@bquery/bquery 1.2.0 → 1.4.0

package/dist/sanitize-Cxvxa-DX.js

@@ -0,0 +1,283 @@
+const P = "bquery-sanitizer", N = /* @__PURE__ */ new Set([
+  "a",
+  "abbr",
+  "address",
+  "article",
+  "aside",
+  "b",
+  "bdi",
+  "bdo",
+  "blockquote",
+  "br",
+  "button",
+  "caption",
+  "cite",
+  "code",
+  "col",
+  "colgroup",
+  "data",
+  "dd",
+  "del",
+  "details",
+  "dfn",
+  "div",
+  "dl",
+  "dt",
+  "em",
+  "figcaption",
+  "figure",
+  "footer",
+  "form",
+  "h1",
+  "h2",
+  "h3",
+  "h4",
+  "h5",
+  "h6",
+  "header",
+  "hgroup",
+  "hr",
+  "i",
+  "img",
+  "input",
+  "ins",
+  "kbd",
+  "label",
+  "legend",
+  "li",
+  "main",
+  "mark",
+  "nav",
+  "ol",
+  "optgroup",
+  "option",
+  "p",
+  "picture",
+  "pre",
+  "progress",
+  "q",
+  "rp",
+  "rt",
+  "ruby",
+  "s",
+  "samp",
+  "section",
+  "select",
+  "small",
+  "source",
+  "span",
+  "strong",
+  "sub",
+  "summary",
+  "sup",
+  "table",
+  "tbody",
+  "td",
+  "textarea",
+  "tfoot",
+  "th",
+  "thead",
+  "time",
+  "tr",
+  "u",
+  "ul",
+  "var",
+  "wbr"
+]), A = /* @__PURE__ */ new Set([
+  "script",
+  "iframe",
+  "frame",
+  "frameset",
+  "object",
+  "embed",
+  "applet",
+  "link",
+  "meta",
+  "style",
+  "base",
+  "template",
+  "slot",
+  "math",
+  "svg",
+  "foreignobject",
+  "noscript"
+]), D = /* @__PURE__ */ new Set([
+  // Global objects
+  "document",
+  "window",
+  "location",
+  "top",
+  "self",
+  "parent",
+  "frames",
+  "history",
+  "navigator",
+  "screen",
+  // Dangerous functions
+  "alert",
+  "confirm",
+  "prompt",
+  "eval",
+  "function",
+  // Document properties
+  "cookie",
+  "domain",
+  "referrer",
+  "body",
+  "head",
+  "forms",
+  "images",
+  "links",
+  "scripts",
+  // DOM traversal properties
+  "children",
+  "parentnode",
+  "firstchild",
+  "lastchild",
+  // Content manipulation
+  "innerhtml",
+  "outerhtml",
+  "textcontent"
+]), F = /* @__PURE__ */ new Set([
+  "alt",
+  "class",
+  "dir",
+  "height",
+  "hidden",
+  "href",
+  "id",
+  "lang",
+  "loading",
+  "name",
+  "rel",
+  "role",
+  "src",
+  "srcset",
+  "tabindex",
+  "target",
+  "title",
+  "type",
+  "width",
+  "aria-*"
+]), O = ["on", "formaction", "xlink:", "xmlns:"], R = ["javascript:", "data:", "vbscript:", "file:"], W = (t, e, r) => {
+  const s = t.toLowerCase();
+  for (const c of O)
+    if (s.startsWith(c)) return !1;
+  return r && s.startsWith("data-") || s.startsWith("aria-") ? !0 : e.has(s);
+}, U = (t) => {
+  const e = t.toLowerCase().trim();
+  return !D.has(e);
+}, _ = (t) => t.replace(/[\u0000-\u001F\u007F]+/g, "").replace(/[\u200B-\u200D\uFEFF\u2028\u2029]+/g, "").replace(/\\u[\da-fA-F]{4}/g, "").replace(/\s+/g, "").toLowerCase(), E = (t) => {
+  const e = _(t);
+  for (const r of R)
+    if (e.startsWith(r)) return !1;
+  return !0;
+}, k = (t) => {
+  const e = t.split(",");
+  for (const r of e) {
+    const s = r.trim().split(/\s+/)[0];
+    if (s && !E(s)) return !1;
+  }
+  return !0;
+}, H = (t) => {
+  try {
+    const e = t.trim();
+    if (e.startsWith("//"))
+      return !0;
+    const r = e.toLowerCase();
+    return /^[a-z][a-z0-9+.-]*:/i.test(e) && !r.startsWith("http://") && !r.startsWith("https://") ? !0 : !r.startsWith("http://") && !r.startsWith("https://") ? !1 : typeof window > "u" || !window.location ? !0 : new URL(e, window.location.href).origin !== window.location.origin;
+  } catch {
+    return !0;
+  }
+}, z = (t) => new DOMParser().parseFromString(t, "text/html"), S = (t) => {
+  const e = (typeof t == "string" ? t : String(t ?? "")).trim(), r = document.createDocumentFragment();
+  if (e.length === 0)
+    return r;
+  if (!(e.includes("<") || e.includes(">")))
+    return r.appendChild(document.createTextNode(e)), r;
+  const l = z(e).body;
+  if (!l)
+    return r;
+  for (; l.firstChild; )
+    r.appendChild(l.firstChild);
+  return r;
+}, T = (t, e = {}) => {
+  const {
+    allowTags: r = [],
+    allowAttributes: s = [],
+    allowDataAttributes: c = !0,
+    stripAllTags: l = !1
+  } = e, y = new Set(
+    [...N, ...r.map((o) => o.toLowerCase())].filter(
+      (o) => !A.has(o)
+    )
+  ), L = /* @__PURE__ */ new Set([
+    ...F,
+    ...s.map((o) => o.toLowerCase())
+  ]), d = S(t);
+  if (l)
+    return d.textContent ?? "";
+  const p = document.createTreeWalker(d, NodeFilter.SHOW_ELEMENT), f = [];
+  for (; p.nextNode(); ) {
+    const o = p.currentNode, i = o.tagName.toLowerCase();
+    if (A.has(i)) {
+      f.push(o);
+      continue;
+    }
+    if (!y.has(i)) {
+      f.push(o);
+      continue;
+    }
+    const u = [];
+    for (const n of Array.from(o.attributes)) {
+      const a = n.name.toLowerCase();
+      if (!W(a, L, c)) {
+        u.push(n.name);
+        continue;
+      }
+      if ((a === "id" || a === "name") && !U(n.value)) {
+        u.push(n.name);
+        continue;
+      }
+      if ((a === "href" || a === "src" || a === "action") && !E(n.value)) {
+        u.push(n.name);
+        continue;
+      }
