@design-edito/tools 0.4.4 → 0.4.6

package/agnostic/sanitization/html/index.js

@@ -1,121 +1,177 @@
-import {
-  get
-} from "../../../chunks/chunk-57YKZBJR.js";
-import "../../../chunks/chunk-WSFCRVEQ.js";
-
-// src/agnostic/sanitization/html/index.ts
-var defaultOptions = { depth: 20 };
-function sanitizeHtml(inputStr, options = defaultOptions) {
-  const { document } = get();
-  const wrapperDiv = document.createElement("div");
-  const { inputFreeTransform } = options;
-  wrapperDiv.innerHTML = inputFreeTransform !== void 0 ? inputFreeTransform(inputStr) : inputStr;
-  const sanitizedWrapper = sanitizeElement(wrapperDiv, options);
-  const returned = sanitizedWrapper?.innerHTML;
-  return returned ?? "";
+import * as Window from '../../misc/crossenv/window/index.js';
+/**
+ * Default sanitization options.
+ *
+ * Only sets a default recursion depth of 20.
+ */
+export const defaultOptions = { depth: 20 };
+/**
+ * Sanitizes an HTML string according to the provided options.
+ *
+ * @deprecated
+ * @security
+ * ⚠️ SECURITY WARNING
+ * This function is **not a hardened or complete HTML sanitizer**.
+ * It does not guarantee protection against XSS or other injection attacks.
+ *
+ * Correctness and safety depend entirely on strict caller configuration.
+ * In particular, unsafe usage may occur if:
+ * - Wildcards (`'*'`) are used for allowed tags or attributes
+ * - URL-based attributes (`href`, `src`, `xlink:href`, etc.) are insufficiently constrained
+ * - Event handler attributes (`on*`) are not explicitly forbidden
+ * - SVG or MathML content is allowed
+ *
+ * This API must not be used as a security boundary for untrusted HTML.
+ * For security-critical sanitization, use a dedicated, security-audited library.
+ *
+ * @param {string} inputStr - The HTML string to sanitize.
+ * @param {SanitizeHtmlOptions} [options=defaultOptions] - Sanitization configuration.
+ * @returns {string} The sanitized HTML string.
+ *
+ * @throws Will throw an error if no document object is available for creating elements.
+ */
+export function sanitizeHtml(inputStr, options = defaultOptions) {
+    const { document } = Window.get();
+    const wrapperDiv = document.createElement('div');
+    const { inputFreeTransform } = options;
+    wrapperDiv.innerHTML = inputFreeTransform !== undefined ? inputFreeTransform(inputStr) : inputStr;
+    const sanitizedWrapper = sanitizeElement(wrapperDiv, options);
+    const returned = sanitizedWrapper?.innerHTML;
+    return returned ?? '';
 }
-function sanitizeElement(element, options = defaultOptions) {
-  const { tagName, attributes, childNodes } = element;
-  const {
-    allowedTags = [],
-    allowedAttributes = {},
-    forbiddenTags = [],
-    forbiddenAttributes = {},
-    depth = 20,
-    verbose = false
-  } = options;
-  if (depth <= 0) {
-    console.warn("Max depth reached");
-    return null;
-  }
-  const normalizedTagName = tagName.toLowerCase().trim();
-  const tagIsInForbidden = forbiddenTags.includes("*") || forbiddenTags.includes(normalizedTagName);
-  if (tagIsInForbidden) {
-    if (verbose) console.warn(tagName, "tag is forbidden");
-    return null;
-  }
-  const tagIsInAllowed = allowedTags.includes("*") || allowedTags.includes(normalizedTagName);
-  if (!tagIsInAllowed) {
-    if (verbose) console.warn(tagName, "tag is not allowed");
-    return null;
-  }
-  const returnedElement = get().document.createElement(tagName);
-  const returnedAttributes = Array.from(attributes).filter(({ name: attributeName, value: attributeValue }) => {
-    const allTagsForbiddenAttributes = forbiddenAttributes["*"] ?? [];
-    const thisTagForbiddenAttributes = forbiddenAttributes[normalizedTagName] ?? [];
-    const mergedForbiddenAttributes = [...allTagsForbiddenAttributes, ...thisTagForbiddenAttributes];
-    const isInForbidden = mergedForbiddenAttributes.some(({
-      attributeName: nameTester,
-      attributeValues: valTesters
-    }) => {
-      if (typeof nameTester === "string" && nameTester !== "*" && attributeName !== nameTester) return false;
-      if (typeof nameTester !== "string" && !nameTester.test(attributeName)) return false;
-      if (valTesters === void 0) {
-        if (verbose) console.warn(attributeName, "attribute on", tagName, "tag is forbidden");
-        return true;
-      }
-      if (valTesters.includes("*")) {
-        if (verbose) console.warn(attributeName, "attribute on", tagName, "tag is forbidden");
-        return true;
-      }
-      return valTesters.some((valTester) => {
-        if (typeof valTester === "string" && attributeValue === valTester) {
-          if (verbose) console.warn(attributeValue, "value for", attributeName, "attribute on", tagName, "tag is forbidden. Rule:", valTester);
-          return true;
-        }
-        if (typeof valTester !== "string" && valTester.test(attributeValue)) {
