@character-foundry/character-foundry 0.4.2-dev.1765942273 → 0.4.2-dev.1765997746

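--- a/package/dist/charx.js
+++ b/package/dist/charx.js
@@ -836,36 +836,6 @@ var SAFE_ASSET_TYPES = /* @__PURE__ */ new Set([
  "data",
  "unknown"
  ]);
- var SAFE_EXTENSIONS = /* @__PURE__ */ new Set([
- // Images
- "png",
- "jpg",
- "jpeg",
- "webp",
- "gif",
- "avif",
- "svg",
- "bmp",
- "ico",
- // Audio
- "mp3",
- "wav",
- "ogg",
- "flac",
- "m4a",
- "aac",
- "opus",
- // Video
- "mp4",
- "webm",
- "avi",
- "mov",
- "mkv",
- // Data
- "json",
- "txt",
- "bin"
- ]);
  function getCharxCategory(mimetype) {
  if (mimetype.startsWith("image/")) return "images";
  if (mimetype.startsWith("audio/")) return "audio";
@@ -881,11 +851,20 @@ function sanitizeAssetType(type) {
  return sanitized || "custom";
  }
  function sanitizeExtension(ext) {
- const normalized = ext.replace(/^\./, "").toLowerCase().replace(/[^a-z0-9]/g, "");
- if (SAFE_EXTENSIONS.has(normalized)) {
- return normalized;
+ const normalized = ext.trim().replace(/^\./, "").toLowerCase();
+ if (!normalized) {
+ throw new Error("Invalid asset extension: empty extension");
+ }
+ if (normalized.length > 64) {
+ throw new Error(`Invalid asset extension: too long (${normalized.length} chars)`);
+ }
+ if (normalized.includes("/") || normalized.includes("\\") || normalized.includes("\0")) {
+ throw new Error("Invalid asset extension: path separators are not allowed");
+ }
+ if (!/^[a-z0-9][a-z0-9._-]*$/.test(normalized)) {
+ throw new Error(`Invalid asset extension: "${ext}"`);
  }
- return "bin";
+ return normalized;
  }
  function sanitizeName(name, ext) {
  let safeName = name;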
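Review bot: With SAFE_EXTENSIONS removed, sanitizeExtension returns any value matching `/^[a-z0-9][a-z0-9._-]*$/`, so extensions such as `html`, `js` or `exe` that used to collapse to `"bin"` now pass through unchanged, as do trailing or doubled dots (`png.`, `a..b`). If anything downstream extracts or serves assets by extension, that guarantee is gone; consider keeping an allowlist (or at least a denylist of executable and active-content types) and tightening the pattern to `/^[a-z0-9]+(?:[._-][a-z0-9]+)*$/`. The function also throws where it previously fell back to `"bin"`, so callers that process untrusted archives (not visible in this hunk) need to handle the error rather than abort mid-import. The last message interpolates the raw `ext`, which is not length-bounded before trimming and may carry control characters into logs; reporting `JSON.stringify(normalized)` instead would avoid that.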