+      a === "srcset" && !k(n.value) && u.push(n.name);
+    }
+    for (const n of u)
+      o.removeAttribute(n);
+    if (i === "a") {
+      const n = o.getAttribute("href"), C = o.getAttribute("target")?.toLowerCase() === "_blank", v = n && H(n);
+      if (C || v) {
+        const b = o.getAttribute("rel"), m = new Set(b ? b.split(/\s+/).filter(Boolean) : []);
+        m.add("noopener"), m.add("noreferrer"), o.setAttribute("rel", Array.from(m).join(" "));
+      }
+    }
+  }
+  for (const o of f)
+    o.remove();
+  const h = (o) => {
+    const i = document.createElement("div");
+    return i.appendChild(o.cloneNode(!0)), i.innerHTML;
+  }, g = h(d), x = S(g), w = h(x);
+  return g !== w ? d.textContent ?? "" : w;
+}, j = (t, e = {}) => T(t, e), G = (t) => {
+  const e = {
+    "&": "&amp;",
+    "<": "&lt;",
+    ">": "&gt;",
+    '"': "&quot;",
+    "'": "&#x27;",
+    "`": "&#x60;"
+  };
+  return t.replace(/[&<>"'`]/g, (r) => e[r]);
+}, I = (t) => T(t, { stripAllTags: !0 });
+export {
+  P,
+  I as a,
+  T as b,
+  G as e,
+  j as s
+};
+//# sourceMappingURL=sanitize-Cxvxa-DX.js.map

package/dist/sanitize-Cxvxa-DX.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize-Cxvxa-DX.js","sources":["../src/security/constants.ts","../src/security/sanitize-core.ts","../src/security/sanitize.ts"],"sourcesContent":["/**\n * Security constants and safe lists.\n *\n * @module bquery/security\n */\n\n/**\n * Trusted Types policy name.\n */\nexport const POLICY_NAME = 'bquery-sanitizer';\n\n/**\n * Default allowed HTML tags considered safe.\n */\nexport const DEFAULT_ALLOWED_TAGS = new Set([\n  'a',\n  'abbr',\n  'address',\n  'article',\n  'aside',\n  'b',\n  'bdi',\n  'bdo',\n  'blockquote',\n  'br',\n  'button',\n  'caption',\n  'cite',\n  'code',\n  'col',\n  'colgroup',\n  'data',\n  'dd',\n  'del',\n  'details',\n  'dfn',\n  'div',\n  'dl',\n  'dt',\n  'em',\n  'figcaption',\n  'figure',\n  'footer',\n  'form',\n  'h1',\n  'h2',\n  'h3',\n  'h4',\n  'h5',\n  'h6',\n  'header',\n  'hgroup',\n  'hr',\n  'i',\n  'img',\n  'input',\n  'ins',\n  'kbd',\n  'label',\n  'legend',\n  'li',\n  'main',\n  'mark',\n  'nav',\n  'ol',\n  'optgroup',\n  'option',\n  'p',\n  'picture',\n  'pre',\n  'progress',\n  'q',\n  'rp',\n  'rt',\n  'ruby',\n  's',\n  'samp',\n  'section',\n  'select',\n  'small',\n  'source',\n  'span',\n  'strong',\n  'sub',\n  'summary',\n  'sup',\n  'table',\n  'tbody',\n  'td',\n  'textarea',\n  'tfoot',\n  'th',\n  'thead',\n  'time',\n  'tr',\n  'u',\n  'ul',\n  'var',\n  'wbr',\n]);\n\n/**\n * Explicitly dangerous tags that should never be allowed.\n * These are checked even if somehow added to allowTags.\n */\nexport const DANGEROUS_TAGS = new Set([\n  'script',\n  'iframe',\n  'frame',\n  'frameset',\n  'object',\n  'embed',\n  'applet',\n  'link',\n  'meta',\n  'style',\n  'base',\n  'template',\n  'slot',\n  'math',\n  'svg',\n  'foreignobject',\n  'noscript',\n]);\n\n/**\n * Reserved IDs that could cause DOM clobbering attacks.\n * These are prevented to avoid overwriting global browser objects.\n */\nexport const RESERVED_IDS = new Set([\n  // Global objects\n  'document',\n  'window',\n  'location',\n  'top',\n  'self',\n  'parent',\n  'frames',\n  'history',\n  'navigator',\n  'screen',\n  // Dangerous functions\n  'alert',\n  'confirm',\n  'prompt',\n  'eval',\n  'function',\n  // Document properties\n  'cookie',\n  'domain',\n  'referrer',\n  'body',\n  'head',\n  'forms',\n  'images',\n  'links',\n  'scripts',\n  // DOM traversal properties\n  'children',\n  'parentnode',\n  'firstchild',\n  'lastchild',\n  // Content manipulation\n  'innerhtml',\n  'outerhtml',\n  'textcontent',\n]);\n\n/**\n * Default allowed attributes considered safe.\n * Note: 'style' is excluded by default because inline CSS can be abused for:\n * - UI redressing attacks\n * - Data exfiltration via url() in CSS\n * - CSS injection vectors\n * If you need to allow inline styles, add 'style' to allowAttributes in your\n * sanitizeHtml options, but ensure you implement proper CSS value validation.\n */\nexport const DEFAULT_ALLOWED_ATTRIBUTES = new Set([\n  'alt',\n  'class',\n  'dir',\n  'height',\n  'hidden',\n  'href',\n  'id',\n  'lang',\n  'loading',\n  'name',\n  'rel',\n  'role',\n  'src',\n  'srcset',\n  'tabindex',\n  'target',\n  'title',\n  'type',\n  'width',\n  'aria-*',\n]);\n\n/**\n * Dangerous attribute prefixes to always remove.\n */\nexport const DANGEROUS_ATTR_PREFIXES = ['on', 'formaction', 'xlink:', 'xmlns:'];\n\n/**\n * Dangerous URL protocols to block.\n */\nexport const DANGEROUS_PROTOCOLS = ['javascript:', 'data:', 'vbscript:', 'file:'];\n","/**\r\n * Core HTML sanitization logic.\r\n *\r\n * @module bquery/security\r\n * @internal\r\n */\r\n\r\nimport {\r\n  DANGEROUS_ATTR_PREFIXES,\r\n  DANGEROUS_PROTOCOLS,\r\n  DANGEROUS_TAGS,\r\n  DEFAULT_ALLOWED_ATTRIBUTES,\r\n  DEFAULT_ALLOWED_TAGS,\r\n  RESERVED_IDS,\r\n} from './constants';\r\nimport type { SanitizeOptions } from './types';\r\n\r\n/**\r\n * Check if an attribute name is allowed.