@diplodoc/transform 4.63.2 → 4.63.4

package/lib/sanitize.js

@@ -548,6 +548,109 @@ exports.defaultOptions = Object.assign(Object.assign({}, sanitize_html_1.default
     ], allowVulnerableTags: true, parser: exports.defaultParseOptions, cssWhiteList: defaultCssWhitelist, transformTags: {
         use: useTagTransformer,
     } });
+// dangerous patterns
+const DANGEROUS_TAGS_RE = /<\s*(script|iframe|object|embed|svg|img|video|audio|link|meta|base|form|style|template|math|foreignobject)\b/i;
+const CLOSE_STYLE_RE = /<\s*\/\s*style/i;
+const DANGEROUS_URL_RE = /url\s*\(\s*['"]?\s*(?:javascript:|vbscript:|data\s*:\s*(?:text\/html|application\/xhtml\+xml|image\/svg\+xml))/i;
+const IE_EXPR_RE = /expression\s*\(/i;
+const IE_BEHAVIOR_RE = /behavior\s*:/i;
+const MOZ_BINDING_RE = /-moz-binding\s*:/i;
+const AT_RULES_RE = /@(?:import|charset|namespace)\b/i;
+const COMMENTS_RE = /\/\*[^]*?\*\//g; // CSS comments: /* ... */
+// control characters (C0/C1) and BiDi override characters that can hide malicious content
+const CTRL_BIDI_RE = new RegExp([
+    String.raw `[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]`,
+    String.raw `[\u202A-\u202E\u2066-\u2069]`, // BiDi overrides
+].join('|'), 'g');
+const SAFE_VALUE_FAST_CHECK_RE = /[<&\\/]|@|url\s*\(|expression|behavior|-moz-binding/i;
+// backslash (CSS escapes), ampersand (HTML entities), BiDi overrides
+const FAST_PATH_RE = /[\\&\u202A-\u202E\u2066-\u2069]/;
+// combined regex for decoding CSS escapes and HTML entities
+const RE_DECODE = new RegExp([
+    String.raw `\\([0-9A-Fa-f]{1,6})\s?`,
+    String.raw `&#x([0-9A-Fa-f]{1,6});`,
+    String.raw `&#(\d{1,7});`,
+    String.raw `&([a-zA-Z][a-zA-Z0-9]{1,31});`, // HTML named entities: &lt; or &amp; → '<' or '&'
+].join('|'), 'g');
+const htmlEntities = {
+    lt: '<',
+    gt: '>',
+    quot: '"',
+    apos: "'",
+    amp: '&',
+    newline: '\n',
+    tab: '\t',
+    colon: ':',
+    sol: '/',
+    lpar: '(',
+    rpar: ')',
+};
+// Decodes a single escaped or encoded token
+function decodeToken(whole, cssHex, htmlHex, htmlDec, named) {
+    var _a;
+    if (cssHex) {
+        return String.fromCodePoint(parseInt(cssHex, 16) || 0);
+    }
+    if (htmlHex) {
+        return String.fromCodePoint(parseInt(htmlHex, 16) || 0);
+    }
+    if (htmlDec) {
+        return String.fromCodePoint(parseInt(htmlDec, 10) || 0);
+    }
+    if (named) {
+        const rep = (_a = htmlEntities[named]) !== null && _a !== void 0 ? _a : htmlEntities[named.toLowerCase()];
+        if (rep) {
+            return rep;
+        }
+    }
+    return whole;
+}
+// Normalize CSS value by decoding HTML entities and CSS escapes
+function normalizeCssValue(value) {