-          if (verbose) console.warn(attributeValue, "value for", attributeName, "attribute on", tagName, "tag is forbidden. Rule:", valTester);
-          return true;
+/**
+ * Recursively sanitizes a DOM element and its descendants according to the provided options.
+ *
+ * @deprecated
+ * @security
+ * ⚠️ SECURITY WARNING
+ * This function is **not a hardened or complete HTML sanitizer**.
+ * It does not guarantee protection against XSS or other injection attacks.
+ *
+ * Correctness and safety depend entirely on strict caller configuration.
+ * In particular, unsafe usage may occur if:
+ * - Wildcards (`'*'`) are used for allowed tags or attributes
+ * - URL-based attributes (`href`, `src`, `xlink:href`, etc.) are insufficiently constrained
+ * - Event handler attributes (`on*`) are not explicitly forbidden
+ * - SVG or MathML content is allowed
+ *
+ * This API must not be used as a security boundary for untrusted HTML.
+ * For security-critical sanitization, use a dedicated, security-audited library.
+ *
+ * @param {Element} element - The DOM element to sanitize.
+ * @param {SanitizeHtmlOptions} [options=defaultOptions] - Sanitization configuration.
+ * @returns {Element | null}
+ * - A sanitized clone of the original element with allowed attributes and children.
+ * - `null` if the element is forbidden or maximum recursion depth is reached.
+ *
+ * @throws Will throw an error if no document object is available for creating elements.
+ */
+export function sanitizeElement(element, options = defaultOptions) {
+    const { tagName, attributes, childNodes } = element;
+    const { allowedTags = [], allowedAttributes = {}, forbiddenTags = [], forbiddenAttributes = {}, depth = 20, verbose = false } = options;
+    if (depth <= 0) {
+        console.warn('Max depth reached');
+        return null;
+    }
+    // Element's tag name checkup
+    const normalizedTagName = tagName.toLowerCase().trim();
+    const tagIsInForbidden = forbiddenTags.includes('*') || forbiddenTags.includes(normalizedTagName);
+    if (tagIsInForbidden) {
+        if (verbose)
+            console.warn(tagName, 'tag is forbidden');
+        return null;
+    }
+    const tagIsInAllowed = allowedTags.includes('*') || allowedTags.includes(normalizedTagName);
+    if (!tagIsInAllowed) {
+        if (verbose)
+            console.warn(tagName, 'tag is not allowed');
+        return null;
+    }
+    const returnedElement = Window.get().document.createElement(tagName);
+    // Element's attributes checkup
+    const returnedAttributes = Array.from(attributes).filter(({ name: attributeName, value: attributeValue }) => {
+        const allTagsForbiddenAttributes = forbiddenAttributes['*'] ?? [];
+        const thisTagForbiddenAttributes = forbiddenAttributes[normalizedTagName] ?? [];
+        const mergedForbiddenAttributes = [...allTagsForbiddenAttributes, ...thisTagForbiddenAttributes];
+        const isInForbidden = mergedForbiddenAttributes.some(({ attributeName: nameTester, attributeValues: valTesters }) => {
+            if (typeof nameTester === 'string' && nameTester !== '*' && attributeName !== nameTester)
+                return false; // attribute name doesnt match
+            if (typeof nameTester !== 'string' && !nameTester.test(attributeName))
+                return false; // attribute name doesnt match
+            if (valTesters === undefined) {
+                if (verbose)
+                    console.warn(attributeName, 'attribute on', tagName, 'tag is forbidden');
+                return true; // attribute name matches, and all values are forbidden
+            }
+            if (valTesters.includes('*')) {
+                if (verbose)
+                    console.warn(attributeName, 'attribute on', tagName, 'tag is forbidden');
+                return true; // attribute name matches, and all values are EXPLICITLY forbidden
+            }
+            return valTesters.some(valTester => {
+                if (typeof valTester === 'string' && attributeValue === valTester) {
+                    if (verbose)
+                        console.warn(attributeValue, 'value for', attributeName, 'attribute on', tagName, 'tag is forbidden. Rule:', valTester);
+                    return true; // attribute value strictly matches
+                }
+                if (typeof valTester !== 'string' && valTester.test(attributeValue)) {
+                    if (verbose)
+                        console.warn(attributeValue, 'value for', attributeName, 'attribute on', tagName, 'tag is forbidden. Rule:', valTester);
+                    return true; // attribute value partially matches
+                }
+                return false;
+            });
+        });
+        if (isInForbidden)
+            return false;
+        const allTagsAllowedAttributes = allowedAttributes['*'] ?? [];
+        const thisTagAllowedAttributes = allowedAttributes[normalizedTagName] ?? [];
