.has(lowerName);\r\n};\r\n\r\n/\r\n Check if an ID/name value could cause DOM clobbering.\r\n * @internal\r\n /\r\nconst isSafeIdOrName = (value: string): boolean => {\r\n const lowerValue = value.toLowerCase().trim();\r\n return !RESERVED_IDS.has(lowerValue);\r\n};\r\n\r\n/\r\n Normalize URL by removing control characters, whitespace, and Unicode tricks.\r\n * Enhanced to prevent various bypass techniques.\r\n * @internal\r\n /\r\nconst normalizeUrl = (value: string): string =>\r\n value\r\n // Remove null bytes and control characters\r\n .replace(/[\\u0000-\\u001F\\u007F]+/g, '')\r\n // Remove zero-width characters that could hide malicious content\r\n .replace(/[\\u200B-\\u200D\\uFEFF\\u2028\\u2029]+/g, '')\r\n // Remove escaped Unicode sequences\r\n .replace(/\\\\u[\\da-fA-F]{4}/g, '')\r\n // Remove whitespace\r\n .replace(/\\s+/g, '')\r\n // Normalize case\r\n .toLowerCase();\r\n\r\n/\r\n Check if a URL value is safe.\r\n * @internal\r\n /\r\nconst isSafeUrl = (value: string): boolean => {\r\n const normalized = normalizeUrl(value);\r\n for (const protocol of DANGEROUS_PROTOCOLS) {\r\n if (normalized.startsWith(protocol)) return false;\r\n }\r\n return true;\r\n};\r\n\r\n/\r\n Core sanitization logic (without Trusted Types wrapper).\r\n * @internal\r\n /\r\nconst sanitizeHtmlCore = (html: string, options: SanitizeOptions = {}): string => {\r\n const {\r\n allowTags = [],\r\n allowAttributes = [],\r\n allowDataAttributes = true,\r\n stripAllTags = false,\r\n } = options;\r\n\r\n // Build combined allow sets (excluding dangerous tags even if specified)\r\n const allowedTags = new Set(\r\n [...DEFAULT_ALLOWED_TAGS, ...allowTags.map((t) => t.toLowerCase())].filter(\r\n (tag) => !DANGEROUS_TAGS.has(tag)\r\n )\r\n );\r\n const allowedAttrs = new Set([\r\n ...DEFAULT_ALLOWED_ATTRIBUTES,\r\n ...allowAttributes.map((a) => a.toLowerCase()),\r\n ]);\r\n\r\n // Use template for parsing\r\n const template = document.createElement('template');\r\n template.innerHTML = html;\r\n\r\n if (stripAllTags) {\r\n return template.content.textContent ?? '';\r\n }\r\n\r\n // Walk the DOM tree\r\n const walker = document.createTreeWalker(template.content, NodeFilter.SHOW_ELEMENT);\r\n\r\n const toRemove: Element[] = [];\r\n\r\n while (walker.nextNode()) {\r\n const el = walker.currentNode as Element;\r\n const tagName = el.tagName.toLowerCase();\r\n\r\n // Remove explicitly dangerous tags even if in allow list\r\n if (DANGEROUS_TAGS.has(tagName)) {\r\n toRemove.push(el);\r\n continue;\r\n }\r\n\r\n // Remove disallowed tags entirely\r\n if (!allowedTags.has(tagName)) {\r\n toRemove.push(el);\r\n continue;\r\n }\r\n\r\n // Process attributes\r\n const attrsToRemove: string[] = [];\r\n for (const attr of Array.from(el.attributes)) {\r\n const attrName = attr.name.toLowerCase();\r\n\r\n // Check if attribute is allowed\r\n if (!isAllowedAttribute(attrName, allowedAttrs, allowDataAttributes)) {\r\n attrsToRemove.push(attr.name);\r\n