@diplodoc/transform 4.63.2 → 4.63.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/css/_yfm-only.css.map +2 -2
- package/dist/css/_yfm-only.min.css.map +2 -2
- package/dist/css/base.css.map +2 -2
- package/dist/css/base.min.css.map +2 -2
- package/dist/css/print.css.map +2 -2
- package/dist/css/yfm.css.map +2 -2
- package/dist/css/yfm.min.css.map +2 -2
- package/dist/js/base.js +1 -1
- package/dist/js/base.js.map +2 -2
- package/dist/js/base.min.js +1 -1
- package/dist/js/base.min.js.map +2 -2
- package/dist/js/yfm.js +1 -1
- package/dist/js/yfm.js.map +2 -2
- package/dist/js/yfm.min.js +1 -1
- package/dist/js/yfm.min.js.map +2 -2
- package/lib/plugins/table/attrs.d.ts +18 -0
- package/lib/plugins/table/attrs.js +172 -0
- package/lib/plugins/table/attrs.js.map +1 -0
- package/lib/sanitize.js +110 -2
- package/lib/sanitize.js.map +1 -1
- package/package.json +1 -1
- package/src/js/code.ts +1 -1
- package/src/transform/sanitize.ts +142 -5
|
@@ -0,0 +1,172 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
|
|
3
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
|
|
4
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
|
|
5
|
+
return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
|
|
6
|
+
};
|
|
7
|
+
var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
|
|
8
|
+
if (kind === "m") throw new TypeError("Private method is not writable");
|
|
9
|
+
if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
|
|
10
|
+
if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
|
|
11
|
+
return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
|
|
12
|
+
};
|
|
13
|
+
var _AttrsParser_key, _AttrsParser_pending, _AttrsParser_isInsideQuotation, _AttrsParser_didQuotationClosed, _AttrsParser_currentKeyType, _AttrsParser_selectors, _AttrsParser_handlers, _AttrsParser_state;
|
|
14
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
15
|
+
exports.AttrsParser = void 0;
|
|
16
|
+
class AttrsParser {
|
|
17
|
+
constructor() {
|
|
18
|
+
this.DELIMITER = '=';
|
|
19
|
+
this.SEPARATOR = ' ';
|
|
20
|
+
this.QUOTATION = '"';
|
|
21
|
+
/* allowed in keys / values chars */
|
|
22
|
+
this.ALLOWED_CHARS = /[a-zA-Z0-9_\- {}.|/]/;
|
|
23
|
+
/* allowed in all query chars */
|
|
24
|
+
this.VALIDATION_CHARS = /[a-zA-Z0-9_\- {}.#="|/]/;
|
|
25
|
+
_AttrsParser_key.set(this, '');
|
|
26
|
+
_AttrsParser_pending.set(this, '');
|
|
27
|
+
_AttrsParser_isInsideQuotation.set(this, false);
|
|
28
|
+
_AttrsParser_didQuotationClosed.set(this, false);
|
|
29
|
+
_AttrsParser_currentKeyType.set(this, void 0);
|
|
30
|
+
_AttrsParser_selectors.set(this, {
|
|
31
|
+
id: /#/,
|
|
32
|
+
class: /\./,
|
|
33
|
+
attr: /[a-zA-Z-_]/,
|
|
34
|
+
});
|
|
35
|
+
_AttrsParser_handlers.set(this, Object.entries(__classPrivateFieldGet(this, _AttrsParser_selectors, "f")));
|
|
36
|
+
_AttrsParser_state.set(this, {});
|
|
37
|
+
}
|
|
38
|
+
parse(target) {
|
|
39
|
+
/* escape from {} */
|
|
40
|
+
const content = this.extract(target);
|
|
41
|
+
if (!content) {
|
|
42
|
+
return {};
|
|
43
|
+
}
|
|
44
|
+
for (const char of content) {
|
|
45
|
+
this.next(char);
|
|
46
|
+
}
|
|
47
|
+
/* end-of-content mark */
|
|
48
|
+
this.next(this.SEPARATOR);
|
|
49
|
+
this.clear();
|
|
50
|
+
return __classPrivateFieldGet(this, _AttrsParser_state, "f");
|
|
51
|
+
}
|
|
52
|
+
extract(target) {
|
|
53
|
+
if (!target.startsWith('{')) {
|
|
54
|
+
return false;
|
|
55
|
+
}
|
|
56
|
+
let balance = 1;
|
|
57
|
+
for (let i = 1; i < target.length; i++) {
|
|
58
|
+
const char = target[i];
|
|
59
|
+
if (char === '}') {
|
|
60
|
+
balance--;
|
|
61
|
+
}
|
|
62
|
+
if (char === '{') {
|
|
63
|
+
balance++;
|
|
64
|
+
}
|
|
65
|
+
if (balance === 0) {
|
|
66
|
+
const contentInside = target.slice(1, i).trim();
|
|
67
|
+
return contentInside;
|
|
68
|
+
}
|
|
69
|
+
if (balance < 0) {
|
|
70
|
+
return false;
|
|
71
|
+
}
|
|
72
|
+
if (!this.VALIDATION_CHARS.test(char)) {
|
|
73
|
+
return false;
|
|
74
|
+
}
|
|
75
|
+
}
|
|
76
|
+
return false;
|
|
77
|
+
}
|
|
78
|
+
next(value) {
|
|
79
|
+
if (!__classPrivateFieldGet(this, _AttrsParser_currentKeyType, "f")) {
|
|
80
|
+
__classPrivateFieldSet(this, _AttrsParser_currentKeyType, this.type(value), "f");
|
|
81
|
+
if (__classPrivateFieldGet(this, _AttrsParser_currentKeyType, "f") === 'attr') {
|
|
82
|
+
__classPrivateFieldSet(this, _AttrsParser_pending, value, "f");
|
|
83
|
+
}
|
|
84
|
+
return;
|
|
85
|
+
}
|
|
86
|
+
if (this.isSeparator(value)) {
|
|
87
|
+
if (!__classPrivateFieldGet(this, _AttrsParser_pending, "f")) {
|
|
88
|
+
/* (name= ) construction */
|
|
89
|
+
if (!__classPrivateFieldGet(this, _AttrsParser_isInsideQuotation, "f")) {
|
|
90
|
+
this.append(__classPrivateFieldGet(this, _AttrsParser_key, "f"), ' ');
|
|
91
|
+
this.clear();
|
|
92
|
+
return;
|
|
93
|
+
}
|
|
94
|
+
}
|
|
95
|
+
/* single key (.name #id contenteditable) */
|
|
96
|
+
if (!__classPrivateFieldGet(this, _AttrsParser_key, "f") && __classPrivateFieldGet(this, _AttrsParser_pending, "f")) {
|
|
97
|
+
this.append();
|
|
98
|
+
this.clear();
|
|
99
|
+
return;
|
|
100
|
+
}
|
|
101
|
+
/* trying to find close quotation */
|
|
102
|
+
if (__classPrivateFieldGet(this, _AttrsParser_isInsideQuotation, "f") && !__classPrivateFieldGet(this, _AttrsParser_didQuotationClosed, "f")) {
|
|
103
|
+
__classPrivateFieldSet(this, _AttrsParser_pending, __classPrivateFieldGet(this, _AttrsParser_pending, "f") + value, "f");
|
|
104
|
+
return;
|
|
105
|
+
}
|
|
106
|
+
if (__classPrivateFieldGet(this, _AttrsParser_isInsideQuotation, "f") && __classPrivateFieldGet(this, _AttrsParser_didQuotationClosed, "f")) {
|
|
107
|
+
this.append(__classPrivateFieldGet(this, _AttrsParser_key, "f"), __classPrivateFieldGet(this, _AttrsParser_pending, "f"));
|
|
108
|
+
}
|
|
109
|
+
if (!__classPrivateFieldGet(this, _AttrsParser_isInsideQuotation, "f") && !__classPrivateFieldGet(this, _AttrsParser_didQuotationClosed, "f")) {
|
|
110
|
+
this.append(__classPrivateFieldGet(this, _AttrsParser_key, "f"), __classPrivateFieldGet(this, _AttrsParser_pending, "f"));
|
|
111
|
+
}
|
|
112
|
+
this.clear();
|
|
113
|
+
return;
|
|
114
|
+
}
|
|
115
|
+
if (this.isAllowedChar(value)) {
|
|
116
|
+
__classPrivateFieldSet(this, _AttrsParser_pending, __classPrivateFieldGet(this, _AttrsParser_pending, "f") + value, "f");
|
|
117
|
+
return;
|
|
118
|
+
}
|
|
119
|
+
if (this.isQuotation(value)) {
|
|
120
|
+
if (__classPrivateFieldGet(this, _AttrsParser_isInsideQuotation, "f")) {
|
|
121
|
+
__classPrivateFieldSet(this, _AttrsParser_didQuotationClosed, true, "f");
|
|
122
|
+
}
|
|
123
|
+
else {
|
|
124
|
+
__classPrivateFieldSet(this, _AttrsParser_isInsideQuotation, true, "f");
|
|
125
|
+
}
|
|
126
|
+
}
|
|
127
|
+
if (this.isDelimiter(value)) {
|
|
128
|
+
/* symbol is not delimiter, adding it to value */
|
|
129
|
+
if (__classPrivateFieldGet(this, _AttrsParser_key, "f")) {
|
|
130
|
+
__classPrivateFieldSet(this, _AttrsParser_pending, __classPrivateFieldGet(this, _AttrsParser_pending, "f") + value, "f");
|
|
131
|
+
return;
|
|
132
|
+
}
|
|
133
|
+
__classPrivateFieldSet(this, _AttrsParser_key, __classPrivateFieldGet(this, _AttrsParser_pending, "f"), "f");
|
|
134
|
+
__classPrivateFieldSet(this, _AttrsParser_pending, '', "f");
|
|
135
|
+
}
|
|
136
|
+
}
|
|
137
|
+
type(of) {
|
|
138
|
+
var _a;
|
|
139
|
+
return (_a = __classPrivateFieldGet(this, _AttrsParser_handlers, "f").find(([_, regex]) => regex.test(of))) === null || _a === void 0 ? void 0 : _a[0];
|
|
140
|
+
}
|
|
141
|
+
append(key = __classPrivateFieldGet(this, _AttrsParser_currentKeyType, "f"), value = __classPrivateFieldGet(this, _AttrsParser_pending, "f")) {
|
|
142
|
+
if (!key) {
|
|
143
|
+
return;
|
|
144
|
+
}
|
|
145
|
+
if (!__classPrivateFieldGet(this, _AttrsParser_state, "f")[key]) {
|
|
146
|
+
__classPrivateFieldGet(this, _AttrsParser_state, "f")[key] = [];
|
|
147
|
+
}
|
|
148
|
+
__classPrivateFieldGet(this, _AttrsParser_state, "f")[key].push(value);
|
|
149
|
+
}
|
|
150
|
+
clear() {
|
|
151
|
+
__classPrivateFieldSet(this, _AttrsParser_key, '', "f");
|
|
152
|
+
__classPrivateFieldSet(this, _AttrsParser_pending, '', "f");
|
|
153
|
+
__classPrivateFieldSet(this, _AttrsParser_isInsideQuotation, false, "f");
|
|
154
|
+
__classPrivateFieldSet(this, _AttrsParser_didQuotationClosed, false, "f");
|
|
155
|
+
__classPrivateFieldSet(this, _AttrsParser_currentKeyType, undefined, "f");
|
|
156
|
+
}
|
|
157
|
+
isDelimiter(target) {
|
|
158
|
+
return target === this.DELIMITER;
|
|
159
|
+
}
|
|
160
|
+
isSeparator(target) {
|
|
161
|
+
return target === this.SEPARATOR;
|
|
162
|
+
}
|
|
163
|
+
isQuotation(target) {
|
|
164
|
+
return target === this.QUOTATION;
|
|
165
|
+
}
|
|
166
|
+
isAllowedChar(target) {
|
|
167
|
+
return this.ALLOWED_CHARS.test(target);
|
|
168
|
+
}
|
|
169
|
+
}
|
|
170
|
+
exports.AttrsParser = AttrsParser;
|
|
171
|
+
_AttrsParser_key = new WeakMap(), _AttrsParser_pending = new WeakMap(), _AttrsParser_isInsideQuotation = new WeakMap(), _AttrsParser_didQuotationClosed = new WeakMap(), _AttrsParser_currentKeyType = new WeakMap(), _AttrsParser_selectors = new WeakMap(), _AttrsParser_handlers = new WeakMap(), _AttrsParser_state = new WeakMap();
|
|
172
|
+
//# sourceMappingURL=attrs.js.map
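Review bot: `append()` indexes the plain-object `#state` with the raw attribute name, so a cell annotation such as `{constructor=x}` or `{toString=x}` finds an inherited, truthy property and `.push` throws a TypeError, letting attacker-controlled markdown abort the transform; `{__proto__=x}` hits the same inherited accessor. Initialise the map without a prototype, `_AttrsParser_state.set(this, Object.create(null));`, so only own keys are ever seen. `clear()` also leaves `#state` untouched, so a parser instance reused across `parse()` calls accumulates attributes from earlier cells; if the table plugin (not in this diff) reuses instances, reset the state at the top of `parse()`. Finally, any name whose first character matches `/[a-zA-Z-_]/` becomes a key — including `onclick`-style handler names — so the output is only as safe as the allowlist the caller applies to it, which is not visible here.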
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"attrs.js","sourceRoot":"","sources":["../../../src/transform/plugins/table/attrs.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAEA,MAAa,WAAW;IAAxB;QACI,cAAS,GAAG,GAAG,CAAC;QAChB,cAAS,GAAG,GAAG,CAAC;QAChB,cAAS,GAAG,GAAG,CAAC;QAChB,oCAAoC;QACpC,kBAAa,GAAG,sBAAsB,CAAC;QACvC,gCAAgC;QAChC,qBAAgB,GAAG,yBAAyB,CAAC;QAE7C,2BAAO,EAAE,EAAC;QACV,+BAAW,EAAE,EAAC;QACd,yCAAqB,KAAK,EAAC;QAC3B,0CAAsB,KAAK,EAAC;QAC5B,8CAAmC;QAEnC,iCAAoC;YAChC,EAAE,EAAE,GAAG;YACP,KAAK,EAAE,IAAI;YACX,IAAI,EAAE,YAAY;SACrB,EAAC;QAEF,gCAAY,MAAM,CAAC,OAAO,CAAC,uBAAA,IAAI,8BAAW,CAAsB,EAAC;QACjE,6BAAmC,EAAE,EAAC;IA8K1C,CAAC;IA5KG,KAAK,CAAC,MAAc;QAChB,oBAAoB;QACpB,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAErC,IAAI,CAAC,OAAO,EAAE;YACV,OAAO,EAAE,CAAC;SACb;QAED,KAAK,MAAM,IAAI,IAAI,OAAO,EAAE;YACxB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;SACnB;QAED,yBAAyB;QACzB,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAE1B,IAAI,CAAC,KAAK,EAAE,CAAC;QAEb,OAAO,uBAAA,IAAI,0BAAO,CAAC;IACvB,CAAC;IAEO,OAAO,CAAC,MAAc;QAC1B,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE;YACzB,OAAO,KAAK,CAAC;SAChB;QACD,IAAI,OAAO,GAAG,CAAC,CAAC;QAEhB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;YACpC,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;YAEvB,IAAI,IAAI,KAAK,GAAG,EAAE;gBACd,OAAO,EAAE,CAAC;aACb;YAED,IAAI,IAAI,KAAK,GAAG,EAAE;gBACd,OAAO,EAAE,CAAC;aACb;YAED,IAAI,OAAO,KAAK,CAAC,EAAE;gBACf,MAAM,aAAa,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAEhD,OAAO,aAAa,CAAC;aACxB;YAED,IAAI,OAAO,GAAG,CAAC,EAAE;gBACb,OAAO,KAAK,CAAC;aAChB;YAED,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBACnC,OAAO,KAAK,CAAC;aAChB;SACJ;QAED,OAAO,KAAK,CAAC;IACjB,CAAC;IAEO,IAAI,CAAC,KAAa;QACtB,IAAI,CAAC,uBAAA,IAAI,mCAAgB,EAAE;YACvB,uBAAA,IAAI,+BAAmB,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAA,CAAC;YAExC,IAAI,uBAAA,IAAI,mCAAgB,KAAK,MAAM,EAAE;gBACjC,uBAAA,IAAI,wBAAY,KAAK,MAAA,CAAC;aACzB;YAED,OAAO;SACV;QAED,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE;YACzB,IAAI,CAAC,uBAAA,IAAI,4BAAS,EAAE;gBAChB,2BAA2B;gBAC3B,IAAI,CAAC,u
BAAA,IAAI,sCAAmB,EAAE;oBAC1B,IAAI,CAAC,MAAM,CAAC,uBAAA,IAAI,wBAAK,EAAE,GAAG,CAAC,CAAC;oBAC5B,IAAI,CAAC,KAAK,EAAE,CAAC;oBAEb,OAAO;iBACV;aACJ;YAED,4CAA4C;YAC5C,IAAI,CAAC,uBAAA,IAAI,wBAAK,IAAI,uBAAA,IAAI,4BAAS,EAAE;gBAC7B,IAAI,CAAC,MAAM,EAAE,CAAC;gBACd,IAAI,CAAC,KAAK,EAAE,CAAC;gBAEb,OAAO;aACV;YAED,oCAAoC;YACpC,IAAI,uBAAA,IAAI,sCAAmB,IAAI,CAAC,uBAAA,IAAI,uCAAoB,EAAE;gBACtD,6GAAiB,KAAK,MAAA,CAAC;gBACvB,OAAO;aACV;YAED,IAAI,uBAAA,IAAI,sCAAmB,IAAI,uBAAA,IAAI,uCAAoB,EAAE;gBACrD,IAAI,CAAC,MAAM,CAAC,uBAAA,IAAI,wBAAK,EAAE,uBAAA,IAAI,4BAAS,CAAC,CAAC;aACzC;YAED,IAAI,CAAC,uBAAA,IAAI,sCAAmB,IAAI,CAAC,uBAAA,IAAI,uCAAoB,EAAE;gBACvD,IAAI,CAAC,MAAM,CAAC,uBAAA,IAAI,wBAAK,EAAE,uBAAA,IAAI,4BAAS,CAAC,CAAC;aACzC;YAED,IAAI,CAAC,KAAK,EAAE,CAAC;YAEb,OAAO;SACV;QAED,IAAI,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,EAAE;YAC3B,6GAAiB,KAAK,MAAA,CAAC;YAEvB,OAAO;SACV;QAED,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE;YACzB,IAAI,uBAAA,IAAI,sCAAmB,EAAE;gBACzB,uBAAA,IAAI,mCAAuB,IAAI,MAAA,CAAC;aACnC;iBAAM;gBACH,uBAAA,IAAI,kCAAsB,IAAI,MAAA,CAAC;aAClC;SACJ;QAED,IAAI,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE;YACzB,iDAAiD;YACjD,IAAI,uBAAA,IAAI,wBAAK,EAAE;gBACX,6GAAiB,KAAK,MAAA,CAAC;gBAEvB,OAAO;aACV;YAED,uBAAA,IAAI,oBAAQ,uBAAA,IAAI,4BAAS,MAAA,CAAC;YAC1B,uBAAA,IAAI,wBAAY,EAAE,MAAA,CAAC;SACtB;IACL,CAAC;IAEO,IAAI,CAAC,EAAU;;QACnB,OAAO,MAAA,uBAAA,IAAI,6BAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,0CAAG,CAAC,CAAC,CAAC;IACpE,CAAC;IAEO,MAAM,CAAC,MAA0B,uBAAA,IAAI,mCAAgB,EAAE,QAAgB,uBAAA,IAAI,4BAAS;QACxF,IAAI,CAAC,GAAG,EAAE;YACN,OAAO;SACV;QAED,IAAI,CAAC,uBAAA,IAAI,0BAAO,CAAC,GAAG,CAAC,EAAE;YACnB,uBAAA,IAAI,0BAAO,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;SACzB;QAED,uBAAA,IAAI,0BAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACjC,CAAC;IAEO,KAAK;QACT,uBAAA,IAAI,oBAAQ,EAAE,MAAA,CAAC;QACf,uBAAA,IAAI,wBAAY,EAAE,MAAA,CAAC;QAEnB,uBAAA,IAAI,kCAAsB,KAAK,MAAA,CAAC;QAChC,uBAAA,IAAI,mCAAuB,KAAK,MAAA,CAAC;QAEjC,uBAAA,IAAI,+BAAmB,SAAS,MAAA,CAAC;IACrC,CAAC;IAEO,WAAW,CAAC,MAAc;QAC9B,OAAO,MAAM,KAAK,IAAI,CAAC,SAAS,CAA
C;IACrC,CAAC;IAEO,WAAW,CAAC,MAAc;QAC9B,OAAO,MAAM,KAAK,IAAI,CAAC,SAAS,CAAC;IACrC,CAAC;IAEO,WAAW,CAAC,MAAc;QAC9B,OAAO,MAAM,KAAK,IAAI,CAAC,SAAS,CAAC;IACrC,CAAC;IAEO,aAAa,CAAC,MAAc;QAChC,OAAO,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC3C,CAAC;CACJ;AApMD,kCAoMC"}
|
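--- a/package/lib/sanitize.js
+++ b/package/lib/sanitize.js
@@ -548,6 +548,109 @@ exports.defaultOptions = Object.assign(Object.assign({}, sanitize_html_1.default
 ], allowVulnerableTags: true, parser: exports.defaultParseOptions, cssWhiteList: defaultCssWhitelist, transformTags: {
 use: useTagTransformer,
 } });
+// dangerous patterns
+const DANGEROUS_TAGS_RE = /<\s*(script|iframe|object|embed|svg|img|video|audio|link|meta|base|form|style|template|math|foreignobject)\b/i;
+const CLOSE_STYLE_RE = /<\s*\/\s*style/i;
+const DANGEROUS_URL_RE = /url\s*\(\s*['"]?\s*(?:javascript:|vbscript:|data\s*:\s*(?:text\/html|application\/xhtml\+xml|image\/svg\+xml))/i;
+const IE_EXPR_RE = /expression\s*\(/i;
+const IE_BEHAVIOR_RE = /behavior\s*:/i;
+const MOZ_BINDING_RE = /-moz-binding\s*:/i;
+const AT_RULES_RE = /@(?:import|charset|namespace)\b/i;
+const COMMENTS_RE = /\/\*[^]*?\*\//g; // CSS comments: /* ... */
+// control characters (C0/C1) and BiDi override characters that can hide malicious content
+const CTRL_BIDI_RE = new RegExp([
+String.raw `[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]`,
+String.raw `[\u202A-\u202E\u2066-\u2069]`, // BiDi overrides
+].join('|'), 'g');
+const SAFE_VALUE_FAST_CHECK_RE = /[<&\\/]|@|url\s*\(|expression|behavior|-moz-binding/i;
+// backslash (CSS escapes), ampersand (HTML entities), BiDi overrides
+const FAST_PATH_RE = /[\\&\u202A-\u202E\u2066-\u2069]/;
+// combined regex for decoding CSS escapes and HTML entities
+const RE_DECODE = new RegExp([
+String.raw `\\([0-9A-Fa-f]{1,6})\s?`,
+String.raw `&#x([0-9A-Fa-f]{1,6});`,
+String.raw `&#(\d{1,7});`,
+String.raw `&([a-zA-Z][a-zA-Z0-9]{1,31});`, // HTML named entities: < or & → '<' or '&'
+].join('|'), 'g');
+const htmlEntities = {
+lt: '<',
+gt: '>',
+quot: '"',
+apos: "'",
+amp: '&',
+newline: '\n',
+tab: '\t',
+colon: ':',
+sol: '/',
+lpar: '(',
+rpar: ')',
+};
+// Decodes a single escaped or encoded token
+function decodeToken(whole, cssHex, htmlHex, htmlDec, named) {
+var _a;
+if (cssHex) {
+return String.fromCodePoint(parseInt(cssHex, 16) || 0);
+}
+if (htmlHex) {
+return String.fromCodePoint(parseInt(htmlHex, 16) || 0);
+}
+if (htmlDec) {
+return String.fromCodePoint(parseInt(htmlDec, 10) || 0);
+}
+if (named) {
+const rep = (_a = htmlEntities[named]) !== null && _a !== void 0 ? _a : htmlEntities[named.toLowerCase()];
+if (rep) {
+return rep;
+}
+}
+return whole;
+}
+// Normalize CSS value by decoding HTML entities and CSS escapes
+function normalizeCssValue(value) {
+let normalized = String(value !== null && value !== void 0 ? value : '');
+// early-exit if no special chars
+if (!FAST_PATH_RE.test(normalized)) {
+return normalized;
+}
+// 1. remove CSS comments to prevent hiding escapes inside /* ... */
+// 2. strip control characters and BiDi overrides
+// 3. decode all CSS escapes and HTML entities in one pass
+normalized = normalized
+.replace(COMMENTS_RE, '')
+.replace(CTRL_BIDI_RE, '')
+.replace(RE_DECODE, decodeToken);
+// unicode normalization (NFKC) to prevent homograph attacks
+try {
+normalized = normalized.normalize('NFKC');
+}
+catch (_) {
+// silent fail: logging the value could expose sensitive data
+}
+return normalized;
+}
+// checks if a CSS value is safe from XSS attacks
+function isSafeCssValue(property, value) {
+const prop = property.toLowerCase();
+const isContentProperty = prop === 'content';
+// normalize first to prevent bypasses via comments/escapes
+const normalized = normalizeCssValue(value);
+// early-exit for trivial safe values
+if (!SAFE_VALUE_FAST_CHECK_RE.test(normalized)) {
+return true;
+}
+// сheck if normalized value looks like an HTML tag
+const looksLikeTag = /<[^>]{0,128}>/i.test(normalized);
+const dangerousPatterns = [
+looksLikeTag && CLOSE_STYLE_RE,
+!isContentProperty && looksLikeTag && DANGEROUS_TAGS_RE,
+DANGEROUS_URL_RE,
+IE_EXPR_RE,
+IE_BEHAVIOR_RE,
+MOZ_BINDING_RE,
+AT_RULES_RE, // @import, @charset, @namespace
+].filter(Boolean);
+return !dangerousPatterns.some((pattern) => pattern.test(normalized));
+}
 function sanitizeStyleTags(dom, cssWhiteList) {
 const styleTags = dom('style');
 styleTags.each((_index, element) => {
@@ -566,9 +669,14 @@ function sanitizeStyleTags(dom, cssWhiteList) {
 if (!declaration.property || !declaration.value) {
 return false;
 }
-const
+const prop = String(declaration.property).toLowerCase();
+const val = String(declaration.value);
+if (!isSafeCssValue(prop, val)) {
+return false;
+}
+const isWhiteListed = Boolean(cssWhiteList[prop]);
 if (isWhiteListed) {
-declaration.value = cssfilter_1.default.safeAttrValue(
+declaration.value = cssfilter_1.default.safeAttrValue(prop, val);
 }
 if (!declaration.value) {
 return false;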
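Review bot: `normalizeCssValue` returns the raw value whenever `FAST_PATH_RE` finds no backslash, ampersand or BiDi character, so the comment stripping, control-character stripping and NFKC steps below it never run for values such as `expr/**/ession(` or full-width `ｕｒｌ(` — exactly the obfuscations those steps exist for (whether `css.parse` has already removed comments from declaration values is not visible here). Widen the gate or drop it: `const FAST_PATH_RE = /[\\&\/\u0000-\u001F\u007F]|[^\u0000-\u007F]/;` makes every normalization step reachable, and the value is short enough that the extra regex passes cost nothing. Separately, `decodeToken` feeds `parseInt` results straight into `String.fromCodePoint`, which throws `RangeError` above 0x10FFFF (`\FFFFFF`, `&#1114112;`); that exception escapes the declaration filter and, judging by the try/catch around it in `sanitizeStyleTags` (outside this hunk), drops the whole `<style>` element — fail-closed, but a one-token way to blank a stylesheet; map out-of-range values to U+FFFD as the CSS syntax spec does, e.g. `const cp = parseInt(cssHex, 16); return cp > 0x10ffff ? '\uFFFD' : String.fromCodePoint(cp || 0);`. The enclosing `sanitizeStyleTags` body starts and ends outside the second hunk.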
package/lib/sanitize.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../src/transform/sanitize.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGA,kEAAyC;AACzC,aAAa;AACb,0DAAkC;AAClC,iDAAmC;AACnC,8CAAsB;AAEtB,gDAAwB;AAQxB,MAAM,QAAQ,GAAG;IACb,GAAG;IACH,MAAM;IACN,SAAS;IACT,SAAS;IACT,MAAM;IACN,SAAS;IACT,OAAO;IACP,OAAO;IACP,GAAG;IACH,KAAK;IACL,KAAK;IACL,KAAK;IACL,OAAO;IACP,YAAY;IACZ,MAAM;IACN,IAAI;IACJ,QAAQ;IACR,QAAQ;IACR,SAAS;IACT,QAAQ;IACR,MAAM;IACN,MAAM;IACN,KAAK;IACL,UAAU;IACV,SAAS;IACT,MAAM;IACN,UAAU;IACV,IAAI;IACJ,WAAW;IACX,KAAK;IACL,SAAS;IACT,KAAK;IACL,QAAQ;IACR,KAAK;IACL,KAAK;IACL,IAAI;IACJ,IAAI;IACJ,SAAS;IACT,IAAI;IACJ,UAAU;IACV,YAAY;IACZ,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,IAAI;IACJ,MAAM;IACN,GAAG;IACH,KAAK;IACL,OAAO;IACP,KAAK;IACL,KAAK;IACL,OAAO;IACP,QAAQ;IACR,IAAI;IACJ,MAAM;IACN,KAAK;IACL,MAAM;IACN,SAAS;IACT,MAAM;IACN,UAAU;IACV,OAAO;IACP,KAAK;IACL,MAAM;IACN,IAAI;IACJ,UAAU;IACV,QAAQ;IACR,QAAQ;IACR,GAAG;IACH,SAAS;IACT,KAAK;IACL,UAAU;IACV,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,MAAM;IACN,GAAG;IACH,MAAM;IACN,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,KAAK;IACL,SAAS;IACT,KAAK;IACL,OAAO;IACP,OAAO;IACP,IAAI;IACJ,UAAU;IACV,UAAU;IACV,OAAO;IACP,IAAI;IACJ,OAAO;IACP,MAAM;IACN,IAAI;IACJ,OAAO;IACP,IAAI;IACJ,GAAG;IACH,IAAI;IACJ,KAAK;IACL,OAAO;IACP,KAAK;IACL,QAAQ;IACR,OAAO;CACV,CAAC;AAEF,MAAM,OAAO,GAAG;IACZ,KAAK;IACL,UAAU;IACV,aAAa;IACb,cAAc;IACd,cAAc;IACd,eAAe;IACf,kBAAkB;IAClB,QAAQ;IACR,UAAU;IACV,MAAM;IACN,MAAM;IACN,SAAS;IACT,QAAQ;IACR,MAAM;IACN,GAAG;IACH,OAAO;IACP,UAAU;IACV,OAAO;IACP,OAAO;IACP,MAAM;IACN,gBAAgB;IAChB,QAAQ;IACR,MAAM;IACN,UAAU;IACV,OAAO;IACP,MAAM;IACN,SAAS;IACT,SAAS;IACT,UAAU;IACV,gBAAgB;IAChB,MAAM;IACN,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,UAAU;IACV,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,OAAO;IACP,SAAS;IACT,KAAK;CACR,CAAC;AAEF,MAAM,SAAS,GAAG;IACd,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,KAAK;IACL,gBAAgB;IAChB,cAAc;IACd,sBAAsB;IACtB,UAAU;IACV,
YAAY;IACZ,SAAS;IACT,QAAQ;IACR,SAAS;IACT,aAAa;IACb,aAAa;IACb,SAAS;IACT,MAAM;IACN,OAAO;IACP,OAAO;IACP,OAAO;IACP,MAAM;IACN,SAAS;IACT,UAAU;IACV,cAAc;IACd,QAAQ;IACR,aAAa;IACb,UAAU;IACV,UAAU;IACV,SAAS;IACT,KAAK;IACL,UAAU;IACV,yBAAyB;IACzB,uBAAuB;IACvB,UAAU;IACV,WAAW;IACX,SAAS;IACT,cAAc;IACd,MAAM;IACN,KAAK;IACL,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,MAAM;IACN,UAAU;IACV,IAAI;IACJ,WAAW;IACX,WAAW;IACX,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,MAAM;IACN,SAAS;IACT,MAAM;IACN,KAAK;IACL,KAAK;IACL,WAAW;IACX,OAAO;IACP,QAAQ;IACR,KAAK;IACL,WAAW;IACX,UAAU;IACV,OAAO;IACP,MAAM;IACN,OAAO;IACP,SAAS;IACT,YAAY;IACZ,QAAQ;IACR,MAAM;IACN,SAAS;IACT,SAAS;IACT,aAAa;IACb,aAAa;IACb,QAAQ;IACR,SAAS;IACT,SAAS;IACT,YAAY;IACZ,UAAU;IACV,KAAK;IACL,UAAU;IACV,KAAK;IACL,UAAU;IACV,MAAM;IACN,MAAM;IACN,SAAS;IACT,YAAY;IACZ,OAAO;IACP,UAAU;IACV,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,SAAS;IACT,OAAO;IACP,KAAK;IACL,QAAQ;IACR,MAAM;IACN,OAAO;IACP,SAAS;IACT,UAAU;IACV,OAAO;IACP,WAAW;IACX,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,OAAO;IACP,OAAO;IACP,MAAM;IACN,aAAa;IACb,WAAW;IACX,OAAO;IACP,QAAQ;IACR,eAAe;IACf,aAAa;IACb,gBAAgB;IAChB,kBAAkB;IAClB,QAAQ;IACR,cAAc;IACd,eAAe;CAClB,CAAC;AAEF,MAAM,QAAQ,GAAG;IACb,SAAS;IACT,eAAe;IACf,YAAY;IACZ,UAAU;IACV,oBAAoB;IACpB,QAAQ;IACR,eAAe;IACf,eAAe;IACf,SAAS;IACT,eAAe;IACf,gBAAgB;IAChB,OAAO;IACP,MAAM;IACN,IAAI;IACJ,OAAO;IACP,MAAM;IACN,eAAe;IACf,WAAW;IACX,WAAW;IACX,OAAO;IACP,qBAAqB;IACrB,6BAA6B;IAC7B,eAAe;IACf,iBAAiB;IACjB,IAAI;IACJ,IAAI;IACJ,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,iBAAiB;IACjB,WAAW;IACX,SAAS;IACT,SAAS;IACT,KAAK;IACL,UAAU;IACV,WAAW;IACX,KAAK;IACL,MAAM;IACN,cAAc;IACd,WAAW;IACX,QAAQ;IACR,aAAa;IACb,aAAa;IACb,eAAe;IACf,aAAa;IACb,WAAW;IACX,kBAAkB;IAClB,cAAc;IACd,YAAY;IACZ,cAAc;IACd,aAAa;IACb,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,YAAY;IACZ,UAAU;IACV,eAAe;IACf,mBAAmB;IACnB,QAAQ;IACR,MAAM;IACN,IAAI;IACJ,iBAAiB;IACjB,IAAI;IACJ,KAAK;IACL,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,SAAS;IACT,WAAW;IACX,YAAY;IACZ,UAAU;IACV,MAAM;IACN,cAAc;IACd,gBAAgB;IAChB,cAAc;IACd,kBAAkB;IAClB,gBAAgB;IAChB,O
AAO;IACP,YAAY;IACZ,YAAY;IACZ,cAAc;IACd,cAAc;IACd,aAAa;IACb,aAAa;IACb,kBAAkB;IAClB,WAAW;IACX,KAAK;IACL,MAAM;IACN,OAAO;IACP,QAAQ;IACR,MAAM;IACN,KAAK;IACL,MAAM;IACN,YAAY;IACZ,QAAQ;IACR,UAAU;IACV,SAAS;IACT,OAAO;IACP,QAAQ;IACR,aAAa;IACb,QAAQ;IACR,UAAU;IACV,aAAa;IACb,MAAM;IACN,YAAY;IACZ,qBAAqB;IACrB,kBAAkB;IAClB,cAAc;IACd,QAAQ;IACR,eAAe;IACf,qBAAqB;IACrB,gBAAgB;IAChB,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,QAAQ;IACR,MAAM;IACN,MAAM;IACN,aAAa;IACb,WAAW;IACX,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,MAAM;IACN,iBAAiB;IACjB,kBAAkB;IAClB,kBAAkB;IAClB,cAAc;IACd,aAAa;IACb,cAAc;IACd,aAAa;IACb,YAAY;IACZ,cAAc;IACd,kBAAkB;IAClB,mBAAmB;IACnB,gBAAgB;IAChB,iBAAiB;IACjB,mBAAmB;IACnB,gBAAgB;IAChB,QAAQ;IACR,cAAc;IACd,OAAO;IACP,cAAc;IACd,gBAAgB;IAChB,UAAU;IACV,SAAS;IACT,SAAS;IACT,WAAW;IACX,aAAa;IACb,iBAAiB;IACjB,gBAAgB;IAChB,YAAY;IACZ,MAAM;IACN,IAAI;IACJ,IAAI;IACJ,SAAS;IACT,QAAQ;IACR,SAAS;IACT,YAAY;IACZ,SAAS;IACT,YAAY;IACZ,eAAe;IACf,eAAe;IACf,OAAO;IACP,cAAc;IACd,MAAM;IACN,cAAc;IACd,kBAAkB;IAClB,kBAAkB;IAClB,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,OAAO;IACP,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,GAAG;IACH,YAAY;IACZ,MAAM;IACN,IAAI;IACJ,YAAY;IACZ,KAAK;CACR,CAAC;AAEF,MAAM,mBAAmB,mCAClB,mBAAS,CAAC,SAAS,KACtB,UAAU,EAAE,IAAI,GACnB,CAAC;AAEF,MAAM,YAAY,GAAG,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;AAE/C,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAC1B,IAAI,GAAG,CAAC,CAAC,GAAG,QAAQ,EAAE,GAAG,OAAO,EAAE,GAAG,uBAAY,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAC3E,CAAC;AACF,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,SAAS,EAAE,GAAG,QAAQ,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;AAE5F,2EAA2E;AAC3E,MAAM,iBAAiB,GAAG,CAAC,OAAe,EAAE,OAAmB,EAAO,EAAE;IACpE,MAAM,SAAS,GAAG,CAAC,IAAY,EAAE,EAAE;QAC/B,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE;YACtB,OAAO,IAAI,CAAC;SACf;aAAM;YACH,OAAO,IAAI,CAAC;SACf;IACL,CAAC,CAAC;IACF,MAAM,UAAU,GAAG,CAAC,KAAiB,EAAc,EAAE;QACjD,MAAM,eAAe,GAAG,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QAC/C,OAAO,MAAM,CAAC,WAAW,CACrB,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC;aAChB,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;YAClB,IAAI,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;gBAC/B,OAA
O,CAAC,GAAG,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;aAClC;YACD,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACxB,CAAC,CAAC;aACD,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,KAAK,KAAK,IAAI,CAAC,CAC9C,CAAC;IACN,CAAC,CAAC;IACF,OAAO;QACH,OAAO;QACP,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC;KAC/B,CAAC;AACN,CAAC,CAAC;AAOW,QAAA,mBAAmB,GAAG;IAC/B,uBAAuB,EAAE,KAAK;CACjC,CAAC;AAEW,QAAA,cAAc,mCACpB,uBAAY,CAAC,QAAQ,KACxB,WAAW,EACX,iBAAiB,kCACV,uBAAY,CAAC,QAAQ,CAAC,iBAAiB,KAC1C,GAAG,EAAE,iBAAiB,KAE1B,iCAAiC,EAAE;QAC/B,GAAG,uBAAY,CAAC,QAAQ,CAAC,iCAAiC;QAC1D,YAAY;QACZ,MAAM;QACN,IAAI;KACP,EACD,mBAAmB,EAAE,IAAI,EACzB,MAAM,EAAE,2BAAmB,EAC3B,YAAY,EAAE,mBAAmB,EACjC,aAAa,EAAE;QACX,GAAG,EAAE,iBAAiB;KACzB,IACH;AAEF,SAAS,iBAAiB,CAAC,GAAuB,EAAE,YAA0B;IAC1E,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC;IAE/B,SAAS,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE;QAC/B,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAEtC,IAAI;YACA,MAAM,SAAS,GAAG,aAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAEvC,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE;gBACvB,OAAO;aACV;YAED,SAAS,CAAC,UAAU,CAAC,KAAK,GAAG,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,CAC1D,CAAC,IAAc,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,KAAK,MAAM,CAC3C,CAAC;YAEF,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAc,EAAE,EAAE;gBAClD,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE;oBACpB,OAAO;iBACV;gBAED,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,WAA4B,EAAE,EAAE;oBAC1E,IAAI,CAAC,WAAW,CAAC,QAAQ,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE;wBAC7C,OAAO,KAAK,CAAC;qBAChB;oBAED,MAAM,aAAa,GAAG,YAAY,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;oBAEzD,IAAI,aAAa,EAAE;wBACf,WAAW,CAAC,KAAK,GAAG,mBAAS,CAAC,aAAa,CACvC,WAAW,CAAC,QAAQ,EACpB,WAAW,CAAC,KAAK,CACpB,CAAC;qBACL;oBAED,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE;wBACpB,OAAO,KAAK,CAAC;qBAChB;oBAED,OAAO,aAAa,CAAC;gBACzB,CAAC,CAAC,CAAC;YACP,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,aAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC;SAC/C;QAAC,OAAO,KAAK,EAAE;YACZ,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;YAEtB,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,KAAK,EAAE,CAAC;YACzE,aAAG,CAAC
,IAAI,CAAC,YAAY,CAAC,CAAC;SAC1B;IACL,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAuB,EAAE,YAA0B;IAC3E,MAAM,OAAO,GAAG;QACZ,SAAS,EAAE,YAAY;KAC1B,CAAC;IACF,MAAM,YAAY,GAAG,IAAI,mBAAS,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAEtD,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE;QAC9B,MAAM,cAAc,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAElD,IAAI,CAAC,cAAc,EAAE;YACjB,OAAO;SACV;QAED,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAgB,cAAc,CAAC,IAAY,EAAE,OAAwB;IACjE,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,EAAE,CAAC;IAEhD,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAE7B,iBAAiB,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IACnC,kBAAkB,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAEpC,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;IACtC,MAAM,OAAO,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;IAEvC,OAAO,MAAM,GAAG,OAAO,CAAC;AAC5B,CAAC;AAZD,wCAYC;AAED,SAAgB,QAAQ,CACpB,IAAY,EACZ,OAAyB,EACzB,iBAAmC;;IAEnC,MAAM,eAAe,GAAG,OAAO,IAAI,sBAAc,CAAC;IAElD,IAAI,iBAAiB,aAAjB,iBAAiB,uBAAjB,iBAAiB,CAAE,YAAY,EAAE;QACjC,eAAe,CAAC,YAAY,mCACrB,eAAe,CAAC,YAAY,GAC5B,iBAAiB,CAAC,YAAY,CACpC,CAAC;KACL;IAED,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAA,eAAe,CAAC,qBAAqB,mCAAI,KAAK,CAAC,CAAC;IAE/E,MAAM,YAAY,GAAG,oBAAoB,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAEzF,OAAO,IAAA,uBAAY,EAAC,YAAY,EAAE,eAAe,CAAC,CAAC;AACvD,CAAC;AAnBD,4BAmBC;AAED,kBAAe,QAAQ,CAAC"}
|
|
1
|
+
{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../src/transform/sanitize.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGA,kEAAyC;AACzC,aAAa;AACb,0DAAkC;AAClC,iDAAmC;AACnC,8CAAsB;AAEtB,gDAAwB;AAQxB,MAAM,QAAQ,GAAG;IACb,GAAG;IACH,MAAM;IACN,SAAS;IACT,SAAS;IACT,MAAM;IACN,SAAS;IACT,OAAO;IACP,OAAO;IACP,GAAG;IACH,KAAK;IACL,KAAK;IACL,KAAK;IACL,OAAO;IACP,YAAY;IACZ,MAAM;IACN,IAAI;IACJ,QAAQ;IACR,QAAQ;IACR,SAAS;IACT,QAAQ;IACR,MAAM;IACN,MAAM;IACN,KAAK;IACL,UAAU;IACV,SAAS;IACT,MAAM;IACN,UAAU;IACV,IAAI;IACJ,WAAW;IACX,KAAK;IACL,SAAS;IACT,KAAK;IACL,QAAQ;IACR,KAAK;IACL,KAAK;IACL,IAAI;IACJ,IAAI;IACJ,SAAS;IACT,IAAI;IACJ,UAAU;IACV,YAAY;IACZ,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,IAAI;IACJ,MAAM;IACN,GAAG;IACH,KAAK;IACL,OAAO;IACP,KAAK;IACL,KAAK;IACL,OAAO;IACP,QAAQ;IACR,IAAI;IACJ,MAAM;IACN,KAAK;IACL,MAAM;IACN,SAAS;IACT,MAAM;IACN,UAAU;IACV,OAAO;IACP,KAAK;IACL,MAAM;IACN,IAAI;IACJ,UAAU;IACV,QAAQ;IACR,QAAQ;IACR,GAAG;IACH,SAAS;IACT,KAAK;IACL,UAAU;IACV,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,MAAM;IACN,GAAG;IACH,MAAM;IACN,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,KAAK;IACL,SAAS;IACT,KAAK;IACL,OAAO;IACP,OAAO;IACP,IAAI;IACJ,UAAU;IACV,UAAU;IACV,OAAO;IACP,IAAI;IACJ,OAAO;IACP,MAAM;IACN,IAAI;IACJ,OAAO;IACP,IAAI;IACJ,GAAG;IACH,IAAI;IACJ,KAAK;IACL,OAAO;IACP,KAAK;IACL,QAAQ;IACR,OAAO;CACV,CAAC;AAEF,MAAM,OAAO,GAAG;IACZ,KAAK;IACL,UAAU;IACV,aAAa;IACb,cAAc;IACd,cAAc;IACd,eAAe;IACf,kBAAkB;IAClB,QAAQ;IACR,UAAU;IACV,MAAM;IACN,MAAM;IACN,SAAS;IACT,QAAQ;IACR,MAAM;IACN,GAAG;IACH,OAAO;IACP,UAAU;IACV,OAAO;IACP,OAAO;IACP,MAAM;IACN,gBAAgB;IAChB,QAAQ;IACR,MAAM;IACN,UAAU;IACV,OAAO;IACP,MAAM;IACN,SAAS;IACT,SAAS;IACT,UAAU;IACV,gBAAgB;IAChB,MAAM;IACN,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,UAAU;IACV,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,OAAO;IACP,SAAS;IACT,KAAK;CACR,CAAC;AAEF,MAAM,SAAS,GAAG;IACd,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,KAAK;IACL,gBAAgB;IAChB,cAAc;IACd,sBAAsB;IACtB,UAAU;IACV,
YAAY;IACZ,SAAS;IACT,QAAQ;IACR,SAAS;IACT,aAAa;IACb,aAAa;IACb,SAAS;IACT,MAAM;IACN,OAAO;IACP,OAAO;IACP,OAAO;IACP,MAAM;IACN,SAAS;IACT,UAAU;IACV,cAAc;IACd,QAAQ;IACR,aAAa;IACb,UAAU;IACV,UAAU;IACV,SAAS;IACT,KAAK;IACL,UAAU;IACV,yBAAyB;IACzB,uBAAuB;IACvB,UAAU;IACV,WAAW;IACX,SAAS;IACT,cAAc;IACd,MAAM;IACN,KAAK;IACL,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,MAAM;IACN,UAAU;IACV,IAAI;IACJ,WAAW;IACX,WAAW;IACX,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,MAAM;IACN,SAAS;IACT,MAAM;IACN,KAAK;IACL,KAAK;IACL,WAAW;IACX,OAAO;IACP,QAAQ;IACR,KAAK;IACL,WAAW;IACX,UAAU;IACV,OAAO;IACP,MAAM;IACN,OAAO;IACP,SAAS;IACT,YAAY;IACZ,QAAQ;IACR,MAAM;IACN,SAAS;IACT,SAAS;IACT,aAAa;IACb,aAAa;IACb,QAAQ;IACR,SAAS;IACT,SAAS;IACT,YAAY;IACZ,UAAU;IACV,KAAK;IACL,UAAU;IACV,KAAK;IACL,UAAU;IACV,MAAM;IACN,MAAM;IACN,SAAS;IACT,YAAY;IACZ,OAAO;IACP,UAAU;IACV,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,SAAS;IACT,OAAO;IACP,KAAK;IACL,QAAQ;IACR,MAAM;IACN,OAAO;IACP,SAAS;IACT,UAAU;IACV,OAAO;IACP,WAAW;IACX,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,OAAO;IACP,OAAO;IACP,MAAM;IACN,aAAa;IACb,WAAW;IACX,OAAO;IACP,QAAQ;IACR,eAAe;IACf,aAAa;IACb,gBAAgB;IAChB,kBAAkB;IAClB,QAAQ;IACR,cAAc;IACd,eAAe;CAClB,CAAC;AAEF,MAAM,QAAQ,GAAG;IACb,SAAS;IACT,eAAe;IACf,YAAY;IACZ,UAAU;IACV,oBAAoB;IACpB,QAAQ;IACR,eAAe;IACf,eAAe;IACf,SAAS;IACT,eAAe;IACf,gBAAgB;IAChB,OAAO;IACP,MAAM;IACN,IAAI;IACJ,OAAO;IACP,MAAM;IACN,eAAe;IACf,WAAW;IACX,WAAW;IACX,OAAO;IACP,qBAAqB;IACrB,6BAA6B;IAC7B,eAAe;IACf,iBAAiB;IACjB,IAAI;IACJ,IAAI;IACJ,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,iBAAiB;IACjB,WAAW;IACX,SAAS;IACT,SAAS;IACT,KAAK;IACL,UAAU;IACV,WAAW;IACX,KAAK;IACL,MAAM;IACN,cAAc;IACd,WAAW;IACX,QAAQ;IACR,aAAa;IACb,aAAa;IACb,eAAe;IACf,aAAa;IACb,WAAW;IACX,kBAAkB;IAClB,cAAc;IACd,YAAY;IACZ,cAAc;IACd,aAAa;IACb,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,YAAY;IACZ,UAAU;IACV,eAAe;IACf,mBAAmB;IACnB,QAAQ;IACR,MAAM;IACN,IAAI;IACJ,iBAAiB;IACjB,IAAI;IACJ,KAAK;IACL,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,SAAS;IACT,WAAW;IACX,YAAY;IACZ,UAAU;IACV,MAAM;IACN,cAAc;IACd,gBAAgB;IAChB,cAAc;IACd,kBAAkB;IAClB,gBAAgB;IAChB,O
AAO;IACP,YAAY;IACZ,YAAY;IACZ,cAAc;IACd,cAAc;IACd,aAAa;IACb,aAAa;IACb,kBAAkB;IAClB,WAAW;IACX,KAAK;IACL,MAAM;IACN,OAAO;IACP,QAAQ;IACR,MAAM;IACN,KAAK;IACL,MAAM;IACN,YAAY;IACZ,QAAQ;IACR,UAAU;IACV,SAAS;IACT,OAAO;IACP,QAAQ;IACR,aAAa;IACb,QAAQ;IACR,UAAU;IACV,aAAa;IACb,MAAM;IACN,YAAY;IACZ,qBAAqB;IACrB,kBAAkB;IAClB,cAAc;IACd,QAAQ;IACR,eAAe;IACf,qBAAqB;IACrB,gBAAgB;IAChB,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,QAAQ;IACR,MAAM;IACN,MAAM;IACN,aAAa;IACb,WAAW;IACX,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,MAAM;IACN,iBAAiB;IACjB,kBAAkB;IAClB,kBAAkB;IAClB,cAAc;IACd,aAAa;IACb,cAAc;IACd,aAAa;IACb,YAAY;IACZ,cAAc;IACd,kBAAkB;IAClB,mBAAmB;IACnB,gBAAgB;IAChB,iBAAiB;IACjB,mBAAmB;IACnB,gBAAgB;IAChB,QAAQ;IACR,cAAc;IACd,OAAO;IACP,cAAc;IACd,gBAAgB;IAChB,UAAU;IACV,SAAS;IACT,SAAS;IACT,WAAW;IACX,aAAa;IACb,iBAAiB;IACjB,gBAAgB;IAChB,YAAY;IACZ,MAAM;IACN,IAAI;IACJ,IAAI;IACJ,SAAS;IACT,QAAQ;IACR,SAAS;IACT,YAAY;IACZ,SAAS;IACT,YAAY;IACZ,eAAe;IACf,eAAe;IACf,OAAO;IACP,cAAc;IACd,MAAM;IACN,cAAc;IACd,kBAAkB;IAClB,kBAAkB;IAClB,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,OAAO;IACP,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,GAAG;IACH,YAAY;IACZ,MAAM;IACN,IAAI;IACJ,YAAY;IACZ,KAAK;CACR,CAAC;AAEF,MAAM,mBAAmB,mCAClB,mBAAS,CAAC,SAAS,KACtB,UAAU,EAAE,IAAI,GACnB,CAAC;AAEF,MAAM,YAAY,GAAG,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;AAE/C,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAC1B,IAAI,GAAG,CAAC,CAAC,GAAG,QAAQ,EAAE,GAAG,OAAO,EAAE,GAAG,uBAAY,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAC3E,CAAC;AACF,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,SAAS,EAAE,GAAG,QAAQ,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;AAE5F,2EAA2E;AAC3E,MAAM,iBAAiB,GAAG,CAAC,OAAe,EAAE,OAAmB,EAAO,EAAE;IACpE,MAAM,SAAS,GAAG,CAAC,IAAY,EAAE,EAAE;QAC/B,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE;YACtB,OAAO,IAAI,CAAC;SACf;aAAM;YACH,OAAO,IAAI,CAAC;SACf;IACL,CAAC,CAAC;IACF,MAAM,UAAU,GAAG,CAAC,KAAiB,EAAc,EAAE;QACjD,MAAM,eAAe,GAAG,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QAC/C,OAAO,MAAM,CAAC,WAAW,CACrB,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC;aAChB,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;YAClB,IAAI,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;gBAC/B,OAA
O,CAAC,GAAG,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;aAClC;YACD,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACxB,CAAC,CAAC;aACD,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,KAAK,KAAK,IAAI,CAAC,CAC9C,CAAC;IACN,CAAC,CAAC;IACF,OAAO;QACH,OAAO;QACP,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC;KAC/B,CAAC;AACN,CAAC,CAAC;AAOW,QAAA,mBAAmB,GAAG;IAC/B,uBAAuB,EAAE,KAAK;CACjC,CAAC;AAEW,QAAA,cAAc,mCACpB,uBAAY,CAAC,QAAQ,KACxB,WAAW,EACX,iBAAiB,kCACV,uBAAY,CAAC,QAAQ,CAAC,iBAAiB,KAC1C,GAAG,EAAE,iBAAiB,KAE1B,iCAAiC,EAAE;QAC/B,GAAG,uBAAY,CAAC,QAAQ,CAAC,iCAAiC;QAC1D,YAAY;QACZ,MAAM;QACN,IAAI;KACP,EACD,mBAAmB,EAAE,IAAI,EACzB,MAAM,EAAE,2BAAmB,EAC3B,YAAY,EAAE,mBAAmB,EACjC,aAAa,EAAE;QACX,GAAG,EAAE,iBAAiB;KACzB,IACH;AAEF,qBAAqB;AACrB,MAAM,iBAAiB,GACnB,+GAA+G,CAAC;AACpH,MAAM,cAAc,GAAG,iBAAiB,CAAC;AACzC,MAAM,gBAAgB,GAClB,iHAAiH,CAAC;AACtH,MAAM,UAAU,GAAG,kBAAkB,CAAC;AACtC,MAAM,cAAc,GAAG,eAAe,CAAC;AACvC,MAAM,cAAc,GAAG,mBAAmB,CAAC;AAC3C,MAAM,WAAW,GAAG,kCAAkC,CAAC;AACvD,MAAM,WAAW,GAAG,gBAAgB,CAAC,CAAC,0BAA0B;AAEhE,0FAA0F;AAC1F,MAAM,YAAY,GAAG,IAAI,MAAM,CAC3B;IACI,MAAM,CAAC,GAAG,CAAA,gDAAgD;IAC1D,MAAM,CAAC,GAAG,CAAA,8BAA8B,EAAE,iBAAiB;CAC9D,CAAC,IAAI,CAAC,GAAG,CAAC,EACX,GAAG,CACN,CAAC;AAEF,MAAM,wBAAwB,GAAG,sDAAsD,CAAC;AAExF,qEAAqE;AACrE,MAAM,YAAY,GAAG,iCAAiC,CAAC;AAEvD,4DAA4D;AAC5D,MAAM,SAAS,GAAG,IAAI,MAAM,CACxB;IACI,MAAM,CAAC,GAAG,CAAA,yBAAyB;IACnC,MAAM,CAAC,GAAG,CAAA,wBAAwB;IAClC,MAAM,CAAC,GAAG,CAAA,cAAc;IACxB,MAAM,CAAC,GAAG,CAAA,+BAA+B,EAAE,kDAAkD;CAChG,CAAC,IAAI,CAAC,GAAG,CAAC,EACX,GAAG,CACN,CAAC;AAEF,MAAM,YAAY,GAA2B;IACzC,EAAE,EAAE,GAAG;IACP,EAAE,EAAE,GAAG;IACP,IAAI,EAAE,GAAG;IACT,IAAI,EAAE,GAAG;IACT,GAAG,EAAE,GAAG;IACR,OAAO,EAAE,IAAI;IACb,GAAG,EAAE,IAAI;IACT,KAAK,EAAE,GAAG;IACV,GAAG,EAAE,GAAG;IACR,IAAI,EAAE,GAAG;IACT,IAAI,EAAE,GAAG;CACZ,CAAC;AAEF,4CAA4C;AAC5C,SAAS,WAAW,CAChB,KAAa,EACb,MAAe,EACf,OAAgB,EAChB,OAAgB,EAChB,KAAc;;IAEd,IAAI,MAAM,EAAE;QACR,OAAO,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;KAC1D;IACD,IAAI,OAAO,EAAE;QACT,OAAO,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,C
AAC,CAAC,CAAC;KAC3D;IACD,IAAI,OAAO,EAAE;QACT,OAAO,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;KAC3D;IACD,IAAI,KAAK,EAAE;QACP,MAAM,GAAG,GAAG,MAAA,YAAY,CAAC,KAAK,CAAC,mCAAI,YAAY,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;QACrE,IAAI,GAAG,EAAE;YACL,OAAO,GAAG,CAAC;SACd;KACJ;IACD,OAAO,KAAK,CAAC;AACjB,CAAC;AAED,gEAAgE;AAChE,SAAS,iBAAiB,CAAC,KAAa;IACpC,IAAI,UAAU,GAAG,MAAM,CAAC,KAAK,aAAL,KAAK,cAAL,KAAK,GAAI,EAAE,CAAC,CAAC;IAErC,iCAAiC;IACjC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE;QAChC,OAAO,UAAU,CAAC;KACrB;IAED,oEAAoE;IACpE,iDAAiD;IACjD,0DAA0D;IAC1D,UAAU,GAAG,UAAU;SAClB,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC;SACxB,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC;SACzB,OAAO,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IAErC,4DAA4D;IAC5D,IAAI;QACA,UAAU,GAAG,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;KAC7C;IAAC,OAAO,CAAC,EAAE;QACR,6DAA6D;KAChE;IAED,OAAO,UAAU,CAAC;AACtB,CAAC;AAED,iDAAiD;AACjD,SAAS,cAAc,CAAC,QAAgB,EAAE,KAAa;IACnD,MAAM,IAAI,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IACpC,MAAM,iBAAiB,GAAG,IAAI,KAAK,SAAS,CAAC;IAE7C,2DAA2D;IAC3D,MAAM,UAAU,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAE5C,qCAAqC;IACrC,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE;QAC5C,OAAO,IAAI,CAAC;KACf;IAED,mDAAmD;IACnD,MAAM,YAAY,GAAG,gBAAgB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAEvD,MAAM,iBAAiB,GAAG;QACtB,YAAY,IAAI,cAAc;QAC9B,CAAC,iBAAiB,IAAI,YAAY,IAAI,iBAAiB;QACvD,gBAAgB;QAChB,UAAU;QACV,cAAc;QACd,cAAc;QACd,WAAW,EAAE,gCAAgC;KAChD,CAAC,MAAM,CAAC,OAAO,CAAa,CAAC;IAE9B,OAAO,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;AAC1E,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAuB,EAAE,YAA0B;IAC1E,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC;IAE/B,SAAS,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE;QAC/B,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAEtC,IAAI;YACA,MAAM,SAAS,GAAG,aAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAEvC,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE;gBACvB,OAAO;aACV;YAED,SAAS,CAAC,UAAU,CAAC,KAAK,GAAG,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,CAC1D,CAAC,IAAc,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,KAAK,MAAM,CAC3C,CAAC;YAEF,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC
,OAAO,CAAC,CAAC,IAAc,EAAE,EAAE;gBAClD,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE;oBACpB,OAAO;iBACV;gBAED,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,WAA4B,EAAE,EAAE;oBAC1E,IAAI,CAAC,WAAW,CAAC,QAAQ,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE;wBAC7C,OAAO,KAAK,CAAC;qBAChB;oBAED,MAAM,IAAI,GAAG,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;oBACxD,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;oBAEtC,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE;wBAC5B,OAAO,KAAK,CAAC;qBAChB;oBAED,MAAM,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;oBAElD,IAAI,aAAa,EAAE;wBACf,WAAW,CAAC,KAAK,GAAG,mBAAS,CAAC,aAAa,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;qBAC1D;oBAED,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE;wBACpB,OAAO,KAAK,CAAC;qBAChB;oBAED,OAAO,aAAa,CAAC;gBACzB,CAAC,CAAC,CAAC;YACP,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,aAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC;SAC/C;QAAC,OAAO,KAAK,EAAE;YACZ,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;YAEtB,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,KAAK,EAAE,CAAC;YACzE,aAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;SAC1B;IACL,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAuB,EAAE,YAA0B;IAC3E,MAAM,OAAO,GAAG;QACZ,SAAS,EAAE,YAAY;KAC1B,CAAC;IACF,MAAM,YAAY,GAAG,IAAI,mBAAS,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAEtD,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE;QAC9B,MAAM,cAAc,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAElD,IAAI,CAAC,cAAc,EAAE;YACjB,OAAO;SACV;QAED,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAgB,cAAc,CAAC,IAAY,EAAE,OAAwB;IACjE,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,EAAE,CAAC;IAEhD,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAE7B,iBAAiB,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IACnC,kBAAkB,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAEpC,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;IACtC,MAAM,OAAO,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;IAEvC,OAAO,MAAM,GAAG,OAAO,CAAC;AAC5B,CAAC;AAZD,wCAYC;AAED,SAAgB,QAAQ,CACpB,IAAY,EACZ,OAAy
B,EACzB,iBAAmC;;IAEnC,MAAM,eAAe,GAAG,OAAO,IAAI,sBAAc,CAAC;IAElD,IAAI,iBAAiB,aAAjB,iBAAiB,uBAAjB,iBAAiB,CAAE,YAAY,EAAE;QACjC,eAAe,CAAC,YAAY,mCACrB,eAAe,CAAC,YAAY,GAC5B,iBAAiB,CAAC,YAAY,CACpC,CAAC;KACL;IAED,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAA,eAAe,CAAC,qBAAqB,mCAAI,KAAK,CAAC,CAAC;IAE/E,MAAM,YAAY,GAAG,oBAAoB,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAEzF,OAAO,IAAA,uBAAY,EAAC,YAAY,EAAE,eAAe,CAAC,CAAC;AACvD,CAAC;AAnBD,4BAmBC;AAED,kBAAe,QAAQ,CAAC"}
|
package/package.json
CHANGED
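--- a/package/src/js/code.ts
+++ b/package/src/js/code.ts
@@ -44,7 +44,7 @@ function buttonCopyFn(target: HTMLElement) {
 .map((node) => node.textContent)
 .join('');
 
-copyToClipboard(textContent).then(() => {
+copyToClipboard(textContent.trim()).then(() => {
 notifySuccess(parent.querySelector('.yfm-clipboard-icon'));
 
 setTimeout(() => target.blur(), 1500);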
@@ -563,6 +563,139 @@ export const defaultOptions: SanitizeOptions = {
|
|
|
563
563
|
},
|
|
564
564
|
};
|
|
565
565
|
|
|
566
|
+
// dangerous patterns
|
|
567
|
+
const DANGEROUS_TAGS_RE =
|
|
568
|
+
/<\s*(script|iframe|object|embed|svg|img|video|audio|link|meta|base|form|style|template|math|foreignobject)\b/i;
|
|
569
|
+
const CLOSE_STYLE_RE = /<\s*\/\s*style/i;
|
|
570
|
+
const DANGEROUS_URL_RE =
|
|
571
|
+
/url\s*\(\s*['"]?\s*(?:javascript:|vbscript:|data\s*:\s*(?:text\/html|application\/xhtml\+xml|image\/svg\+xml))/i;
|
|
572
|
+
const IE_EXPR_RE = /expression\s*\(/i;
|
|
573
|
+
const IE_BEHAVIOR_RE = /behavior\s*:/i;
|
|
574
|
+
const MOZ_BINDING_RE = /-moz-binding\s*:/i;
|
|
575
|
+
const AT_RULES_RE = /@(?:import|charset|namespace)\b/i;
|
|
576
|
+
const COMMENTS_RE = /\/\*[^]*?\*\//g; // CSS comments: /* ... */
|
|
577
|
+
|
|
578
|
+
// control characters (C0/C1) and BiDi override characters that can hide malicious content
|
|
579
|
+
const CTRL_BIDI_RE = new RegExp(
|
|
580
|
+
[
|
|
581
|
+
String.raw`[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]`, // C0/C1 controls
|
|
582
|
+
String.raw`[\u202A-\u202E\u2066-\u2069]`, // BiDi overrides
|
|
583
|
+
].join('|'),
|
|
584
|
+
'g',
|
|
585
|
+
);
|
|
586
|
+
|
|
587
|
+
const SAFE_VALUE_FAST_CHECK_RE = /[<&\\/]|@|url\s*\(|expression|behavior|-moz-binding/i;
|
|
588
|
+
|
|
589
|
+
// backslash (CSS escapes), ampersand (HTML entities), BiDi overrides
|
|
590
|
+
const FAST_PATH_RE = /[\\&\u202A-\u202E\u2066-\u2069]/;
|
|
591
|
+
|
|
592
|
+
// combined regex for decoding CSS escapes and HTML entities
|
|
593
|
+
const RE_DECODE = new RegExp(
|
|
594
|
+
[
|
|
595
|
+
String.raw`\\([0-9A-Fa-f]{1,6})\s?`, // CSS hex escapes: \41 or \000041 → 'A'
|
|
596
|
+
String.raw`&#x([0-9A-Fa-f]{1,6});`, // HTML hex entities: A or A → 'A'
|
|
597
|
+
String.raw`&#(\d{1,7});`, // HTML decimal entities: A → 'A'
|
|
598
|
+
String.raw`&([a-zA-Z][a-zA-Z0-9]{1,31});`, // HTML named entities: < or & → '<' or '&'
|
|
599
|
+
].join('|'),
|
|
600
|
+
'g',
|
|
601
|
+
);
|
|
602
|
+
|
|
603
|
+
const htmlEntities: Record<string, string> = {
|
|
604
|
+
lt: '<',
|
|
605
|
+
gt: '>',
|
|
606
|
+
quot: '"',
|
|
607
|
+
apos: "'",
|
|
608
|
+
amp: '&',
|
|
609
|
+
newline: '\n',
|
|
610
|
+
tab: '\t',
|
|
611
|
+
colon: ':',
|
|
612
|
+
sol: '/',
|
|
613
|
+
lpar: '(',
|
|
614
|
+
rpar: ')',
|
|
615
|
+
};
|
|
616
|
+
|
|
617
|
+
// Decodes a single escaped or encoded token
|
|
618
|
+
function decodeToken(
|
|
619
|
+
whole: string,
|
|
620
|
+
cssHex?: string,
|
|
621
|
+
htmlHex?: string,
|
|
622
|
+
htmlDec?: string,
|
|
623
|
+
named?: string,
|
|
624
|
+
): string {
|
|
625
|
+
if (cssHex) {
|
|
626
|
+
return String.fromCodePoint(parseInt(cssHex, 16) || 0);
|
|
627
|
+
}
|
|
628
|
+
if (htmlHex) {
|
|
629
|
+
return String.fromCodePoint(parseInt(htmlHex, 16) || 0);
|
|
630
|
+
}
|
|
631
|
+
if (htmlDec) {
|
|
632
|
+
return String.fromCodePoint(parseInt(htmlDec, 10) || 0);
|
|
633
|
+
}
|
|
634
|
+
if (named) {
|
|
635
|
+
const rep = htmlEntities[named] ?? htmlEntities[named.toLowerCase()];
|
|
636
|
+
if (rep) {
|
|
637
|
+
return rep;
|
|
638
|
+
}
|
|
639
|
+
}
|
|
640
|
+
return whole;
|
|
641
|
+
}
|
|
642
|
+
|
|
643
|
+
// Normalize CSS value by decoding HTML entities and CSS escapes
|
|
644
|
+
function normalizeCssValue(value: string): string {
|
|
645
|
+
let normalized = String(value ?? '');
|
|
646
|
+
|
|
647
|
+
// early-exit if no special chars
|
|
648
|
+
if (!FAST_PATH_RE.test(normalized)) {
|
|
649
|
+
return normalized;
|
|
650
|
+
}
|
|
651
|
+
|
|
652
|
+
// 1. remove CSS comments to prevent hiding escapes inside /* ... */
|
|
653
|
+
// 2. strip control characters and BiDi overrides
|
|
654
|
+
// 3. decode all CSS escapes and HTML entities in one pass
|
|
655
|
+
normalized = normalized
|
|
656
|
+
.replace(COMMENTS_RE, '')
|
|
657
|
+
.replace(CTRL_BIDI_RE, '')
|
|
658
|
+
.replace(RE_DECODE, decodeToken);
|
|
659
|
+
|
|
660
|
+
// unicode normalization (NFKC) to prevent homograph attacks
|
|
661
|
+
try {
|
|
662
|
+
normalized = normalized.normalize('NFKC');
|
|
663
|
+
} catch (_) {
|
|
664
|
+
// silent fail: logging the value could expose sensitive data
|
|
665
|
+
}
|
|
666
|
+
|
|
667
|
+
return normalized;
|
|
668
|
+
}
|
|
669
|
+
|
|
670
|
+
// checks if a CSS value is safe from XSS attacks
|
|
671
|
+
function isSafeCssValue(property: string, value: string): boolean {
|
|
672
|
+
const prop = property.toLowerCase();
|
|
673
|
+
const isContentProperty = prop === 'content';
|
|
674
|
+
|
|
675
|
+
// normalize first to prevent bypasses via comments/escapes
|
|
676
|
+
const normalized = normalizeCssValue(value);
|
|
677
|
+
|
|
678
|
+
// early-exit for trivial safe values
|
|
679
|
+
if (!SAFE_VALUE_FAST_CHECK_RE.test(normalized)) {
|
|
680
|
+
return true;
|
|
681
|
+
}
|
|
682
|
+
|
|
683
|
+
// сheck if normalized value looks like an HTML tag
|
|
684
|
+
const looksLikeTag = /<[^>]{0,128}>/i.test(normalized);
|
|
685
|
+
|
|
686
|
+
const dangerousPatterns = [
|
|
687
|
+
looksLikeTag && CLOSE_STYLE_RE, // </style> tag closure
|
|
688
|
+
!isContentProperty && looksLikeTag && DANGEROUS_TAGS_RE, // dangerous HTML tags
|
|
689
|
+
DANGEROUS_URL_RE, // javascript:, data:, vbscript: URLs
|
|
690
|
+
IE_EXPR_RE, // IE expression()
|
|
691
|
+
IE_BEHAVIOR_RE, // IE behavior:
|
|
692
|
+
MOZ_BINDING_RE, // FF -moz-binding
|
|
693
|
+
AT_RULES_RE, // @import, @charset, @namespace
|
|
694
|
+
].filter(Boolean) as RegExp[];
|
|
695
|
+
|
|
696
|
+
return !dangerousPatterns.some((pattern) => pattern.test(normalized));
|
|
697
|
+
}
|
|
698
|
+
|
|
566
699
|
function sanitizeStyleTags(dom: cheerio.CheerioAPI, cssWhiteList: CssWhiteList) {
|
|
567
700
|
const styleTags = dom('style');
|
|
568
701
|
|
|
@@ -590,13 +723,17 @@ function sanitizeStyleTags(dom: cheerio.CheerioAPI, cssWhiteList: CssWhiteList)
|
|
|
590
723
|
return false;
|
|
591
724
|
}
|
|
592
725
|
|
|
593
|
-
const
|
|
726
|
+
const prop = String(declaration.property).toLowerCase();
|
|
727
|
+
const val = String(declaration.value);
|
|
728
|
+
|
|
729
|
+
if (!isSafeCssValue(prop, val)) {
|
|
730
|
+
return false;
|
|
731
|
+
}
|
|
732
|
+
|
|
733
|
+
const isWhiteListed = Boolean(cssWhiteList[prop]);
|
|
594
734
|
|
|
595
735
|
if (isWhiteListed) {
|
|
596
|
-
declaration.value = cssfilter.safeAttrValue(
|
|
597
|
-
declaration.property,
|
|
598
|
-
declaration.value,
|
|
599
|
-
);
|
|
736
|
+
declaration.value = cssfilter.safeAttrValue(prop, val);
|
|
600
737
|
}
|
|
601
738
|
|
|
602
739
|
if (!declaration.value) {
|
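Review bot: The `looksLikeTag` gate at new line 684 of the first hunk, `/<[^>]{0,128}>/i`, stops matching once more than 128 characters sit between `<` and `>`, so a long closing or opening tag inside a declaration value skips both `CLOSE_STYLE_RE` and `DANGEROUS_TAGS_RE` (lines 687–688) even though an HTML tokenizer accepts tags of any length; since both patterns already begin with `<`, the gate only needs to be a cheap presence check, `const looksLikeTag = normalized.includes('<');`. Whether the later sanitize-html pass would still catch a value that escapes this check is outside the hunk, so the gate should not rely on it. Separately, `normalizeCssValue` strips `CTRL_BIDI_RE` before running `RE_DECODE` (lines 655–658), so a control or BiDi character that arrives as a CSS hex escape or HTML entity survives normalization; swapping the two `.replace` calls matches the intent stated in the comment at line 653. The comment at line 660 overstates what `normalize('NFKC')` does — it folds compatibility forms such as fullwidth letters and ligatures but not cross-script confusables — and could read `// NFKC: fold fullwidth/compatibility forms (does not fold cross-script look-alikes)`. The comment at line 683 itself begins with a Cyrillic `с` rather than ASCII `c`, which is worth correcting in a file whose job is normalising such characters.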