+        const mergedAllowedAttributes = [...allTagsAllowedAttributes, ...thisTagAllowedAttributes];
+        let latestNotAllowedReason = [tagName, 'has no allowed attributes'];
+        const isInAllowed = mergedAllowedAttributes.some(({ attributeName: nameTester, attributeValues: valTesters }) => {
+            if (typeof nameTester === 'string' && nameTester !== '*' && attributeName !== nameTester) {
+                latestNotAllowedReason = [attributeName, 'attribute on', tagName, 'tag is not allowed'];
+                return false; // attribute name doesnt match
+            }
+            if (typeof nameTester !== 'string' && !nameTester.test(attributeName)) {
+                latestNotAllowedReason = [attributeName, 'attribute on', tagName, 'tag is not allowed'];
+                return false; // attribute name doesnt match
+            }
+            if (valTesters === undefined)
+                return true; // attribute name matches, and all values are allowed
+            if (valTesters.includes('*'))
+                return true; // attribute name matches, and all values are EXPLICITLY allowed
+            return valTesters.some(valTester => {
+                if (typeof valTester === 'string' && attributeValue === valTester)
+                    return true; // attribute value strictly matches
+                if (typeof valTester !== 'string' && valTester.test(attributeValue))
+                    return true; // attribute value partially matches
+                latestNotAllowedReason = [attributeValue, 'value for', attributeName, 'attribute on', tagName, 'tag is not allowed'];
+                return false;
+            });
+        });
+        if (!isInAllowed) {
+            if (verbose)
+                console.warn(...latestNotAllowedReason);
+            return false;
         }
-        return false;
-      });
+        return true;
     });
-    if (isInForbidden) return false;
-    const allTagsAllowedAttributes = allowedAttributes["*"] ?? [];
-    const thisTagAllowedAttributes = allowedAttributes[normalizedTagName] ?? [];
-    const mergedAllowedAttributes = [...allTagsAllowedAttributes, ...thisTagAllowedAttributes];
-    let latestNotAllowedReason = [tagName, "has no allowed attributes"];
-    const isInAllowed = mergedAllowedAttributes.some(({
-      attributeName: nameTester,
-      attributeValues: valTesters
-    }) => {
-      if (typeof nameTester === "string" && nameTester !== "*" && attributeName !== nameTester) {
-        latestNotAllowedReason = [attributeName, "attribute on", tagName, "tag is not allowed"];
-        return false;
-      }
-      if (typeof nameTester !== "string" && !nameTester.test(attributeName)) {
-        latestNotAllowedReason = [attributeName, "attribute on", tagName, "tag is not allowed"];
-        return false;
-      }
-      if (valTesters === void 0) return true;
-      if (valTesters.includes("*")) return true;
-      return valTesters.some((valTester) => {
-        if (typeof valTester === "string" && attributeValue === valTester) return true;
-        if (typeof valTester !== "string" && valTester.test(attributeValue)) return true;
-        latestNotAllowedReason = [attributeValue, "value for", attributeName, "attribute on", tagName, "tag is not allowed"];
-        return false;
-      });
+    returnedAttributes.forEach(({ name, value }) => {
+        returnedElement.setAttribute(name, value);
     });
-    if (!isInAllowed) {
-      if (verbose) console.warn(...latestNotAllowedReason);
-      return false;
-    }
-    return true;
-  });
-  returnedAttributes.forEach(({ name, value }) => {
-    returnedElement.setAttribute(name, value);
-  });
-  const sanitizedChildNodes = Array.from(childNodes).map((node) => {
-    if (node.nodeType === Node.ELEMENT_NODE) return sanitizeElement(node, { ...options, depth: depth - 1 });
-    else if (node.nodeType === Node.TEXT_NODE) return node;
-    else if (options.keepComments === true && node.nodeType === Node.COMMENT_NODE) return node;
-    return null;
-  }).filter((elt) => elt !== null);
-  returnedElement.replaceChildren(...sanitizedChildNodes);
-  return returnedElement;
+    // Element's children sanitization
+    const sanitizedChildNodes = Array.from(childNodes)
+        .map((node) => {
+        if (node.nodeType === Node.ELEMENT_NODE)
+            return sanitizeElement(node, { ...options, depth: depth - 1 });
+        else if (node.nodeType === Node.TEXT_NODE)
+            return node;
+        else if (options.keepComments === true && node.nodeType === Node.COMMENT_NODE)
+            return node;
+        return null;
+    })
+        .filter((elt) => elt !== null);
+    returnedElement.replaceChildren(...sanitizedChildNodes);
+    return returnedElement;
 }
-export {
-  defaultOptions,
-  sanitizeElement,
-  sanitizeHtml
-};