continue;\r\n }\r\n\r\n // Check for DOM clobbering on id and name attributes\r\n if ((attrName === 'id' \|\| attrName === 'name') && !isSafeIdOrName(attr.value)) {\r\n attrsToRemove.push(attr.name);\r\n continue;\r\n }\r\n\r\n // Validate URL attributes\r\n if (\r\n (attrName === 'href' \|\| attrName === 'src' \|\| attrName === 'srcset') &&\r\n !isSafeUrl(attr.value)\r\n ) {\r\n attrsToRemove.push(attr.name);\r\n }\r\n }\r\n\r\n // Remove disallowed attributes\r\n for (const attrName of attrsToRemove) {\r\n el.removeAttribute(attrName);\r\n }\r\n }\r\n\r\n // Remove disallowed elements\r\n for (const el of toRemove) {\r\n el.remove();\r\n }\r\n\r\n return template.innerHTML;\r\n};\r\n\r\n// ============================================================================\r\n// Public API\r\n// ============================================================================\r\n\r\n/\r\n Sanitize HTML string, removing dangerous elements and attributes.\r\n * Uses Trusted Types when available for CSP compliance.\r\n \r\n @param html - The HTML string to sanitize\r\n * @param options - Sanitization options\r\n * @returns Sanitized HTML string\r\n \r\n @example\r\n * ```ts\r\n * const safe = sanitizeHtml('<div onclick=\"alert(1)\">Hello</div>');\r\n * // Returns: '<div>Hello</div>'\r\n * ```\r\n /\r\nexport const sanitizeHtml = (html: string, options: SanitizeOptions = {}): string => {\r\n return sanitizeHtmlCore(html, options);\r\n};\r\n\r\n/\r\n Create a Trusted HTML value for use with Trusted Types-enabled sites.\r\n * Falls back to regular string when Trusted Types are unavailable.\r\n \r\n @param html - The HTML string to wrap\r\n * @returns Trusted HTML value or sanitized string\r\n /\r\nexport const createTrustedHtml = (html: string): TrustedHTML \| string => {\r\n const policy = getTrustedTypesPolicy();\r\n if (policy) {\r\n return policy.createHTML(html);\r\n }\r\n return sanitizeHtml(html);\r\n};\r\n\r\n/\r\n Escape HTML entities to prevent XSS.\r\n * Use this for displaying user content as text.\r\n \r\n @param text - The text to escape\r\n * @returns Escaped HTML string\r\n \r\n @example\r\n * ```ts\r\n * escapeHtml('<script>alert(1)</script>');\r\n * // Returns: '<script>alert(1)</script>'\r\n * ```\r\n /\r\nexport const escapeHtml = (text: string): string => {\r\n const escapeMap: Record<string, string> = {\r\n '&': '&',\r\n '<': '<',\r\n '>': '>',\r\n '\"': '"',\r\n \"'\": ''',\r\n '`': '`',\r\n };\r\n return text.replace(/[&<>\"'`]/g, (char) => escapeMap[char]);\r\n};\r\n\r\n/\r\n Strip all HTML tags and return plain text.\r\n \r\n @param html - The HTML string to strip\r\n * @returns Plain text content\r\n /\r\nexport const stripTags = (html: string): string => {\r\n return sanitizeHtmlCore(html, { stripAllTags: true });\r\n};\r\n\r\n// ============================================================================\r\n// CSP Helpers\r\n// ============================================================================\r\n\r\n/\r\n Generate a nonce for inline scripts/styles.