npm - @bquery/bquery - Versions diffs - 1.1.0 → 1.1.2 - Mend

@bquery/bquery 1.1.0 → 1.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +3 -0
package/dist/full.iife.js +1 -1
package/dist/full.iife.js.map +1 -1
package/dist/full.umd.js +1 -1
package/dist/full.umd.js.map +1 -1
package/dist/security/sanitize.d.ts.map +1 -1
package/dist/security.es.mjs +95 -74
package/dist/security.es.mjs.map +1 -1
package/package.json +120 -120
package/src/security/sanitize.ts +72 -0

package/src/security/sanitize.ts CHANGED Viewed

@@ -261,11 +261,13 @@ const DEFAULT_ALLOWED_ATTRIBUTES = new Set([
   'lang',
   'loading',
   'name',
+  'rel',
   'role',
   'src',
   'srcset',
   'style',
   'tabindex',
+  'target',
   'title',
   'type',
   'width',
@@ -351,6 +353,54 @@ const isSafeUrl = (value: string): boolean => {
   return true;
 };
+/**
+ * Check if a URL is external (different origin).
+ * @internal
+ */
+const isExternalUrl = (url: string): boolean => {
+  try {
+    // Normalize URL by trimming whitespace
+    const trimmedUrl = url.trim();
+    // Protocol-relative URLs (//example.com) are always external.
+    // CRITICAL: This check must run before the relative-URL check below;
+    // otherwise, a protocol-relative URL like "//evil.com" would be treated
+    // as a non-http(s) relative URL and incorrectly classified as same-origin.
+    // Handling them up front guarantees correct security classification.
+    if (trimmedUrl.startsWith('//')) {
+      return true;
+    }
+    // Normalize URL for case-insensitive protocol checks
+    const lowerUrl = trimmedUrl.toLowerCase();
+    // Check for non-http(s) protocols which are considered external/special
+    // (mailto:, tel:, ftp:, etc.)
+    const hasProtocol = /^[a-z][a-z0-9+.-]*:/i.test(trimmedUrl);
+    if (hasProtocol && !lowerUrl.startsWith('http://') && !lowerUrl.startsWith('https://')) {
+      // These are special protocols, not traditional "external" links
+      // but we treat them as external for security consistency
+      return true;
+    }
+    // Relative URLs are not external
+    if (!lowerUrl.startsWith('http://') && !lowerUrl.startsWith('https://')) {
+      return false;
+    }
+    // In non-browser environments (e.g., Node.js), treat all absolute URLs as external
+    if (typeof window === 'undefined' || !window.location) {
+      return true;
+    }
+    const urlObj = new URL(trimmedUrl, window.location.href);
+    return urlObj.origin !== window.location.origin;
+  } catch {
+    // If URL parsing fails, treat as potentially external for safety
+    return true;
+  }
+};
 /**
  * Core sanitization logic (without Trusted Types wrapper).
  * @internal
@@ -433,6 +483,28 @@ const sanitizeHtmlCore = (html: string, options: SanitizeOptions = {}): string =
     for (const attrName of attrsToRemove) {
       el.removeAttribute(attrName);
     }
+    // Add rel="noopener noreferrer" to external links for security
+    if (tagName === 'a') {
+      const href = el.getAttribute('href');
+      const target = el.getAttribute('target');
+      const hasTargetBlank = target?.toLowerCase() === '_blank';
+      const isExternal = href && isExternalUrl(href);
+      // Add security attributes to links opening in new window or external links
+      if (hasTargetBlank || isExternal) {
+        const existingRel = el.getAttribute('rel');
+        const relValues = new Set(
+          existingRel ? existingRel.split(/\s+/).filter(Boolean) : []
+        );
+        // Add noopener and noreferrer
+        relValues.add('noopener');
+        relValues.add('noreferrer');
+        el.setAttribute('rel', Array.from(relValues).join(' '));
+      }
+    }
   }
   // Remove disallowed elements