package/agnostic/sanitization/path/index.js

@@ -1,14 +1,24 @@
-import {
-  sanitizeFileName
-} from "../../../chunks/chunk-HYPEWMYZ.js";
-import "../../../chunks/chunk-WSFCRVEQ.js";
-
-// src/agnostic/sanitization/path/index.ts
-function sanitizePath(targetPath) {
-  const sanitized = targetPath.split("/").filter((chunk) => chunk !== "").map((chunk) => sanitizeFileName(chunk) ?? "").filter((chunk) => chunk !== "" && chunk !== "..").join("/");
-  if (sanitized === "") return null;
-  return sanitized.startsWith("/") ? sanitized : `/${sanitized}`;
+import { sanitizeFileName } from '../file-name/index.js';
+/**
+ * Sanitizes a path string by sanitizing each path segment.
+ *
+ * - Removes empty segments and `..` segments to prevent path traversal.
+ * - Sanitizes each segment using `sanitizeFileName`.
+ * - Ensures the returned path starts with a `/`.
+ *
+ * @param {string} targetPath - The path to sanitize.
+ * @returns {string | null} Sanitized absolute path, or null if invalid/empty.
+ */
+export function sanitizePath(targetPath) {
+    const sanitized = targetPath
+        .split('/')
+        .filter(chunk => chunk !== '')
+        .map(chunk => sanitizeFileName(chunk) ?? '')
+        .filter(chunk => chunk !== '' && chunk !== '..')
+        .join('/');
+    if (sanitized === '')
+        return null;
+    return sanitized.startsWith('/')
+        ? sanitized
+        : `/${sanitized}`;
 }
-export {
-  sanitizePath
-};