+    let normalized = String(value !== null && value !== void 0 ? value : '');
+    // early-exit if no special chars
+    if (!FAST_PATH_RE.test(normalized)) {
+        return normalized;
+    }
+    // 1. remove CSS comments to prevent hiding escapes inside /* ... */
+    // 2. strip control characters and BiDi overrides
+    // 3. decode all CSS escapes and HTML entities in one pass
+    normalized = normalized
+        .replace(COMMENTS_RE, '')
+        .replace(CTRL_BIDI_RE, '')
+        .replace(RE_DECODE, decodeToken);
+    // unicode normalization (NFKC) to prevent homograph attacks
+    try {
+        normalized = normalized.normalize('NFKC');
+    }
+    catch (_) {
+        // silent fail: logging the value could expose sensitive data
+    }
+    return normalized;
+}
+// checks if a CSS value is safe from XSS attacks
+function isSafeCssValue(property, value) {
+    const prop = property.toLowerCase();
+    const isContentProperty = prop === 'content';
+    // normalize first to prevent bypasses via comments/escapes
+    const normalized = normalizeCssValue(value);
+    // early-exit for trivial safe values
+    if (!SAFE_VALUE_FAST_CHECK_RE.test(normalized)) {
+        return true;
+    }
+    // сheck if normalized value looks like an HTML tag
+    const looksLikeTag = /<[^>]{0,128}>/i.test(normalized);
+    const dangerousPatterns = [
+        looksLikeTag && CLOSE_STYLE_RE,
+        !isContentProperty && looksLikeTag && DANGEROUS_TAGS_RE,
+        DANGEROUS_URL_RE,
+        IE_EXPR_RE,
+        IE_BEHAVIOR_RE,
+        MOZ_BINDING_RE,
+        AT_RULES_RE, // @import, @charset, @namespace
+    ].filter(Boolean);
+    return !dangerousPatterns.some((pattern) => pattern.test(normalized));
+}
 function sanitizeStyleTags(dom, cssWhiteList) {
     const styleTags = dom('style');
     styleTags.each((_index, element) => {
@@ -566,9 +669,14 @@ function sanitizeStyleTags(dom, cssWhiteList) {
                     if (!declaration.property || !declaration.value) {
                         return false;
                     }
-                    const isWhiteListed = cssWhiteList[declaration.property];
+                    const prop = String(declaration.property).toLowerCase();
+                    const val = String(declaration.value);
+                    if (!isSafeCssValue(prop, val)) {
+                        return false;
+                    }
+                    const isWhiteListed = Boolean(cssWhiteList[prop]);
                     if (isWhiteListed) {
-                        declaration.value = cssfilter_1.default.safeAttrValue(declaration.property, declaration.value);
+                        declaration.value = cssfilter_1.default.safeAttrValue(prop, val);