\r\n * @internal\r\n */\r\nconst isAllowedAttribute = (\r\n  name: string,\r\n  allowedSet: Set<string>,\r\n  allowDataAttrs: boolean\r\n): boolean => {\r\n  const lowerName = name.toLowerCase();\r\n\r\n  // Check dangerous prefixes\r\n  for (const prefix of DANGEROUS_ATTR_PREFIXES) {\r\n    if (lowerName.startsWith(prefix)) return false;\r\n  }\r\n\r\n  // Check data attributes\r\n  if (allowDataAttrs && lowerName.startsWith('data-')) return true;\r\n\r\n  // Check aria attributes (allowed by default)\r\n  if (lowerName.startsWith('aria-')) return true;\r\n\r\n  // Check explicit allow list\r\n  return allowedSet.has(lowerName);\r\n};\r\n\r\n/**\r\n * Check if an ID/name value could cause DOM clobbering.\r\n * @internal\r\n */\r\nconst isSafeIdOrName = (value: string): boolean => {\r\n  const lowerValue = value.toLowerCase().trim();\r\n  return !RESERVED_IDS.has(lowerValue);\r\n};\r\n\r\n/**\r\n * Normalize URL by removing control characters, whitespace, and Unicode tricks.\r\n * Enhanced to prevent various bypass techniques.\r\n * @internal\r\n */\r\nconst normalizeUrl = (value: string): string =>\r\n  value\r\n    // Remove null bytes and control characters\r\n    .replace(/[\\u0000-\\u001F\\u007F]+/g, '')\r\n    // Remove zero-width characters that could hide malicious content\r\n    .replace(/[\\u200B-\\u200D\\uFEFF\\u2028\\u2029]+/g, '')\r\n    // Remove escaped Unicode sequences\r\n    .replace(/\\\\u[\\da-fA-F]{4}/g, '')\r\n    // Remove whitespace\r\n    .replace(/\\s+/g, '')\r\n    // Normalize case\r\n    .toLowerCase();\r\n\r\n/**\r\n * Check if a URL value is safe.\r\n * @internal\r\n */\r\nconst isSafeUrl = (value: string): boolean => {\r\n  const normalized = normalizeUrl(value);\r\n  for (const protocol of DANGEROUS_PROTOCOLS) {\r\n    if (normalized.startsWith(protocol)) return false;\r\n  }\r\n  return true;\r\n};\r\n\r\n/**\r\n * Check if a srcset attribute value is safe.\r\n * srcset contains comma-separated entries of \"url [descriptor]\".\r\n * Each individual URL must be validated.\r\n * @internal\r\n */\r\nconst isSafeSrcset = (value: string): boolean => {\r\n  const entries = value.split(',');\r\n  for (const entry of entries) {\r\n    const url = entry.trim().split(/\\s+/)[0];\r\n    if (url && !isSafeUrl(url)) return false;\r\n  }\r\n  return true;\r\n};\r\n\r\n/**\r\n * Check if a URL is external (different origin).\r\n * @internal\r\n */\r\nconst isExternalUrl = (url: string): boolean => {\r\n  try {\r\n    // Normalize URL by trimming whitespace\r\n    const trimmedUrl = url.trim();\r\n\r\n    // Protocol-relative URLs (//example.com) are always external.\r\n    // CRITICAL: This check must run before the relative-URL check below;\r\n    // otherwise, a protocol-relative URL like \"//evil.com\" would be treated\r\n    // as a non-http(s) relative URL and incorrectly classified as same-origin.\r\n    // Handling them up front guarantees correct security classification.\r\n    if (trimmedUrl.startsWith('//')) {\r\n      return true;\r\n    }\r\n\r\n    // Normalize URL for case-insensitive protocol checks\r\n    const lowerUrl = trimmedUrl.toLowerCase();\r\n\r\n    // Check for non-http(s) protocols which are considered external/special\r\n    // (mailto:, tel:, ftp:, etc.)\r\n    const hasProtocol = /^[a-z][a-z0-9+.-]*:/i.test(trimmedUrl);\r\n    if (hasProtocol && !lowerUrl.startsWith('http://') && !lowerUrl.startsWith('https://')) {\r\n      // These are special protocols, not traditional \"external\" links\r\n      // but we treat them as external for security consistency\r\n      return true;\r\n    }\r\n\r\n    // Relative URLs are not external\r\n    if (!lowerUrl.startsWith('http://') && !lowerUrl.startsWith('https://')) {\r\n      return false;\r\n    }\r\n\r\n    // In non-browser environments (e.g., Node.js), treat all absolute URLs as external\r\n    if (typeof window === 'undefined' || !window.location) {\r\n      return true;\r\n    }\r\n\r\n    const urlObj = new URL(trimmedUrl, window.location.href);\r\n    return urlObj.origin !== window.location.origin;\r\n  } catch {\r\n    // If URL parsing fails, treat as potentially external for safety\r\n    return true;\r\n  }\r\n};\r\n\r\n/**\r\n * Parse an HTML string into a Document using DOMParser.\r\n * This helper is intentionally separated to make the control-flow around HTML parsing\r\n * explicit for static analysis tools. It should ONLY be called when the input is\r\n * known to contain HTML syntax (angle brackets).\r\n *\r\n * DOMParser creates an inert document where scripts don't execute, making it safe\r\n * for parsing untrusted HTML that will subsequently be sanitized.\r\n *\r\n * @param htmlContent - A string that is known to contain HTML markup (has < or >)\r\n * @returns The parsed Document\r\n * @internal\r\n */\r\nconst parseHtmlDocument = (htmlContent: string): Document => {\r\n  const parser = new DOMParser();\r\n  // Parse as a full HTML document in an inert context; scripts won't execute\r\n  return parser.parseFromString(htmlContent, 'text/html');\r\n};\r\n\r\n/**\r\n * Safely parse HTML string into a DocumentFragment using DOMParser.