package/agnostic/sanitization/path/index.test.js

@@ -0,0 +1,18 @@
+import { describe, it, expect } from 'vitest';
+import { sanitizePath } from './index.js';
+describe('sanitizePath', () => {
+    it('sanitizes each segment and removes empty/.. segments', () => {
+        const input = '/some//../unsafe/..//path/ fi?le.txt';
+        const result = sanitizePath(input);
+        expect(result).toBe('/some/unsafe/path/file.txt');
+    });
+    it('returns null for an empty or fully-invalid path', () => {
+        expect(sanitizePath('')).toBeNull();
+        expect(sanitizePath('/../..///')).toBeNull();
+    });
+    it('ensures the returned path starts with a leading slash', () => {
+        const input = 'relative/path.txt';
+        const result = sanitizePath(input);
+        expect(result?.startsWith('/')).toBe(true);
+    });
+});

package/agnostic/sanitization/types.js

@@ -0,0 +1 @@
+export {};

package/agnostic/sanitization/user-input/index.js

@@ -1,28 +1,38 @@
-import "../../../chunks/chunk-WSFCRVEQ.js";
-
-// src/agnostic/sanitization/user-input/index.ts
-import xss from "xss";
-var sanitizeUserInput = (input, seen = /* @__PURE__ */ new WeakMap()) => {
-  if (typeof input === "string") return xss(input);
-  if (Array.isArray(input)) {
-    if (seen.has(input)) return seen.get(input);
-    const sanitized = [];
-    seen.set(input, sanitized);
-    sanitized.push(...input.map((item) => sanitizeUserInput(item, seen)));
-    return sanitized;
-  }
-  if (input !== null && typeof input === "object") {
-    if (seen.has(input)) return seen.get(input);
-    const sanitized = {};
-    seen.set(input, sanitized);
-    const entries = Object.entries(input);
-    for (const [key, value] of entries) {
-      sanitized[xss(key)] = sanitizeUserInput(value, seen);
+import xss from 'xss';
+/**
+ * Recursively sanitizes user input to prevent XSS.
+ *
+ * - Strings are sanitized using `xss`.
+ * - Arrays and objects are sanitized recursively.
+ * - Circular references are safely handled via a `WeakMap`.
+ *
+ * @template T
+ * @param input - Input value to sanitize (string, object, or array).
+ * @param [seen] - Internal set to track circular references.
+ * @returns Sanitized input with the same structure as the original.
+ */
+export const sanitizeUserInput = (input, seen = new WeakMap()) => {
+    if (typeof input === 'string')
+        return xss(input);
+    if (Array.isArray(input)) {
+        if (seen.has(input))
+            return seen.get(input);
+        const sanitized = [];
+        seen.set(input, sanitized);
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
+        sanitized.push(...input.map(item => sanitizeUserInput(item, seen)));
+        return sanitized;
     }
-    return sanitized;
-  }
-  return input;
-};
-export {
-  sanitizeUserInput
+    if (input !== null && typeof input === 'object') {
+        if (seen.has(input))
+            return seen.get(input);
+        const sanitized = {};
+        seen.set(input, sanitized);
+        const entries = Object.entries(input);
+        for (const [key, value] of entries) {
+            sanitized[xss(key)] = sanitizeUserInput(value, seen);
+        }
+        return sanitized;
+    }
+    return input;
 };

