@bquery/bquery 1.4.0 → 1.5.0

package/src/reactive/signal.ts

@@ -1,20 +1,29 @@
-/**
- * Reactive primitives inspired by fine-grained reactivity.
- *
- * @module bquery/reactive
- */
-
-export { batch } from './batch';
-export { Computed, computed } from './computed';
-export { Signal, signal } from './core';
-export { effect } from './effect';
-export { linkedSignal } from './linked';
-export { persistedSignal } from './persisted';
-export { readonly } from './readonly';
-export { isComputed, isSignal } from './type-guards';
-export { untrack } from './untrack';
-export { watch } from './watch';
-
-export type { CleanupFn, Observer } from './internals';
-export type { LinkedSignal } from './linked';
-export type { ReadonlySignal } from './readonly';
+/**
+ * Reactive primitives inspired by fine-grained reactivity.
+ *
+ * @module bquery/reactive
+ */
+
+export { batch } from './batch';
+export { createUseFetch, useAsyncData, useFetch } from './async-data';
+export { Computed, computed } from './computed';
+export { Signal, signal } from './core';
+export { effect } from './effect';
+export { linkedSignal } from './linked';
+export { persistedSignal } from './persisted';
+export { readonly } from './readonly';
+export { isComputed, isSignal } from './type-guards';
+export { untrack } from './untrack';
+export { watch } from './watch';
+
+export type { CleanupFn, Observer } from './internals';
+export type {
+  AsyncDataState,
+  AsyncDataStatus,
+  AsyncWatchSource,
+  FetchInput,
+  UseAsyncDataOptions,
+  UseFetchOptions,
+} from './async-data';
+export type { LinkedSignal } from './linked';
+export type { ReadonlySignal } from './readonly';