\r\n * DOMParser is preferred over innerHTML for security as it creates an inert document\r\n * where scripts don't execute and provides better static analysis recognition.\r\n *\r\n * This function includes input normalization to satisfy static analysis tools:\r\n * - Coerces input to string and trims whitespace\r\n * - For plain text (no HTML tags), creates a Text node directly without parsing\r\n * - Only invokes DOMParser for actual HTML-like content via parseHtmlDocument\r\n *\r\n * The separation between plain text handling and HTML parsing is intentional:\r\n * DOM text that contains no HTML syntax is never fed into an HTML parser,\r\n * preventing \"DOM text reinterpreted as HTML\" issues.\r\n *\r\n * @internal\r\n */\r\nconst parseHtmlSafely = (html: string): DocumentFragment => {\r\n  // Step 1: Normalize input - coerce to string and trim\r\n  // This defensive check handles edge cases even though TypeScript says it's a string\r\n  const normalizedHtml = (typeof html === 'string' ? html : String(html ?? '')).trim();\r\n\r\n  // Step 2: Create the fragment that will hold our result\r\n  const fragment = document.createDocumentFragment();\r\n\r\n  // Step 3: Early return for empty input\r\n  if (normalizedHtml.length === 0) {\r\n    return fragment;\r\n  }\r\n\r\n  // Step 4: If input contains no angle brackets, it's plain text - no HTML parsing needed.\r\n  // Plain text is handled as a Text node, never passed to an HTML parser.\r\n  // This explicitly prevents \"DOM text reinterpreted as HTML\" for purely textual inputs.\r\n  const containsHtmlSyntax = normalizedHtml.includes('<') || normalizedHtml.includes('>');\r\n  if (!containsHtmlSyntax) {\r\n    fragment.appendChild(document.createTextNode(normalizedHtml));\r\n    return fragment;\r\n  }\r\n\r\n  // Step 5: Input contains HTML syntax - parse it via the dedicated HTML parsing helper.\r\n  // This separation makes the data-flow explicit: only strings with HTML syntax\r\n  // are passed to DOMParser, satisfying static analysis requirements.\r\n  const doc = parseHtmlDocument(normalizedHtml);\r\n\r\n  // Move all children from the document body into the fragment.\r\n  // This avoids interpolating untrusted HTML into an outer wrapper string.\r\n  const body = doc.body;\r\n\r\n  if (!body) {\r\n    return fragment;\r\n  }\r\n\r\n  while (body.firstChild) {\r\n    fragment.appendChild(body.firstChild);\r\n  }\r\n\r\n  return fragment;\r\n};\r\n\r\n/**\r\n * Core sanitization logic (without Trusted Types wrapper).\r\n * @internal\r\n */\r\nexport const sanitizeHtmlCore = (html: string, options: SanitizeOptions = {}): string => {\r\n  const {\r\n    allowTags = [],\r\n    allowAttributes = [],\r\n    allowDataAttributes = true,\r\n    stripAllTags = false,\r\n  } = options;\r\n\r\n  // Build combined allow sets (excluding dangerous tags even if specified)\r\n  const allowedTags = new Set(\r\n    [...DEFAULT_ALLOWED_TAGS, ...allowTags.map((t) => t.toLowerCase())].filter(\r\n      (tag) => !DANGEROUS_TAGS.has(tag)\r\n    )\r\n  );\r\n  const allowedAttrs = new Set([\r\n    ...DEFAULT_ALLOWED_ATTRIBUTES,\r\n    ...allowAttributes.map((a) => a.toLowerCase()),\r\n  ]);\r\n\r\n  // Use DOMParser for safe HTML parsing (inert context, no script execution)\r\n  const fragment = parseHtmlSafely(html);\r\n\r\n  if (stripAllTags) {\r\n    return fragment.textContent ?? '';\r\n  }\r\n\r\n  // Walk the DOM tree\r\n  const walker = document.createTreeWalker(fragment, NodeFilter.SHOW_ELEMENT);\r\n\r\n  const toRemove: Element[] = [];\r\n\r\n  while (walker.nextNode()) {\r\n    const el = walker.currentNode as Element;\r\n    const tagName = el.tagName.toLowerCase();\r\n\r\n    // Remove explicitly dangerous tags even if in allow list\r\n    if (DANGEROUS_TAGS.has(tagName)) {\r\n      toRemove.push(el);\r\n      continue;\r\n    }\r\n\r\n    // Remove disallowed tags entirely\r\n    if (!allowedTags.has(tagName)) {\r\n      toRemove.push(el);\r\n      continue;\r\n    }\r\n\r\n    // Process attributes\r\n    const attrsToRemove: string[] = [];\r\n    for (const attr of Array.from(el.attributes)) {\r\n      const attrName = attr.name.toLowerCase();\r\n\r\n      // Check if attribute is allowed\r\n      if (!isAllowedAttribute(attrName, allowedAttrs, allowDataAttributes)) {\r\n        attrsToRemove.push(attr.name);\r\n        continue;\r\n      }\r\n\r\n      // Check for DOM clobbering on id and name attributes\r\n      if ((attrName === 'id' || attrName === 'name') && !isSafeIdOrName(attr.value)) {\r\n        attrsToRemove.push(attr.name);\r\n        continue;\r\n      }\r\n\r\n      // Validate URL attributes\r\n      if (\r\n        (attrName === 'href' || attrName === 'src' || attrName === 'action') &&\r\n        !isSafeUrl(attr.value)\r\n      ) {\r\n        attrsToRemove.push(attr.name);\r\n        continue;\r\n      }\r\n\r\n      // Validate srcset URLs individually\r\n      