package/agnostic/sanitization/user-input/index.test.js

@@ -0,0 +1,31 @@
+import { describe, it, expect, vi } from 'vitest';
+import { sanitizeUserInput } from './index.js';
+vi.mock('xss', () => ({
+    default: vi.fn((value) => `sanitized(${value})`)
+}));
+describe('sanitizeUserInput', () => {
+    it('sanitizes plain strings using xss', () => {
+        const result = sanitizeUserInput('<script>alert(1)</script>');
+        expect(result).toBe('sanitized(<script>alert(1)</script>)');
+    });
+    it('recursively sanitizes arrays and objects', () => {
+        const input = {
+            '<key>': ['<v1>', '<v2>'],
+            nested: { '<inner>': '<v3>' }
+        };
+        const result = sanitizeUserInput(input);
+        expect(result).toEqual({
+            'sanitized(<key>)': ['sanitized(<v1>)', 'sanitized(<v2>)'],
+            'sanitized(nested)': { 'sanitized(<inner>)': 'sanitized(<v3>)' }
+        });
+    });
+    it('handles circular references without infinite recursion', () => {
+        const obj = { name: '<name>' };
+        obj.self = obj;
+        const result = sanitizeUserInput(obj);
+        // Just verify it doesn't throw and returns something
+        expect(result).toBeDefined();
+        // The circular reference should still be circular
+        expect(result['sanitized(self)']).toBe(result);
+    });
+});