\r\n * Use with Content-Security-Policy nonce directives.\r\n \r\n @param length - Nonce length (default: 16)\r\n * @returns Cryptographically random nonce string\r\n /\r\nexport const generateNonce = (length: number = 16): string => {\r\n const array = new Uint8Array(length);\r\n crypto.getRandomValues(array);\r\n return btoa(String.fromCharCode(...array))\r\n .replace(/\\+/g, '-')\r\n .replace(/\\//g, '_')\r\n .replace(/=/g, '');\r\n};\r\n\r\n/\r\n Check if a CSP header is present with specific directive.\r\n * Useful for feature detection and fallback strategies.\r\n \r\n @param directive - The CSP directive to check (e.g., 'script-src')\r\n * @returns True if the directive appears to be enforced\r\n */\r\nexport const hasCSPDirective = (directive: string): boolean => {\r\n // Check meta tag\r\n const meta = document.querySelector('meta[http-equiv=\"Content-Security-Policy\"]');\r\n if (meta) {\r\n const content = meta.getAttribute('content') ?? '';\r\n return content.includes(directive);\r\n }\r\n return false;\r\n};\r\n"],"names":["POLICY_NAME","cachedPolicy","isTrustedTypesSupported","getTrustedTypesPolicy","win","input","sanitizeHtmlCore","DEFAULT_ALLOWED_TAGS","DANGEROUS_TAGS","RESERVED_IDS","DEFAULT_ALLOWED_ATTRIBUTES","DANGEROUS_ATTR_PREFIXES","DANGEROUS_PROTOCOLS","isAllowedAttribute","name","allowedSet","allowDataAttrs","lowerName","prefix","isSafeIdOrName","value","lowerValue","normalizeUrl","isSafeUrl","normalized","protocol","html","options","allowTags","allowAttributes","allowDataAttributes","stripAllTags","allowedTags","t","tag","allowedAttrs","a","template","walker","toRemove","el","tagName","attrsToRemove","attr","attrName","sanitizeHtml","createTrustedHtml","policy","escapeHtml","text","escapeMap","char","stripTags","generateNonce","length","array","hasCSPDirective","directive","meta"],"mappings":"AA4BA,MAAMA,IAAc;AA4BpB,IAAIC,IAAyC;AAMtC,MAAMC,IAA0B,MAC9B,OAAQ,OAA8B,eAAiB,KAOnDC,IAAwB,MAAgC;AACnE,MAAIF,EAAc,QAAOA;AAEzB,QAAMG,IAAM;AACZ,MAAI,CAACA,EAAI,aAAc,QAAO;AAE9B,MAAI;AACF,WAAAH,IAAeG,EAAI,aAAa,aAAaJ,GAAa;AAAA,MACxD,YAAY,CAACK,MAAkBC,EAAiBD,CAAK;AAAA,IAAA,CACtD,GACMJ;AAAA,EACT,QAAQ;AAEN,mBAAQ,KAAK,kDAAkDD,CAAW,GAAG,GACtE;AAAA,EACT;AACF,GASMO,wBAA2B,IAAI;AAAA,EACnC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC,GAMKC,wBAAqB,IAAI;AAAA,EAC7B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC,GAMKC,wBAAmB,IAAI;AAAA;AAAA,EAE3B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AACF,CAAC,GAKKC,wBAAiC,IAAI;AAAA,EACzC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC,GAKKC,IAA0B,CAAC,MAAM,cAAc,UAAU,QAAQ,GAKjEC,IAAsB,CAAC,eAAe,SAAS,aAAa,OAAO,GAUnEC,IAAqB,CACzBC,GACAC,GACAC,MACY;AACZ,QAAMC,IAAYH,EAAK,YAAA;AAGvB,aAAWI,KAAUP;AACnB,QAAIM,EAAU,WAAWC,CAAM,EAAG,QAAO;AAO3C,SAHIF,KAAkBC,EAAU,WAAW,OAAO,KAG9CA,EAAU,WAAW,OAAO,IAAU,KAGnCF,EAAW,IAAIE,CAAS;AACjC,GAMME,IAAiB,CAACC,MAA2B;AACjD,QAAMC,IAAaD,EAAM,YAAA,EAAc,KAAA;AACvC,SAAO,