if (attrName === 'srcset' && !isSafeSrcset(attr.value)) {\r\n        attrsToRemove.push(attr.name);\r\n      }\r\n    }\r\n\r\n    // Remove disallowed attributes\r\n    for (const attrName of attrsToRemove) {\r\n      el.removeAttribute(attrName);\r\n    }\r\n\r\n    // Add rel=\"noopener noreferrer\" to external links for security\r\n    if (tagName === 'a') {\r\n      const href = el.getAttribute('href');\r\n      const target = el.getAttribute('target');\r\n      const hasTargetBlank = target?.toLowerCase() === '_blank';\r\n      const isExternal = href && isExternalUrl(href);\r\n\r\n      // Add security attributes to links opening in new window or external links\r\n      if (hasTargetBlank || isExternal) {\r\n        const existingRel = el.getAttribute('rel');\r\n        const relValues = new Set(existingRel ? existingRel.split(/\\s+/).filter(Boolean) : []);\r\n\r\n        // Add noopener and noreferrer\r\n        relValues.add('noopener');\r\n        relValues.add('noreferrer');\r\n\r\n        el.setAttribute('rel', Array.from(relValues).join(' '));\r\n      }\r\n    }\r\n  }\r\n\r\n  // Remove disallowed elements\r\n  for (const el of toRemove) {\r\n    el.remove();\r\n  }\r\n\r\n  // Serialize the sanitized fragment to HTML string.\r\n  // We use a temporary container to get the innerHTML of the fragment.\r\n  const serializeFragment = (frag: DocumentFragment): string => {\r\n    const container = document.createElement('div');\r\n    container.appendChild(frag.cloneNode(true));\r\n    return container.innerHTML;\r\n  };\r\n\r\n  // Double-parse to prevent mutation XSS (mXSS).\r\n  // Browsers may normalize HTML during serialization in ways that could create\r\n  // new dangerous content when re-parsed. By re-parsing the sanitized output\r\n  // and verifying stability, we ensure the final HTML is safe.\r\n  const firstPass = serializeFragment(fragment);\r\n\r\n  // Re-parse through DOMParser for mXSS detection.\r\n  // Using DOMParser instead of innerHTML for security.\r\n  const verifyFragment = parseHtmlSafely(firstPass);\r\n  const secondPass = serializeFragment(verifyFragment);\r\n\r\n  // Verify stability: if content mutates between parses, it indicates mXSS attempt\r\n  if (firstPass !== secondPass) {\r\n    // Content mutated during re-parse - potential mXSS detected.\r\n    // Return safely escaped text content as fallback.\r\n    return fragment.textContent ?? '';\r\n  }\r\n\r\n  return secondPass;\r\n};\r\n","/**\n * Security utilities for HTML sanitization.\n * All DOM writes are sanitized by default to prevent XSS attacks.\n *\n * @module bquery/security\n */\n\nimport { sanitizeHtmlCore } from './sanitize-core';\nimport type { SanitizeOptions } from './types';\nexport { generateNonce } from './csp';\nexport { isTrustedTypesSupported } from './trusted-types';\n\n/**\n * Sanitize HTML string, removing dangerous elements and attributes.\n * Uses Trusted Types when available for CSP compliance.\n *\n * @param html - The HTML string to sanitize\n * @param options - Sanitization options\n * @returns Sanitized HTML string\n *\n * @example\n * ```ts\n * const safe = sanitizeHtml('<div onclick=\"alert(1)\">Hello</div>');\n * // Returns: '<div>Hello</div>'\n * ```\n */\nexport const sanitizeHtml = (html: string, options: SanitizeOptions = {}): string => {\n  return sanitizeHtmlCore(html, options);\n};\n\n/**\n * Escape HTML entities to prevent XSS.\n * Use this for displaying user content as text.\n *\n * @param text - The text to escape\n * @returns Escaped HTML string\n *\n * @example\n * ```ts\n * escapeHtml('<script>alert(1)</script>');\n * // Returns: '&lt;script&gt;alert(1)&lt;/script&gt;'\n * ```\n */\nexport const escapeHtml = (text: string): string => {\n  const escapeMap: Record<string, string> = {\n    '&': '&amp;',\n    '<': '&lt;',\n    '>': '&gt;',\n    '\"': '&quot;',\n    \"'\": '&#x27;',\n    '`': '&#x60;',\n  };\n  return text.replace(/[&<>\"'`]/g, (char) => escapeMap[char]);\n};\n\n/**\n * Strip all HTML tags and return plain text.\n *\n * @param html - The HTML string to strip\n * @returns Plain text content\n */\nexport const stripTags = (html: string): string => {\n  return sanitizeHtmlCore(html, { stripAllTags: true });\n};\n\nexport type { SanitizeOptions } from './types';\n"],"names":["POLICY_NAME","DEFAULT_ALLOWED_TAGS","DANGEROUS_TAGS","RESERVED_IDS","DEFAULT_ALLOWED_ATTRIBUTES","DANGEROUS_ATTR_PREFIXES","DANGEROUS_PROTOCOLS","isAllowedAttribute","name","allowedSet","allowDataAttrs","lowerName","prefix","isSafeIdOrName","value","lowerValue","normalizeUrl","isSafeUrl","normalized","protocol","isSafeSrcset","entries","entry","url","isExternalUrl","trimmedUrl","lowerUrl","parseHtmlDocument","htmlContent","parseHtmlSafely","html","normalizedHtml","fragment","body","sanitizeHtmlCore","options","allowTags","allowAttributes","allowDataAttributes","stripAllTags","allowedTags","t","tag","allowedAttrs","a","walker","toRemove","el","tagName","attrsToRemove","attr","attrName","href","hasTargetBlank","isExternal","existingRel","relValues","serializeFragment","frag","container","firstPass","verifyFragment","secondPass","sanitizeHtml","escapeHtml","text","escapeMap","char","stripTags"],"mappings":"AASO,MAAMA,IAAc,oBAKdC,wBAA2B,IAAI;AAAA,EAC1C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC,GAMYC,wBAAqB,IAAI;AAAA,EACpC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC,GAMYC,wBAAmB,IAAI;AAAA;AAAA,EAElC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA;AAAA,EAEA;AAAA,EACA;AAAA,EACA;AACF,CAAC,GAWYC,wBAAiC,IAAI;AAAA,EAChD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC,GAKYC,IAA0B,CAAC,MAAM,cAAc,UAAU,QAAQ,GAKjEC,IAAsB,CAAC,eAAe,SAAS,aAAa,OAAO,GC3L1EC,IAAqB,CACzBC,GACAC,GACAC,MACY;AACZ,QAAMC,IAAYH,EAAK,YAAA;AAGvB,aAAWI,KAAUP;AACnB,QAAIM,EAAU,WAAWC,CAAM,EAAG,QAAO;AAO3C,SAHIF,KAAkBC,EAAU,WAAW,OAAO,KAG9CA,EAAU,WAAW,OAAO,IAAU,KAGnCF,EAAW,IAAIE,CAAS;AACjC,GAMME,IAAiB,CAACC,MAA2B;AACjD,QAAMC,IAAaD,EAAM,YAAA,EAAc,KAAA;AACvC,SAAO,CAACX,EAAa,IAAIY,CAAU;AACrC,GAOMC,IAAe,CAACF,MACpBA,EAEG,QAAQ,2BAA2B,EAAE,EAErC,QAAQ,uCAAuC,EAAE,EAEjD,QAAQ,qBAAqB,EAAE,EAE/B,QAAQ,QAAQ,EAAE,EAElB,YAAA,GAMCG,IAAY,CAACH,MAA2B;AAC5C,QAAMI,IAAaF,EAAaF,CAAK;AACrC,aAAWK,KAAYb;AACrB,QAAIY,EAAW,WAAWC,CAAQ,EAAG,QAAO;AAE9C,SAAO;AACT,GAQMC,IAAe,CAACN,MAA2B;AAC/C,QAAMO,IAAUP,EAAM,MAAM,GAAG;AAC/B,aAAWQ,KAASD,GAAS;AAC3B,UAAME,IAAMD,EAAM,KAAA,EAAO,MAAM,KAAK,EAAE,CAAC;AACvC,QAAIC,KAAO,CAACN,EAAUM,CAAG,EAAG,QAAO;AAAA,EACrC;AACA,SAAO;AACT,GAMMC,IAAgB,CAACD,MAAyB;AAC9C,MAAI;AAEF,UAAME,IAAaF,EAAI,KAAA;AAOvB,QAAIE,EAAW,WAAW,IAAI;AAC5B,aAAO;AAIT,UAAMC,IAAWD,EAAW,YAAA;AAK5B,WADoB,uBAAuB,KAAKA,CAAU,KACvC,CAACC,EAAS,WAAW,SAAS,KAAK,CAACA,EAAS,WAAW,UAAU,IAG5E,KAIL,CAACA,EAAS,WAAW,SAAS,KAAK,CAACA,EAAS,WAAW,UAAU,IAC7D,KAIL,OAAO,SAAW,OAAe,CAAC,OAAO,WACpC,KAGM,IAAI,IAAID,GAAY,OAAO,SAAS,IAAI,EACzC,WAAW,OAAO,SAAS;AAAA,EAC3C,QAAQ;AAEN,WAAO;AAAA,EACT;AACF,GAeME,IAAoB,CAACC,MACV,IAAI,UAAA,EAEL,gBAAgBA,GAAa,WAAW,GAmBlDC,IAAkB,CAACC,MAAmC;AAG1D,QAAMC,KAAkB,OAAOD,KAAS,WAAWA,IAAO,OAAOA,KAAQ,EAAE,GAAG,KAAA,GAGxEE,IAAW,SAAS,uBAAA;AAG1B,MAAID,EAAe,WAAW;AAC5B,WAAOC;AAOT,MAAI,EADuBD,EAAe,SAAS,GAAG,KAAKA,EAAe,SAAS,GAAG;AAEpF,WAAAC,EAAS,YAAY,SAAS,eAAeD,CAAc,CAAC,GACrDC;AAUT,QAAMC,IAJMN,EAAkBI,CAAc,EAI3B;AAEjB,MAAI,CAACE;AACH,WAAOD;AAGT,SAAOC,EAAK;AACV,IAAAD,EAAS,YAAYC,EAAK,UAAU;AAGtC,SAAOD;AACT,GAMaE,IAAmB,CAACJ,GAAcK,IAA2B,OAAe;AACvF,QAAM;AAAA,IACJ,WAAAC,IAAY,CAAA;AAAA,IACZ,iBAAAC,IAAkB,CAAA;AAAA,IAClB,qBAAAC,IAAsB;AAAA,IACtB,cAAAC,IAAe;AAAA,EAAA,IACbJ,GAGEK,IAAc,IAAI;AAAA,IACtB,CAAC,GAAGvC,GAAsB,GAAGmC,EAAU,IAAI,CAACK,MAAMA,EAAE,aAAa,CAAC,EAAE;AAAA,MAClE,CAACC,MAAQ,CAACxC,EAAe,IAAIwC,CAAG;AAAA,IAAA;AAAA,EAClC,GAEIC,wBAAmB,IAAI;AAAA,IAC3B,GAAGvC;AAAA,IACH,GAAGiC,EAAgB,IAAI,CAACO,MAAMA,EAAE,aAAa;AAAA,EAAA,CAC9C,GAGKZ,IAAWH,EAAgBC,CAAI;AAErC,MAAIS;AACF,WAAOP,EAAS,eAAe;AAIjC,QAAMa,IAAS,SAAS,iBAAiBb,GAAU,WAAW,YAAY,GAEpEc,IAAsB,CAAA;AAE5B,SAAOD,EAAO,cAAY;AACxB,UAAME,IAAKF,EAAO,aACZG,IAAUD,EAAG,QAAQ,YAAA;AAG3B,QAAI7C,EAAe,IAAI8C,CAAO,GAAG;AAC/B,MAAAF,EAAS,KAAKC,CAAE;AAChB;AAAA,IACF;AAGA,QAAI,CAACP,EAAY,IAAIQ,CAAO,GAAG;AAC7B,MAAAF,EAAS,KAAKC,CAAE;AAChB;AAAA,IACF;AAGA,UAAME,IAA0B,CAAA;AAChC,eAAWC,KAAQ,MAAM,KAAKH,EAAG,UAAU,GAAG;AAC5C,YAAMI,IAAWD,EAAK,KAAK,YAAA;AAG3B,UAAI,CAAC3C,EAAmB4C,GAAUR,GAAcL,CAAmB,GAAG;AACpE,QAAAW,EAAc,KAAKC,EAAK,IAAI;AAC5B;AAAA,MACF;AAGA,WAAKC,MAAa,QAAQA,MAAa,WAAW,CAACtC,EAAeqC,EAAK,KAAK,GAAG;AAC7E,QAAAD,EAAc,KAAKC,EAAK,IAAI;AAC5B;AAAA,MACF;AAGA,WACGC,MAAa,UAAUA,MAAa,SAASA,MAAa,aAC3D,CAAClC,EAAUiC,EAAK,KAAK,GACrB;AACA,QAAAD,EAAc,KAAKC,EAAK,IAAI;AAC5B;AAAA,MACF;AAGA,MAAIC,MAAa,YAAY,CAAC/B,EAAa8B,EAAK,KAAK,KACnDD,EAAc,KAAKC,EAAK,IAAI;AAAA,IAEhC;AAGA,eAAWC,KAAYF;AACrB,MAAAF,EAAG,gBAAgBI,CAAQ;AAI7B,QAAIH,MAAY,KAAK;AACnB,YAAMI,IAAOL,EAAG,aAAa,MAAM,GAE7BM,IADSN,EAAG,aAAa,QAAQ,GACR,YAAA,MAAkB,UAC3CO,IAAaF,KAAQ5B,EAAc4B,CAAI;AAG7C,UAAIC,KAAkBC,GAAY;AAChC,cAAMC,IAAcR,EAAG,aAAa,KAAK,GACnCS,IAAY,IAAI,IAAID,IAAcA,EAAY,MAAM,KAAK,EAAE,OAAO,OAAO,IAAI,CAAA,CAAE;AAGrF,QAAAC,EAAU,IAAI,UAAU,GACxBA,EAAU,IAAI,YAAY,GAE1BT,EAAG,aAAa,OAAO,MAAM,KAAKS,CAAS,EAAE,KAAK,GAAG,CAAC;AAAA,MACxD;AAAA,IACF;AAAA,EACF;AAGA,aAAWT,KAAMD;AACf,IAAAC,EAAG,OAAA;AAKL,QAAMU,IAAoB,CAACC,MAAmC;AAC5D,UAAMC,IAAY,SAAS,cAAc,KAAK;AAC9C,WAAAA,EAAU,YAAYD,EAAK,UAAU,EAAI,CAAC,GACnCC,EAAU;AAAA,EACnB,GAMMC,IAAYH,EAAkBzB,CAAQ,GAItC6B,IAAiBhC,EAAgB+B,CAAS,GAC1CE,IAAaL,EAAkBI,CAAc;AAGnD,SAAID,MAAcE,IAGT9B,EAAS,eAAe,KAG1B8B;AACT,GCjVaC,IAAe,CAACjC,GAAcK,IAA2B,OAC7DD,EAAiBJ,GAAMK,CAAO,GAgB1B6B,IAAa,CAACC,MAAyB;AAClD,QAAMC,IAAoC;AAAA,IACxC,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,EAAA;AAEP,SAAOD,EAAK,QAAQ,aAAa,CAACE,MAASD,EAAUC,CAAI,CAAC;AAC5D,GAQaC,IAAY,CAACtC,MACjBI,EAAiBJ,GAAM,EAAE,cAAc,IAAM;"}

package/dist/security/constants.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Security constants and safe lists.
+ *
+ * @module bquery/security
+ */
+/**
+ * Trusted Types policy name.
+ */
+export declare const POLICY_NAME = "bquery-sanitizer";
+/**
+ * Default allowed HTML tags considered safe.
+ */
+export declare const DEFAULT_ALLOWED_TAGS: Set<string>;
+/**
+ * Explicitly dangerous tags that should never be allowed.