package/agnostic/strings/char-codes/index.js

@@ -1,70 +1,136 @@
-import "../../../chunks/chunk-WSFCRVEQ.js";
-
-// src/agnostic/strings/char-codes/index.ts
-function charCodeToB36(charCode) {
-  if (charCode === null) return "\0";
-  return charCode.toString(36);
+// CharCode to/from B36CharCode
+/**
+ * Converts a Unicode character code to a base-36 string.
+ * @param charCode - The character code to convert.
+ * @returns Base-36 encoded character code.
+ */
+export function charCodeToB36(charCode) {
+    if (charCode === null)
+        return '\x00';
+    return charCode.toString(36);
 }
-function b36CharCodeToCharCode(b36CharCode) {
-  if (b36CharCode === null) return 0;
-  const charCode = parseInt(b36CharCode, 36);
-  if (!Number.isInteger(charCode)) return 0;
-  return charCode;
+/**
+ * Converts a base-36 character code string back to a Unicode character code.
+ * @param b36CharCode - Base-36 encoded character code.
+ * @returns Unicode character code.
+ */
+export function b36CharCodeToCharCode(b36CharCode) {
+    if (b36CharCode === null)
+        return 0;
+    const charCode = parseInt(b36CharCode, 36);
+    if (!Number.isInteger(charCode))
+        return 0;
+    return charCode;
 }
-function charToCharCode(char) {
-  const charCode = char.charCodeAt(0);
-  if (!Number.isInteger(charCode)) return 0;
-  return charCode;
+// Char to
+/**
+ * Converts a single character to its Unicode character code.
+ * @param char - The character to convert.
+ * @returns Unicode character code.
+ */
+export function charToCharCode(char) {
+    const charCode = char.charCodeAt(0);
+    if (!Number.isInteger(charCode))
+        return 0;
+    return charCode;
 }
-function charToB36CharCode(char) {
-  const charCode = charToCharCode(char);
-  return charCodeToB36(charCode);
+/**
+ * Converts a single character to its base-36 encoded character code.
+ * @param char - The character to convert.
+ * @returns Base-36 character code.
+ */
+export function charToB36CharCode(char) {
+    const charCode = charToCharCode(char);
+    return charCodeToB36(charCode);
 }
-function charFromCharCode(charCode) {
-  return String.fromCharCode(charCode);
+// Char from
+/**
+ * Returns the character corresponding to a Unicode character code.
+ * @param charCode - Unicode character code.
+ * @returns Single-character string.
+ */
+export function charFromCharCode(charCode) {
+    return String.fromCharCode(charCode);
 }
-function charFromB36CharCode(b36CharCode) {
-  const charCode = parseInt(b36CharCode, 36);
-  if (!Number.isInteger(charCode)) return "\0";
-  return charFromCharCode(charCode);
+/**
+ * Returns the character corresponding to a base-36 encoded character code.
+ * @param b36CharCode - Base-36 character code.
+ * @returns Single-character string.
+ */
+export function charFromB36CharCode(b36CharCode) {
+    const charCode = parseInt(b36CharCode, 36);
+    if (!Number.isInteger(charCode))
+        return '\x00';
+    return charFromCharCode(charCode);
 }
-function toCharCodes(string) {
-  const chars = string.split("");
-  return chars.map(charToCharCode);
+// String to
+/**
+ * Converts a string into an array of Unicode character codes.
+ * @param string - Input string.
+ * @returns Array of character codes.
+ */
+export function toCharCodes(string) {
+    const chars = string.split('');
+    return chars.map(charToCharCode);
 }
-function toB36CharCodes(string) {
-  const chars = string.split("");
-  return chars.map(charToB36CharCode);
+/**
+ * Converts a string into an array of base-36 encoded character codes.
+ * @param string - Input string.
+ * @returns Array of base-36 character codes.
+ */
+export function toB36CharCodes(string) {
+    const chars = string.split('');
+    return chars.map(charToB36CharCode);
 }
-function fromCharCodes(charCodes) {
-  return charCodes.map(charFromCharCode).map((char) => char ?? "\0").join("");
+// String from
+/**
+ * Converts an array of Unicode character codes back to a string.
+ * @param charCodes - Array of character codes.
+ * @returns Reconstructed string.
+ */
+export function fromCharCodes(charCodes) {
+    return charCodes
+        .map(charFromCharCode)
+        .map(char => char ?? '\x00')
+        .join('');
 }
-function fromB36CharCodes(b36CharCodes) {
-  return b36CharCodes.map(charFromB36CharCode).map((char) => char ?? "\0").join("");
+/**
+ * Converts an array of base-36 encoded character codes back to a string.
+ * @param b36CharCodes - Array of base-36 character codes.
+ * @returns Reconstructed string.
+ */
+export function fromB36CharCodes(b36CharCodes) {
+    return b36CharCodes
+        .map(charFromB36CharCode)
+        .map(char => char ?? '\x00')
+        .join('');
 }
-function serialize(charCodes) {
-  return charCodes.map((c) => typeof c === "string" ? c : charCodeToB36(c)).join(",");
+// Serialization
+/**
+ * Serializes an array of character codes (Unicode or base-36) into a string.
+ * @param charCodes - Array of character codes to serialize.
+ * @returns Serialized string representation.
+ */
+export function serialize(charCodes) {
+    return charCodes
+        .map(c => typeof c === 'string' ? c : charCodeToB36(c))
+        .join(',');
 }
-function deserialize(serializedCharCodes) {
-  const b36CharCodes = serializedCharCodes.split("");
-  return b36CharCodes.map(b36CharCodeToCharCode);
+/**
+ * Deserializes a string of base-36 character codes into an array of Unicode character codes.
+ * @param serializedCharCodes - Serialized string.
+ * @returns Array of Unicode character codes.
+ */
+export function deserialize(serializedCharCodes) {
+    const b36CharCodes = serializedCharCodes.split('');
+    return b36CharCodes.map(b36CharCodeToCharCode);
 }
-function fromSerialized(serializedCharCodes) {
-  const charCodes = deserialize(serializedCharCodes);
-  return fromCharCodes(charCodes);
+/**
+ * Deserializes a string of base-36 character codes and reconstructs the original string.
+ * @param serializedCharCodes - Serialized string.
+ * @returns Original string.
+ */
+export function fromSerialized(serializedCharCodes) {
+    const charCodes = deserialize(serializedCharCodes);
+    return fromCharCodes(charCodes);
 }
-export {
-  b36CharCodeToCharCode,
-  charCodeToB36,
-  charFromB36CharCode,
-  charFromCharCode,
-  charToB36CharCode,
-  charToCharCode,
-  deserialize,
-  fromB36CharCodes,
-  fromCharCodes,
-  fromSerialized,
-  serialize,
-  toB36CharCodes,
-  toCharCodes
-};