package/src/security/constants.ts

@@ -1,209 +1,211 @@
-/**
- * Security constants and safe lists.
- *
- * @module bquery/security
- */
-
-/**
- * Trusted Types policy name.
- */
-export const POLICY_NAME = 'bquery-sanitizer';
-
-/**
- * Default allowed HTML tags considered safe.
- */
-export const DEFAULT_ALLOWED_TAGS = new Set([
-  'a',
-  'abbr',
-  'address',
-  'article',
-  'aside',
-  'b',
-  'bdi',
-  'bdo',
-  'blockquote',
-  'br',
-  'button',
-  'caption',
-  'cite',
-  'code',
-  'col',
-  'colgroup',
-  'data',
-  'dd',
-  'del',
-  'details',
-  'dfn',
-  'div',
-  'dl',
-  'dt',
-  'em',
-  'figcaption',
-  'figure',
-  'footer',
-  'form',
-  'h1',
-  'h2',
-  'h3',
-  'h4',
-  'h5',
-  'h6',
-  'header',
-  'hgroup',
-  'hr',
-  'i',
-  'img',
-  'input',
-  'ins',
-  'kbd',
-  'label',
-  'legend',
-  'li',
-  'main',
-  'mark',
-  'nav',
-  'ol',
-  'optgroup',
-  'option',
-  'p',
-  'picture',
-  'pre',
-  'progress',
-  'q',
-  'rp',
-  'rt',
-  'ruby',
-  's',
-  'samp',
-  'section',
-  'select',
-  'small',
-  'source',
-  'span',
-  'strong',
-  'sub',
-  'summary',
-  'sup',
-  'table',
-  'tbody',
-  'td',
-  'textarea',
-  'tfoot',
-  'th',
-  'thead',
-  'time',
-  'tr',
-  'u',
-  'ul',
-  'var',
-  'wbr',
-]);
-
-/**
- * Explicitly dangerous tags that should never be allowed.
- * These are checked even if somehow added to allowTags.
- */
-export const DANGEROUS_TAGS = new Set([
-  'script',
-  'iframe',
-  'frame',
-  'frameset',
-  'object',
-  'embed',
-  'applet',
-  'link',
-  'meta',
-  'style',
-  'base',
-  'template',
-  'slot',
-  'math',
-  'svg',
-  'foreignobject',
-  'noscript',
-]);
-
-/**
- * Reserved IDs that could cause DOM clobbering attacks.
- * These are prevented to avoid overwriting global browser objects.
- */
-export const RESERVED_IDS = new Set([
-  // Global objects
-  'document',
-  'window',
-  'location',
-  'top',
-  'self',
-  'parent',
-  'frames',
-  'history',
-  'navigator',
-  'screen',
-  // Dangerous functions
-  'alert',
-  'confirm',
-  'prompt',
-  'eval',
-  'function',
-  // Document properties
-  'cookie',
-  'domain',
-  'referrer',
-  'body',
-  'head',
-  'forms',
-  'images',
-  'links',
-  'scripts',
-  // DOM traversal properties
-  'children',
-  'parentnode',
-  'firstchild',
-  'lastchild',
-  // Content manipulation
-  'innerhtml',
-  'outerhtml',
-  'textcontent',
-]);
-
-/**
- * Default allowed attributes considered safe.
- * Note: 'style' is excluded by default because inline CSS can be abused for:
- * - UI redressing attacks
- * - Data exfiltration via url() in CSS
- * - CSS injection vectors
- * If you need to allow inline styles, add 'style' to allowAttributes in your
- * sanitizeHtml options, but ensure you implement proper CSS value validation.
- */
-export const DEFAULT_ALLOWED_ATTRIBUTES = new Set([
-  'alt',
-  'class',
-  'dir',
-  'height',
-  'hidden',
-  'href',
-  'id',
-  'lang',
-  'loading',
-  'name',
-  'rel',
-  'role',
-  'src',
-  'srcset',
-  'tabindex',
-  'target',
-  'title',
-  'type',
-  'width',
-  'aria-*',
-]);
-
-/**
- * Dangerous attribute prefixes to always remove.
- */
-export const DANGEROUS_ATTR_PREFIXES = ['on', 'formaction', 'xlink:', 'xmlns:'];
-
-/**
- * Dangerous URL protocols to block.
- */
-export const DANGEROUS_PROTOCOLS = ['javascript:', 'data:', 'vbscript:', 'file:'];
+/**
+ * Security constants and safe lists.
+ *
+ * @module bquery/security
+ */
+
+/**
+ * Trusted Types policy name.
+ */
+export const POLICY_NAME = 'bquery-sanitizer';
+
+/**
+ * Default allowed HTML tags considered safe.
+ */
+export const DEFAULT_ALLOWED_TAGS = new Set([
+  'a',
+  'abbr',
+  'address',
+  'article',
+  'aside',
+  'b',
+  'bdi',
+  'bdo',
+  'blockquote',
+  'br',
+  'button',
+  'caption',
+  'cite',
+  'code',
+  'col',
+  'colgroup',
+  'data',
+  'dd',
+  'del',
+  'details',
+  'dfn',
+  'div',
+  'dl',
+  'dt',
+  'em',
+  'figcaption',
+  'figure',
+  'footer',
+  'form',
+  'h1',
+  'h2',
+  'h3',
+  'h4',
+  'h5',
+  'h6',
+  'header',
+  'hgroup',
+  'hr',
+  'i',
+  'img',
+  'input',
+  'ins',
+  'kbd',
+  'label',
+  'legend',
+  'li',
+  'main',
+  'mark',
+  'nav',
+  'ol',
+  'optgroup',
+  'option',
+  'p',
+  'picture',
+  'pre',
+  'progress',
+  'q',
+  'rp',
+  'rt',
+  'ruby',
+  's',
+  'samp',
+  'section',
+  'select',
+  'small',
+  'source',
+  'span',
+  'strong',
+  'sub',
+  'summary',
+  'sup',
+  'table',
+  'tbody',
+  'td',
+  'textarea',
+  'tfoot',
+  'th',
+  'thead',
+  'time',
+  'tr',
+  'u',
+  'ul',
+  'var',
+  'wbr',
+]);
+
+/**
+ * Explicitly dangerous tags that should never be allowed.
+ * These are checked even if somehow added to allowTags.
+ */
+export const DANGEROUS_TAGS = new Set([
+  'script',
+  'iframe',
+  'frame',
+  'frameset',
+  'object',
+  'embed',
+  'applet',
+  'link',
+  'meta',
+  'style',
+  'base',
+  'template',
+  // 'slot' is intentionally excluded here so component shadow markup can opt in
+  // via sanitizeHtml(..., { allowTags: ['slot'] }). It remains disallowed by default
+  // for general HTML writes, because DEFAULT_ALLOWED_TAGS does not include it.
+  'math',
+  'svg',
+  'foreignobject',
+  'noscript',
+]);
+
+/**
+ * Reserved IDs that could cause DOM clobbering attacks.
+ * These are prevented to avoid overwriting global browser objects.
+ */
+export const RESERVED_IDS = new Set([
+  // Global objects
+  'document',
+  'window',
+  'location',
+  'top',
+  'self',
+  'parent',
+  'frames',
+  'history',
+  'navigator',
+  'screen',
+  // Dangerous functions
+  'alert',
+  'confirm',
+  'prompt',
+  'eval',
+  'function',
+  // Document properties
+  'cookie',
+  'domain',
+  'referrer',
+  'body',
+  'head',
+  'forms',
+  'images',
+  'links',
+  'scripts',
+  // DOM traversal properties
+  'children',
+  'parentnode',
+  'firstchild',
+  'lastchild',
+  // Content manipulation
+  'innerhtml',
+  'outerhtml',
+  'textcontent',
+]);
+
+/**
+ * Default allowed attributes considered safe.
+ * Note: 'style' is excluded by default because inline CSS can be abused for:
+ * - UI redressing attacks
+ * - Data exfiltration via url() in CSS
+ * - CSS injection vectors
+ * If you need to allow inline styles, add 'style' to allowAttributes in your
+ * sanitizeHtml options, but ensure you implement proper CSS value validation.
+ */
+export const DEFAULT_ALLOWED_ATTRIBUTES = new Set([
+  'alt',
+  'class',
+  'dir',
+  'height',
+  'hidden',
+  'href',
+  'id',
+  'lang',
+  'loading',
+  'name',
+  'rel',
+  'role',
+  'src',
+  'srcset',
+  'tabindex',
+  'target',
+  'title',
+  'type',
+  'width',
+  'aria-*',
+]);
+
+/**
+ * Dangerous attribute prefixes to always remove.
+ */
+export const DANGEROUS_ATTR_PREFIXES = ['on', 'formaction', 'xlink:', 'xmlns:'];
+
+/**
+ * Dangerous URL protocols to block.
+ */
+export const DANGEROUS_PROTOCOLS = ['javascript:', 'data:', 'vbscript:', 'file:'];