+ * These are checked even if somehow added to allowTags.
+ */
+export declare const DANGEROUS_TAGS: Set<string>;
+/**
+ * Reserved IDs that could cause DOM clobbering attacks.
+ * These are prevented to avoid overwriting global browser objects.
+ */
+export declare const RESERVED_IDS: Set<string>;
+/**
+ * Default allowed attributes considered safe.
+ * Note: 'style' is excluded by default because inline CSS can be abused for:
+ * - UI redressing attacks
+ * - Data exfiltration via url() in CSS
+ * - CSS injection vectors
+ * If you need to allow inline styles, add 'style' to allowAttributes in your
+ * sanitizeHtml options, but ensure you implement proper CSS value validation.
+ */
+export declare const DEFAULT_ALLOWED_ATTRIBUTES: Set<string>;
+/**
+ * Dangerous attribute prefixes to always remove.
+ */
+export declare const DANGEROUS_ATTR_PREFIXES: string[];
+/**
+ * Dangerous URL protocols to block.
+ */
+export declare const DANGEROUS_PROTOCOLS: string[];
+//# sourceMappingURL=constants.d.ts.map

package/dist/security/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../src/security/constants.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;GAEG;AACH,eAAO,MAAM,WAAW,qBAAqB,CAAC;AAE9C;;GAEG;AACH,eAAO,MAAM,oBAAoB,aAqF/B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,cAAc,aAkBzB,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,YAAY,aAqCvB,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,0BAA0B,aAqBrC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,uBAAuB,UAA2C,CAAC;AAEhF;;GAEG;AACH,eAAO,MAAM,mBAAmB,UAAiD,CAAC"}

package/dist/security/csp.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Content Security Policy helpers.
+ *
+ * @module bquery/security
+ */
+/**
+ * Generate a nonce for inline scripts/styles.
+ * Use with Content-Security-Policy nonce directives.
+ *
+ * @param length - Nonce length in bytes (default: 16, max: 1024)
+ * @returns Cryptographically random nonce string
+ * @throws {Error} If crypto.getRandomValues or btoa are not available
+ * @throws {RangeError} If length is invalid (negative, non-integer, or exceeds maximum)
+ */
+export declare const generateNonce: (length?: number) => string;
+/**
+ * Check if a CSP header is present with specific directive.
+ * Useful for feature detection and fallback strategies.
+ *
+ * @param directive - The CSP directive to check (e.g., 'script-src')
+ * @returns True if the directive appears to be enforced
+ */
+export declare const hasCSPDirective: (directive: string) => boolean;
+//# sourceMappingURL=csp.d.ts.map

package/dist/security/csp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"csp.d.ts","sourceRoot":"","sources":["../../src/security/csp.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAQH;;;;;;;;GAQG;AACH,eAAO,MAAM,aAAa,GAAI,SAAQ,MAAW,KAAG,MAiCnD,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,eAAe,GAAI,WAAW,MAAM,KAAG,OAanD,CAAC"}

package/dist/security/index.d.ts

@@ -3,6 +3,8 @@
  *
  * @module bquery/security
  */
-export { createTrustedHtml, escapeHtml, generateNonce, getTrustedTypesPolicy, hasCSPDirective, isTrustedTypesSupported, sanitizeHtml as sanitize, sanitizeHtml, stripTags, } from './sanitize';
-export type { SanitizeOptions } from './sanitize';
+export { generateNonce, hasCSPDirective } from './csp';
+export { escapeHtml, sanitizeHtml as sanitize, sanitizeHtml, stripTags } from './sanitize';
+export { createTrustedHtml, getTrustedTypesPolicy, isTrustedTypesSupported } from './trusted-types';
+export type { SanitizeOptions } from './types';
 //# sourceMappingURL=index.d.ts.map

package/dist/security/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,iBAAiB,EACjB,UAAU,EACV,aAAa,EACb,qBAAqB,EACrB,eAAe,EACf,uBAAuB,EACvB,YAAY,IAAI,QAAQ,EACxB,YAAY,EACZ,SAAS,GACV,MAAM,YAAY,CAAC;AACpB,YAAY,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/security/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,OAAO,CAAC;AACvD,OAAO,EAAE,UAAU,EAAE,YAAY,IAAI,QAAQ,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAC3F,OAAO,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AACpG,YAAY,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC"}

package/dist/security/sanitize-core.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Core HTML sanitization logic.
+ *
+ * @module bquery/security
+ * @internal
+ */
+import type { SanitizeOptions } from './types';
+/**
+ * Core sanitization logic (without Trusted Types wrapper).
+ * @internal
+ */
+export declare const sanitizeHtmlCore: (html: string, options?: SanitizeOptions) => string;
+//# sourceMappingURL=sanitize-core.d.ts.map

package/dist/security/sanitize-core.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sanitize-core.d.ts","sourceRoot":"","sources":["../../src/security/sanitize-core.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAUH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AA+M/C;;;GAGG;AACH,eAAO,MAAM,gBAAgB,GAAI,MAAM,MAAM,EAAE,UAAS,eAAoB,KAAG,MAyI9E,CAAC"}

package/dist/security/sanitize.d.ts

@@ -1,40 +1,12 @@
 /**
- * Security utilities for HTML sanitization, CSP compatibility, and Trusted Types.
+ * Security utilities for HTML sanitization.
  * All DOM writes are sanitized by default to prevent XSS attacks.
  *
  * @module bquery/security
  */
-/**
- * Sanitizer configuration options.
- */
-export interface SanitizeOptions {
-    /** Allow these additional tags (default: none) */
-    allowTags?: string[];
-    /** Allow these additional attributes (default: none) */
-    allowAttributes?: string[];
-    /** Allow data-* attributes (default: true) */
-    allowDataAttributes?: boolean;
-    /** Strip all tags and return plain text (default: false) */
-    stripAllTags?: boolean;
-}
-/** Trusted Types policy interface */
-interface TrustedTypePolicy {
-    createHTML: (input: string) => TrustedHTML;
-}
-/** Trusted HTML type placeholder for environments without Trusted Types */
-interface TrustedHTML {
-    toString(): string;
-}
-/**
- * Check if Trusted Types API is available.
- * @returns True if Trusted Types are supported
- */
-export declare const isTrustedTypesSupported: () => boolean;
-/**
- * Get or create the bQuery Trusted Types policy.
- * @returns The Trusted Types policy or null if unsupported
- */
-export declare const getTrustedTypesPolicy: () => TrustedTypePolicy | null;
+import type { SanitizeOptions } from './types';
+export { generateNonce } from './csp';
+export { isTrustedTypesSupported } from './trusted-types';
 /**
  * Sanitize HTML string, removing dangerous elements and attributes.
  * Uses Trusted Types when available for CSP compliance.