                     }
                     if (!declaration.value) {
                         return false;

package/lib/sanitize.js.map

@@ -1 +1 @@
-{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../src/transform/sanitize.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGA,kEAAyC;AACzC,aAAa;AACb,0DAAkC;AAClC,iDAAmC;AACnC,8CAAsB;AAEtB,gDAAwB;AAQxB,MAAM,QAAQ,GAAG;IACb,GAAG;IACH,MAAM;IACN,SAAS;IACT,SAAS;IACT,MAAM;IACN,SAAS;IACT,OAAO;IACP,OAAO;IACP,GAAG;IACH,KAAK;IACL,KAAK;IACL,KAAK;IACL,OAAO;IACP,YAAY;IACZ,MAAM;IACN,IAAI;IACJ,QAAQ;IACR,QAAQ;IACR,SAAS;IACT,QAAQ;IACR,MAAM;IACN,MAAM;IACN,KAAK;IACL,UAAU;IACV,SAAS;IACT,MAAM;IACN,UAAU;IACV,IAAI;IACJ,WAAW;IACX,KAAK;IACL,SAAS;IACT,KAAK;IACL,QAAQ;IACR,KAAK;IACL,KAAK;IACL,IAAI;IACJ,IAAI;IACJ,SAAS;IACT,IAAI;IACJ,UAAU;IACV,YAAY;IACZ,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,IAAI;IACJ,MAAM;IACN,GAAG;IACH,KAAK;IACL,OAAO;IACP,KAAK;IACL,KAAK;IACL,OAAO;IACP,QAAQ;IACR,IAAI;IACJ,MAAM;IACN,KAAK;IACL,MAAM;IACN,SAAS;IACT,MAAM;IACN,UAAU;IACV,OAAO;IACP,KAAK;IACL,MAAM;IACN,IAAI;IACJ,UAAU;IACV,QAAQ;IACR,QAAQ;IACR,GAAG;IACH,SAAS;IACT,KAAK;IACL,UAAU;IACV,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,MAAM;IACN,GAAG;IACH,MAAM;IACN,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,KAAK;IACL,SAAS;IACT,KAAK;IACL,OAAO;IACP,OAAO;IACP,IAAI;IACJ,UAAU;IACV,UAAU;IACV,OAAO;IACP,IAAI;IACJ,OAAO;IACP,MAAM;IACN,IAAI;IACJ,OAAO;IACP,IAAI;IACJ,GAAG;IACH,IAAI;IACJ,KAAK;IACL,OAAO;IACP,KAAK;IACL,QAAQ;IACR,OAAO;CACV,CAAC;AAEF,MAAM,OAAO,GAAG;IACZ,KAAK;IACL,UAAU;IACV,aAAa;IACb,cAAc;IACd,cAAc;IACd,eAAe;IACf,kBAAkB;IAClB,QAAQ;IACR,UAAU;IACV,MAAM;IACN,MAAM;IACN,SAAS;IACT,QAAQ;IACR,MAAM;IACN,GAAG;IACH,OAAO;IACP,UAAU;IACV,OAAO;IACP,OAAO;IACP,MAAM;IACN,gBAAgB;IAChB,QAAQ;IACR,MAAM;IACN,UAAU;IACV,OAAO;IACP,MAAM;IACN,SAAS;IACT,SAAS;IACT,UAAU;IACV,gBAAgB;IAChB,MAAM;IACN,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,UAAU;IACV,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,OAAO;IACP,SAAS;IACT,KAAK;CACR,CAAC;AAEF,MAAM,SAAS,GAAG;IACd,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,KAAK;IACL,gBAAgB;IAChB,cAAc;IACd,sBAAsB;IACtB,UAAU;IACV,YAAY;IACZ,SAAS;IACT,QAAQ;IACR,SAAS;IACT,aAAa;IACb,aAAa;IACb,SAAS;IACT,MAAM;IACN,OAAO;IACP,OAAO;IACP,OAAO;IACP,MAAM;IACN,SAAS;IACT,UAAU;IACV,cAAc;IACd,QAAQ;IACR,aAAa;IACb,UAAU;IACV,UAAU;IACV,SAAS;IACT,KAAK;IACL,UAAU;IACV,yBAAyB;IACzB,uBAAuB;IACvB,UAAU;IACV,WAAW;IACX,SAAS;IACT,cAAc;IACd,MAAM;IACN,KAAK;IACL,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,MAAM;IACN,UAAU;IACV,IAAI;IACJ,WAAW;IACX,WAAW;IACX,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,MAAM;IACN,SAAS;IACT,MAAM;IACN,KAAK;IACL,KAAK;IACL,WAAW;IACX,OAAO;IACP,QAAQ;IACR,KAAK;IACL,WAAW;IACX,UAAU;IACV,OAAO;IACP,MAAM;IACN,OAAO;IACP,SAAS;IACT,YAAY;IACZ,QAAQ;IACR,MAAM;IACN,SAAS;IACT,SAAS;IACT,aAAa;IACb,aAAa;IACb,QAAQ;IACR,SAAS;IACT,SAAS;IACT,YAAY;IACZ,UAAU;IACV,KAAK;IACL,UAAU;IACV,KAAK;IACL,UAAU;IACV,MAAM;IACN,MAAM;IACN,SAAS;IACT,YAAY;IACZ,OAAO;IACP,UAAU;IACV,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,SAAS;IACT,OAAO;IACP,KAAK;IACL,QAAQ;IACR,MAAM;IACN,OAAO;IACP,SAAS;IACT,UAAU;IACV,OAAO;IACP,WAAW;IACX,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,OAAO;IACP,OAAO;IACP,MAAM;IACN,aAAa;IACb,WAAW;IACX,OAAO;IACP,QAAQ;IACR,eAAe;IACf,aAAa;IACb,gBAAgB;IAChB,kBAAkB;IAClB,QAAQ;IACR,cAAc;IACd,eAAe;CAClB,CAAC;AAEF,MAAM,QAAQ,GAAG;IACb,SAAS;IACT,eAAe;IACf,YAAY;IACZ,UAAU;IACV,oBAAoB;IACpB,QAAQ;IACR,eAAe;IACf,eAAe;IACf,SAAS;IACT,eAAe;IACf,gBAAgB;IAChB,OAAO;IACP,MAAM;IACN,IAAI;IACJ,OAAO;IACP,MAAM;IACN,eAAe;IACf,WAAW;IACX,WAAW;IACX,OAAO;IACP,qBAAqB;IACrB,6BAA6B;IAC7B,eAAe;IACf,iBAAiB;IACjB,IAAI;IACJ,IAAI;IACJ,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,iBAAiB;IACjB,WAAW;IACX,SAAS;IACT,SAAS;IACT,KAAK;IACL,UAAU;IACV,WAAW;IACX,KAAK;IACL,MAAM;IACN,cAAc;IACd,WAAW;IACX,QAAQ;IACR,aAAa;IACb,aAAa;IACb,eAAe;IACf,aAAa;IACb,WAAW;IACX,kBAAkB;IAClB,cAAc;IACd,YAAY;IACZ,cAAc;IACd,aAAa;IACb,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,YAAY;IACZ,UAAU;IACV,eAAe;IACf,mBAAmB;IACnB,QAAQ;IACR,MAAM;IACN,IAAI;IACJ,iBAAiB;IACjB,IAAI;IACJ,KAAK;IACL,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,SAAS;IACT,WAAW;IACX,YAAY;IACZ,UAAU;IACV,MAAM;IACN,cAAc;IACd,gBAAgB;IAChB,cAAc;IACd,kBAAkB;IAClB,gBAAgB;IAChB,OAAO;IACP,YAAY;IACZ,YAAY;IACZ,cAAc;IACd,cAAc;IACd,aAAa;IACb,aAAa;IACb,kBAAkB;IAClB,WAAW;IACX,KAAK;IACL,MAAM;IACN,OAAO;IACP,QAAQ;IACR,MAAM;IACN,KAAK;IACL,MAAM;IACN,YAAY;IACZ,QAAQ;IACR,UAAU;IACV,SAAS;IACT,OAAO;IACP,QAAQ;IACR,aAAa;IACb,QAAQ;IACR,UAAU;IACV,aAAa;IACb,MAAM;IACN,YAAY;IACZ,qBAAqB;IACrB,kBAAkB;IAClB,cAAc;IACd,QAAQ;IACR,eAAe;IACf,qBAAqB;IACrB,gBAAgB;IAChB,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,QAAQ;IACR,MAAM;IACN,MAAM;IACN,aAAa;IACb,WAAW;IACX,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,MAAM;IACN,iBAAiB;IACjB,kBAAkB;IAClB,kBAAkB;IAClB,cAAc;IACd,aAAa;IACb,cAAc;IACd,aAAa;IACb,YAAY;IACZ,cAAc;IACd,kBAAkB;IAClB,mBAAmB;IACnB,gBAAgB;IAChB,iBAAiB;IACjB,mBAAmB;IACnB,gBAAgB;IAChB,QAAQ;IACR,cAAc;IACd,OAAO;IACP,cAAc;IACd,gBAAgB;IAChB,UAAU;IACV,SAAS;IACT,SAAS;IACT,WAAW;IACX,aAAa;IACb,iBAAiB;IACjB,gBAAgB;IAChB,YAAY;IACZ,MAAM;IACN,IAAI;IACJ,IAAI;IACJ,SAAS;IACT,QAAQ;IACR,SAAS;IACT,YAAY;IACZ,SAAS;IACT,YAAY;IACZ,eAAe;IACf,eAAe;IACf,OAAO;IACP,cAAc;IACd,MAAM;IACN,cAAc;IACd,kBAAkB;IAClB,kBAAkB;IAClB,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,OAAO;IACP,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,