CAACX,EAAa,IAAIY,CAAU;AACrC,GAOMC,IAAe,CAACF,MACpBA,EAEG,QAAQ,2BAA2B,EAAE,EAErC,QAAQ,uCAAuC,EAAE,EAEjD,QAAQ,qBAAqB,EAAE,EAE/B,QAAQ,QAAQ,EAAE,EAElB,YAAA,GAMCG,IAAY,CAACH,MAA2B;AAC5C,QAAMI,IAAaF,EAAaF,CAAK;AACrC,aAAWK,KAAYb;AACrB,QAAIY,EAAW,WAAWC,CAAQ,EAAG,QAAO;AAE9C,SAAO;AACT,GAMMnB,IAAmB,CAACoB,GAAcC,IAA2B,OAAe;AAChF,QAAM;AAAA,IACJ,WAAAC,IAAY,CAAA;AAAA,IACZ,iBAAAC,IAAkB,CAAA;AAAA,IAClB,qBAAAC,IAAsB;AAAA,IACtB,cAAAC,IAAe;AAAA,EAAA,IACbJ,GAGEK,IAAc,IAAI;AAAA,IACtB,CAAC,GAAGzB,GAAsB,GAAGqB,EAAU,IAAI,CAACK,MAAMA,EAAE,aAAa,CAAC,EAAE;AAAA,MAClE,CAACC,MAAQ,CAAC1B,EAAe,IAAI0B,CAAG;AAAA,IAAA;AAAA,EAClC,GAEIC,wBAAmB,IAAI;AAAA,IAC3B,GAAGzB;AAAA,IACH,GAAGmB,EAAgB,IAAI,CAACO,MAAMA,EAAE,aAAa;AAAA,EAAA,CAC9C,GAGKC,IAAW,SAAS,cAAc,UAAU;AAGlD,MAFAA,EAAS,YAAYX,GAEjBK;AACF,WAAOM,EAAS,QAAQ,eAAe;AAIzC,QAAMC,IAAS,SAAS,iBAAiBD,EAAS,SAAS,WAAW,YAAY,GAE5EE,IAAsB,CAAA;AAE5B,SAAOD,EAAO,cAAY;AACxB,UAAME,IAAKF,EAAO,aACZG,IAAUD,EAAG,QAAQ,YAAA;AAG3B,QAAIhC,EAAe,IAAIiC,CAAO,GAAG;AAC/B,MAAAF,EAAS,KAAKC,CAAE;AAChB;AAAA,IACF;AAGA,QAAI,CAACR,EAAY,IAAIS,CAAO,GAAG;AAC7B,MAAAF,EAAS,KAAKC,CAAE;AAChB;AAAA,IACF;AAGA,UAAME,IAA0B,CAAA;AAChC,eAAWC,KAAQ,MAAM,KAAKH,EAAG,UAAU,GAAG;AAC5C,YAAMI,IAAWD,EAAK,KAAK,YAAA;AAG3B,UAAI,CAAC9B,EAAmB+B,GAAUT,GAAcL,CAAmB,GAAG;AACpE,QAAAY,EAAc,KAAKC,EAAK,IAAI;AAC5B;AAAA,MACF;AAGA,WAAKC,MAAa,QAAQA,MAAa,WAAW,CAACzB,EAAewB,EAAK,KAAK,GAAG;AAC7E,QAAAD,EAAc,KAAKC,EAAK,IAAI;AAC5B;AAAA,MACF;AAGA,OACGC,MAAa,UAAUA,MAAa,SAASA,MAAa,aAC3D,CAACrB,EAAUoB,EAAK,KAAK,KAErBD,EAAc,KAAKC,EAAK,IAAI;AAAA,IAEhC;AAGA,eAAWC,KAAYF;AACrB,MAAAF,EAAG,gBAAgBI,CAAQ;AAAA,EAE/B;AAGA,aAAWJ,KAAMD;AACf,IAAAC,EAAG,OAAA;AAGL,SAAOH,EAAS;AAClB,GAoBaQ,IAAe,CAACnB,GAAcC,IAA2B,OAC7DrB,EAAiBoB,GAAMC,CAAO,GAU1BmB,IAAoB,CAACpB,MAAuC;AACvE,QAAMqB,IAAS5C,EAAA;AACf,SAAI4C,IACKA,EAAO,WAAWrB,CAAI,IAExBmB,EAAanB,CAAI;AAC1B,GAeasB,IAAa,CAACC,MAAyB;AAClD,QAAMC,IAAoC;AAAA,IACxC,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,EAAA;AAEP,SAAOD,EAAK,QAAQ,aAAa,CAACE,MAASD,EAAUC,CAAI,CAAC;AAC5D,GAQaC,IAAY,CAAC1B,MACjBpB,EAAiBoB,GAAM,EAAE,cAAc,IAAM,GAczC2B,IAAgB,CAACC,IAAiB,OAAe;AAC5D,QAAMC,IAAQ,IAAI,WAAWD,CAAM;AACnC,gBAAO,gBAAgBC,CAAK,GACrB,KAAK,OAAO,aAAa,GAAGA,CAAK,CAAC,EACtC,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,MAAM,EAAE;AACrB,GASaC,IAAkB,CAACC,MAA+B;AAE7D,QAAMC,IAAO,SAAS,cAAc,4CAA4C;AAChF,SAAIA,KACcA,EAAK,aAAa,SAAS,KAAK,IACjC,SAASD,CAAS,IAE5B;AACT;"}

package/package.json CHANGED Viewed

@@ -1,120 +1,120 @@
-{
-  "name": "@bquery/bquery",
-  "version": "1.0.2",
-  "description": "The jQuery for the Modern Web Platform - Zero build, TypeScript-first library with reactivity, components, and motion",
-  "type": "module",
-  "main": "./dist/full.umd.js",
-  "module": "./dist/index.es.mjs",
-  "types": "./dist/index.d.ts",
-  "unpkg": "./dist/full.umd.js",
-  "jsdelivr": "./dist/full.umd.js",
-  "exports": {
-    ".": {
-      "import": "./dist/index.es.mjs",
-      "require": "./dist/full.umd.js",
-      "types": "./dist/index.d.ts"
-    },
-    "./full": {