@@ -50,14 +22,6 @@ export declare const getTrustedTypesPolicy: () => TrustedTypePolicy | null;
  * ```
  */
 export declare const sanitizeHtml: (html: string, options?: SanitizeOptions) => string;
-/**
- * Create a Trusted HTML value for use with Trusted Types-enabled sites.
- * Falls back to regular string when Trusted Types are unavailable.
- *
- * @param html - The HTML string to wrap
- * @returns Trusted HTML value or sanitized string
- */
-export declare const createTrustedHtml: (html: string) => TrustedHTML | string;
 /**
  * Escape HTML entities to prevent XSS.
  * Use this for displaying user content as text.
@@ -79,21 +43,5 @@ export declare const escapeHtml: (text: string) => string;
  * @returns Plain text content
  */
 export declare const stripTags: (html: string) => string;
-/**
- * Generate a nonce for inline scripts/styles.
- * Use with Content-Security-Policy nonce directives.
- *
- * @param length - Nonce length (default: 16)
- * @returns Cryptographically random nonce string
- */
-export declare const generateNonce: (length?: number) => string;
-/**
- * Check if a CSP header is present with specific directive.
- * Useful for feature detection and fallback strategies.
- *
- * @param directive - The CSP directive to check (e.g., 'script-src')
- * @returns True if the directive appears to be enforced
- */
-export declare const hasCSPDirective: (directive: string) => boolean;
-export {};
+export type { SanitizeOptions } from './types';
 //# sourceMappingURL=sanitize.d.ts.map

package/dist/security/sanitize.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/security/sanitize.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,kDAAkD;IAClD,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,wDAAwD;IACxD,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,8CAA8C;IAC9C,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,4DAA4D;IAC5D,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAsBD,qCAAqC;AACrC,UAAU,iBAAiB;IACzB,UAAU,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,WAAW,CAAC;CAC5C;AAED,2EAA2E;AAC3E,UAAU,WAAW;IACnB,QAAQ,IAAI,MAAM,CAAC;CACpB;AAKD;;;GAGG;AACH,eAAO,MAAM,uBAAuB,QAAO,OAE1C,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,qBAAqB,QAAO,iBAAiB,GAAG,IAgB5D,CAAC;AAmbF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,YAAY,GAAI,MAAM,MAAM,EAAE,UAAS,eAAoB,KAAG,MAE1E,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,iBAAiB,GAAI,MAAM,MAAM,KAAG,WAAW,GAAG,MAM9D,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,UAAU,GAAI,MAAM,MAAM,KAAG,MAUzC,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,SAAS,GAAI,MAAM,MAAM,KAAG,MAExC,CAAC;AAMF;;;;;;GAMG;AACH,eAAO,MAAM,aAAa,GAAI,SAAQ,MAAW,KAAG,MAOnD,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,eAAe,GAAI,WAAW,MAAM,KAAG,OAQnD,CAAC"}
+{"version":3,"file":"sanitize.d.ts","sourceRoot":"","sources":["../../src/security/sanitize.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,OAAO,CAAC;AACtC,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAE1D;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,YAAY,GAAI,MAAM,MAAM,EAAE,UAAS,eAAoB,KAAG,MAE1E,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,UAAU,GAAI,MAAM,MAAM,KAAG,MAUzC,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,SAAS,GAAI,MAAM,MAAM,KAAG,MAExC,CAAC;AAEF,YAAY,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC"}

package/dist/security/trusted-types.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Trusted Types helpers for CSP compatibility.
+ *
+ * @module bquery/security
+ */
+import type { TrustedHTML, TrustedTypePolicy } from './types';
+/**
+ * Check if Trusted Types API is available.
+ * @returns True if Trusted Types are supported
+ */
+export declare const isTrustedTypesSupported: () => boolean;
+/**
+ * Get or create the bQuery Trusted Types policy.
+ * @returns The Trusted Types policy or null if unsupported
+ */
+export declare const getTrustedTypesPolicy: () => TrustedTypePolicy | null;
+/**
+ * Create a Trusted HTML value for use with Trusted Types-enabled sites.
+ * Falls back to regular string when Trusted Types are unavailable.
+ *
+ * @param html - The HTML string to wrap
+ * @returns Trusted HTML value or sanitized string
+ */
+export declare const createTrustedHtml: (html: string) => TrustedHTML | string;
+//# sourceMappingURL=trusted-types.d.ts.map

package/dist/security/trusted-types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trusted-types.d.ts","sourceRoot":"","sources":["../../src/security/trusted-types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,KAAK,EAAE,WAAW,EAAE,iBAAiB,EAAsB,MAAM,SAAS,CAAC;AAQlF;;;GAGG;AACH,eAAO,MAAM,uBAAuB,QAAO,OAK1C,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,qBAAqB,QAAO,iBAAiB,GAAG,IAsB5D,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,iBAAiB,GAAI,MAAM,MAAM,KAAG,WAAW,GAAG,MAM9D,CAAC"}

package/dist/security/types.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Security types for sanitization, CSP compatibility, and Trusted Types.
+ *
+ * @module bquery/security
+ */
+/**
+ * Sanitizer configuration options.
+ */
+export interface SanitizeOptions {
+    /** Allow these additional tags (default: none) */
+    allowTags?: string[];
+    /** Allow these additional attributes (default: none) */
+    allowAttributes?: string[];
+    /** Allow data-* attributes (default: true) */
+    allowDataAttributes?: boolean;
+    /** Strip all tags and return plain text (default: false) */
+    stripAllTags?: boolean;
+}
+/** Window interface extended with Trusted Types */
+export interface TrustedTypesWindow extends Window {
+    trustedTypes?: {
+        createPolicy: (name: string, rules: {
+            createHTML?: (input: string) => string;
+        }) => TrustedTypePolicy;
+        isHTML?: (value: unknown) => boolean;
+    };
+}
+/** Trusted Types policy interface */
+export interface TrustedTypePolicy {
+    createHTML: (input: string) => TrustedHTML;
+}
+/** Trusted HTML type placeholder for environments without Trusted Types */
+export interface TrustedHTML {
+    toString(): string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/security/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/security/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,kDAAkD;IAClD,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,wDAAwD;IACxD,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,8CAA8C;IAC9C,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,4DAA4D;IAC5D,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED,mDAAmD;AACnD,MAAM,WAAW,kBAAmB,SAAQ,MAAM;IAChD,YAAY,CAAC,EAAE;QACb,YAAY,EAAE,CACZ,IAAI,EAAE,MAAM,EACZ,KAAK,EAAE;YAAE,UAAU,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,CAAA;SAAE,KAC9C,iBAAiB,CAAC;QACvB,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,KAAK,OAAO,CAAC;KACtC,CAAC;CACH;AAED,qCAAqC;AACrC,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,WAAW,CAAC;CAC5C;AAED,2EAA2E;AAC3E,MAAM,WAAW,WAAW;IAC1B,QAAQ,IAAI,MAAM,CAAC;CACpB"}