GAAG;IACH,YAAY;IACZ,MAAM;IACN,IAAI;IACJ,YAAY;IACZ,KAAK;CACR,CAAC;AAEF,MAAM,mBAAmB,mCAClB,mBAAS,CAAC,SAAS,KACtB,UAAU,EAAE,IAAI,GACnB,CAAC;AAEF,MAAM,YAAY,GAAG,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;AAE/C,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAC1B,IAAI,GAAG,CAAC,CAAC,GAAG,QAAQ,EAAE,GAAG,OAAO,EAAE,GAAG,uBAAY,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAC3E,CAAC;AACF,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,SAAS,EAAE,GAAG,QAAQ,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;AAE5F,2EAA2E;AAC3E,MAAM,iBAAiB,GAAG,CAAC,OAAe,EAAE,OAAmB,EAAO,EAAE;IACpE,MAAM,SAAS,GAAG,CAAC,IAAY,EAAE,EAAE;QAC/B,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE;YACtB,OAAO,IAAI,CAAC;SACf;aAAM;YACH,OAAO,IAAI,CAAC;SACf;IACL,CAAC,CAAC;IACF,MAAM,UAAU,GAAG,CAAC,KAAiB,EAAc,EAAE;QACjD,MAAM,eAAe,GAAG,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QAC/C,OAAO,MAAM,CAAC,WAAW,CACrB,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC;aAChB,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;YAClB,IAAI,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;gBAC/B,OAAO,CAAC,GAAG,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;aAClC;YACD,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACxB,CAAC,CAAC;aACD,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,KAAK,KAAK,IAAI,CAAC,CAC9C,CAAC;IACN,CAAC,CAAC;IACF,OAAO;QACH,OAAO;QACP,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC;KAC/B,CAAC;AACN,CAAC,CAAC;AAOW,QAAA,mBAAmB,GAAG;IAC/B,uBAAuB,EAAE,KAAK;CACjC,CAAC;AAEW,QAAA,cAAc,mCACpB,uBAAY,CAAC,QAAQ,KACxB,WAAW,EACX,iBAAiB,kCACV,uBAAY,CAAC,QAAQ,CAAC,iBAAiB,KAC1C,GAAG,EAAE,iBAAiB,KAE1B,iCAAiC,EAAE;QAC/B,GAAG,uBAAY,CAAC,QAAQ,CAAC,iCAAiC;QAC1D,YAAY;QACZ,MAAM;QACN,IAAI;KACP,EACD,mBAAmB,EAAE,IAAI,EACzB,MAAM,EAAE,2BAAmB,EAC3B,YAAY,EAAE,mBAAmB,EACjC,aAAa,EAAE;QACX,GAAG,EAAE,iBAAiB;KACzB,IACH;AAEF,SAAS,iBAAiB,CAAC,GAAuB,EAAE,YAA0B;IAC1E,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC;IAE/B,SAAS,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE;QAC/B,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAEtC,IAAI;YACA,MAAM,SAAS,GAAG,aAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAEvC,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE;gBACvB,OAAO;aACV;YAED,SAAS,CAAC,UAAU,CAAC,KAAK,GAAG,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,CAC1D,CAAC,IAAc,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,KAAK,MAAM,CAC3C,CAAC;YAEF,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAc,EAAE,EAAE;gBAClD,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE;oBACpB,OAAO;iBACV;gBAED,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,WAA4B,EAAE,EAAE;oBAC1E,IAAI,CAAC,WAAW,CAAC,QAAQ,