-      "import": "./dist/full.es.mjs",
-      "require": "./dist/full.umd.js",
-      "types": "./dist/full.d.ts"
-    },
-    "./core": {
-      "import": "./dist/core.es.mjs",
-      "types": "./dist/core/index.d.ts"
-    },
-    "./reactive": {
-      "import": "./dist/reactive.es.mjs",
-      "types": "./dist/reactive/index.d.ts"
-    },
-    "./component": {
-      "import": "./dist/component.es.mjs",
-      "types": "./dist/component/index.d.ts"
-    },
-    "./motion": {
-      "import": "./dist/motion.es.mjs",
-      "types": "./dist/motion/index.d.ts"
-    },
-    "./security": {
-      "import": "./dist/security.es.mjs",
-      "types": "./dist/security/index.d.ts"
-    },
-    "./platform": {
-      "import": "./dist/platform.es.mjs",
-      "types": "./dist/platform/index.d.ts"
-    }
-  },
-  "files": [
-    "dist",
-    "src",
-    "README.md",
-    "LICENSE.md"
-  ],
-  "sideEffects": false,
-  "scripts": {
-    "dev": "vitepress dev docs",
-    "build:docs": "vitepress build docs",
-    "preview": "vitepress preview docs",
-    "playground": "vite dev playground",
-    "build": "bun run build:lib && bun run build:umd && bun run build:types",
-    "build:lib": "vite build",
-    "build:umd": "vite build --config vite.umd.config.ts",
-    "build:types": "tsc --emitDeclarationOnly --outDir dist",
-    "test": "bun test",
-    "test:watch": "bun test --watch",
-    "lint": "eslint . --fix",
-    "lint:types": "tsc --noEmit",
-    "format": "prettier --write .",
-    "format:check": "prettier --check .",
-    "docs:api": "typedoc",
-    "clean": "rimraf dist",
-    "prepublishOnly": "bun run clean && bun run build && bun test"
-  },
-  "keywords": [
-    "dom",
-    "manipulation",
-    "jquery",
-    "modern",
-    "typescript",
-    "signals",
-    "reactive",
-    "components",
-    "web-components",
-    "animation",
-    "motion",
-    "zero-build",
-    "cdn"
-  ],
-  "author": "Jonas Pfalzgraf <support@josunlp.de>",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/bquery/bquery.git"
-  },
-  "homepage": "https://bquery.flausch-code.de",
-  "bugs": {
-    "url": "https://github.com/bquery/bquery/issues"
-  },
-  "publishConfig": {
-    "access": "public",
-    "registry": "https://registry.npmjs.org/"
-  },
-  "engines": {
-    "node": ">=18.0.0"
-  },
-  "devDependencies": {
-    "@typescript-eslint/eslint-plugin": "^8.18.0",
-    "@typescript-eslint/parser": "^8.18.0",
-    "bun-types": "^1.1.26",
-    "eslint": "^9.8.0",
-    "eslint-config-prettier": "^9.1.0",
-    "globals": "^15.9.0",
-    "happy-dom": "^20.3.4",
-    "prettier": "^3.3.3",
-    "rimraf": "^5.0.5",
-    "typedoc": "^0.25.13",
-    "typescript": "^5.5.4",
-    "vite": "^5.4.3",
-    "vitepress": "^1.3.1"
-  }
-}
+{
+  "name": "@bquery/bquery",
+  "version": "1.1.0",
+  "description": "The jQuery for the Modern Web Platform - Zero build, TypeScript-first library with reactivity, components, and motion",
+  "type": "module",
+  "main": "./dist/full.umd.js",
+  "module": "./dist/index.es.mjs",
+  "types": "./dist/index.d.ts",
+  "unpkg": "./dist/full.umd.js",
+  "jsdelivr": "./dist/full.umd.js",
+  "exports": {
+    ".": {
+      "import": "./dist/index.es.mjs",
+      "require": "./dist/full.umd.js",
+      "types": "./dist/index.d.ts"
+    },
+    "./full": {
+      "import": "./dist/full.es.mjs",
+      "require": "./dist/full.umd.js",
+      "types": "./dist/full.d.ts"
+    },
+    "./core": {
+      "import": "./dist/core.es.mjs",
+      "types": "./dist/core/index.d.ts"
+    },
+    "./reactive": {
+      "import": "./dist/reactive.es.mjs",
+      "types": "./dist/reactive/index.d.ts"
+    },
+    "./component": {
+      "import": "./dist/component.es.mjs",
+      "types": "./dist/component/index.d.ts"
+    },
+    "./motion": {
+      "import": "./dist/motion.es.mjs",
+      "types": "./dist/motion/index.d.ts"
+    },
+    "./security": {
+      "import": "./dist/security.es.mjs",
+      "types": "./dist/security/index.d.ts"
+    },
+    "./platform": {
+      "import": "./dist/platform.es.mjs",
+      "types": "./dist/platform/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "src",
+    "README.md",
+    "LICENSE.md"
+  ],
+  "sideEffects": false,
+  "scripts": {
+    "dev": "vitepress dev docs",
+    "build:docs": "vitepress build docs",
+    "preview": "vitepress preview docs",
+    "playground": "vite dev playground",
+    "build": "bun run build:lib && bun run build:umd && bun run build:types",
+    "build:lib": "vite build",
+    "build:umd": "vite build --config vite.umd.config.ts",
+    "build:types": "tsc --emitDeclarationOnly --outDir dist",
+    "test": "bun test",
+    "test:watch": "bun test --watch",
+    "lint": "eslint . --fix",
+    "lint:types": "tsc --noEmit",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "docs:api": "typedoc",
+    "clean": "rimraf dist",
+    "prepublishOnly": "bun run clean && bun run build && bun test"
+  },
+  "keywords": [
+    "dom",
+    "manipulation",
+    "jquery",
+    "modern",
+    "typescript",
+    "signals",
+    "reactive",
+    "components",
+    "web-components",
+    "animation",
+    "motion",
+    "zero-build",
+    "cdn"
+  ],
+  "author": "Jonas Pfalzgraf <support@josunlp.de>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/bQuery/bQuery.git"
+  },
+  "homepage": "https://bQuery.flausch-code.de",
+  "bugs": {
+    "url": "https://github.com/bQuery/bQuery/issues"
+  },
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "devDependencies": {
+    "@typescript-eslint/eslint-plugin": "^8.53.1",
+    "@typescript-eslint/parser": "^8.53.1",
+    "bun-types": "^1.3.6",
+    "eslint": "^9.39.2",
+    "eslint-config-prettier": "^9.1.2",
+    "globals": "^15.15.0",
+    "happy-dom": "^20.3.7",
+    "prettier": "^3.8.1",
+    "rimraf": "^5.0.10",
+    "typedoc": "^0.25.13",
+    "typescript": "^5.9.3",
+    "vite": "^5.4.21",
+    "vitepress": "^1.6.4"
+  }
+}