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE;wBAC7C,OAAO,KAAK,CAAC;qBAChB;oBAED,MAAM,aAAa,GAAG,YAAY,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;oBAEzD,IAAI,aAAa,EAAE;wBACf,WAAW,CAAC,KAAK,GAAG,mBAAS,CAAC,aAAa,CACvC,WAAW,CAAC,QAAQ,EACpB,WAAW,CAAC,KAAK,CACpB,CAAC;qBACL;oBAED,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE;wBACpB,OAAO,KAAK,CAAC;qBAChB;oBAED,OAAO,aAAa,CAAC;gBACzB,CAAC,CAAC,CAAC;YACP,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,aAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC;SAC/C;QAAC,OAAO,KAAK,EAAE;YACZ,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;YAEtB,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,KAAK,EAAE,CAAC;YACzE,aAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;SAC1B;IACL,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAuB,EAAE,YAA0B;IAC3E,MAAM,OAAO,GAAG;QACZ,SAAS,EAAE,YAAY;KAC1B,CAAC;IACF,MAAM,YAAY,GAAG,IAAI,mBAAS,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAEtD,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE;QAC9B,MAAM,cAAc,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAElD,IAAI,CAAC,cAAc,EAAE;YACjB,OAAO;SACV;QAED,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAgB,cAAc,CAAC,IAAY,EAAE,OAAwB;IACjE,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,EAAE,CAAC;IAEhD,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAE7B,iBAAiB,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IACnC,kBAAkB,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAEpC,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;IACtC,MAAM,OAAO,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;IAEvC,OAAO,MAAM,GAAG,OAAO,CAAC;AAC5B,CAAC;AAZD,wCAYC;AAED,SAAgB,QAAQ,CACpB,IAAY,EACZ,OAAyB,EACzB,iBAAmC;;IAEnC,MAAM,eAAe,GAAG,OAAO,IAAI,sBAAc,CAAC;IAElD,IAAI,iBAAiB,aAAjB,iBAAiB,uBAAjB,iBAAiB,CAAE,YAAY,EAAE;QACjC,eAAe,CAAC,YAAY,mCACrB,eAAe,CAAC,YAAY,GAC5B,iBAAiB,CAAC,YAAY,CACpC,CAAC;KACL;IAED,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAA,eAAe,CAAC,qBAAqB,mCAAI,KAAK,CAAC,CAAC;IAE/E,MAAM,YAAY,GAAG,oBAAoB,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAEzF,OAAO,IAAA,uBAAY,EAAC,YAAY,EAAE,eAAe,CAAC,CAAC;AACvD,CAAC;AAnBD,4BAmBC;AAED,kBAAe,QAAQ,CAAC"}
+{"version":3,"file":"sanitize.js","sourceRoot":"","sources":["../src/transform/sanitize.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGA,kEAAyC;AACzC,aAAa;AACb,0DAAkC;AAClC,iDAAmC;AACnC,8CAAsB;AAEtB,gDAAwB;AAQxB,MAAM,QAAQ,GAAG;IACb,GAAG;IACH,MAAM;IACN,SAAS;IACT,SAAS;IACT,MAAM;IACN,SAAS;IACT,OAAO;IACP,OAAO;IACP,GAAG;IACH,KAAK;IACL,KAAK;IACL,KAAK;IACL,OAAO;IACP,YAAY;IACZ,MAAM;IACN,IAAI;IACJ,QAAQ;IACR,QAAQ;IACR,SAAS;IACT,QAAQ;IACR,MAAM;IACN,MAAM;IACN,KAAK;IACL,UAAU;IACV,SAAS;IACT,MAAM;IACN,UAAU;IACV,IAAI;IACJ,WAAW;IACX,KAAK;IACL,SAAS;IACT,KAAK;IACL,QAAQ;IACR,KAAK;IACL,KAAK;IACL,IAAI;IACJ,IAAI;IACJ,SAAS;IACT,IAAI;IACJ,UAAU;IACV,YAAY;IACZ,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,IAAI;IACJ,MAAM;IACN,GAAG;IACH,KAAK;IACL,OAAO;IACP,KAAK;IACL,KAAK;IACL,OAAO;IACP,QAAQ;IACR,IAAI;IACJ,MAAM;IACN,KAAK;IACL,MAAM;IACN,SAAS;IACT,MAAM;IACN,UAAU;IACV,OAAO;IACP,KAAK;IACL,MAAM;IACN,IAAI;IACJ,UAAU;IACV,QAAQ;IACR,QAAQ;IACR,GAAG;IACH,SAAS;IACT,KAAK;IACL,UAAU;IACV,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,MAAM;IACN,GAAG;IACH,MAAM;IACN,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,KAAK;IACL,SAAS;IACT,KAAK;IACL,OAAO;IACP,OAAO;IACP,IAAI;IACJ,UAAU;IACV,UAAU;IACV,OAAO;IACP,IAAI;IACJ,OAAO;IACP,MAAM;IACN,IAAI;IACJ,OAAO;IACP,IAAI;IACJ,GAAG;IACH,IAAI;IACJ,KAAK;IACL,OAAO;IACP,KAAK;IACL,QAAQ;IACR,OAAO;CACV,CAAC;AAEF,MAAM,OAAO,GAAG;IACZ,KAAK;IACL,UAAU;IACV,aAAa;IACb,cAAc;IACd,cAAc;IACd,eAAe;IACf,kBAAkB;IAClB,QAAQ;IACR,UAAU;IACV,MAAM;IACN,MAAM;IACN,SAAS;IACT,QAAQ;IACR,MAAM;IACN,GAAG;IACH,OAAO;IACP,UAAU;IACV,OAAO;IACP,OAAO;IACP,MAAM;IACN,gBAAgB;IAChB,QAAQ;IACR,MAAM;IACN,UAAU;IACV,OAAO;IACP,MAAM;IACN,SAAS;IACT,SAAS;IACT,UAAU;IACV,gBAAgB;IAChB,MAAM;IACN,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,UAAU;IACV,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,OAAO;IACP,SAAS;IACT,KAAK;CACR,CAAC;AAEF,MAAM,SAAS,GAAG;IACd,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,KAAK;IACL,gBAAgB;IAChB,cAAc;IACd,sBAAsB;IACtB,UAAU;IACV,YAAY;IACZ,SAAS;IACT,QAAQ;IACR,SAAS;IACT,aAAa;IACb,aAAa;IACb,SAAS;IACT,MAAM;IACN,OAAO;IACP,OAAO;IACP,OAAO;IACP,MAAM;IACN,SAAS;IACT,UAAU;IACV,cAAc;IACd,QAAQ;IACR,aAAa;IACb,UAAU;IACV,UAAU;IACV,SAAS;IACT,KAAK;IACL,UAAU;IACV,yBAAyB;IACzB,uBAAuB;IACvB,UAAU;IACV,WAAW;IACX,SAAS;IACT,cAAc;IACd,MAAM;IACN,KAAK;IACL,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,MAAM;IACN,UAAU;IACV,IAAI;IACJ,WAAW;IACX,WAAW;IACX,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,MAAM;IACN,SAAS;IACT,MAAM;IACN,KAAK;IACL,KAAK;IACL,WAAW;IACX,OAAO;IACP,QAAQ;IACR,KAAK;IACL,WAAW;IACX,UAAU;IACV,OAAO;IACP,MAAM;IACN,OAAO;IACP,SAAS;IACT,YAAY;IACZ,QAAQ;IACR,MAAM;IACN,SAAS;IACT,SAAS;IACT,aAAa;IACb,aAAa;IACb,QAAQ;IACR,SAAS;IACT,SAAS;IACT,YAAY;IACZ,UAAU;IACV,KAAK;IACL,UAAU;IACV,KAAK;IACL,UAAU;IACV,MAAM;IACN,MAAM;IACN,SAAS;IACT,YAAY;IACZ,OAAO;IACP,UAAU;IACV,OAAO;IACP,MAAM;IACN,OAAO;IACP,MAAM;IACN,SAAS;IACT,OAAO;IACP,KAAK;IACL,QAAQ;IACR,MAAM;IACN,OAAO;IACP,SAAS;IACT,UAAU;IACV,OAAO;IACP,WAAW;IACX,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,OAAO;IACP,OAAO;IACP,MAAM;IACN,aAAa;IACb,WAAW;IACX,OAAO;IACP,QAAQ;IACR,eAAe;IACf,aAAa;IACb,gBAAgB;IAChB,kBAAkB;IAClB,QAAQ;IACR,cAAc;IACd,eAAe;CAClB,CAAC;AAEF,MAAM,QAAQ,GAAG;IACb,SAAS;IACT,eAAe;IACf,YAAY;IACZ,UAAU;IACV,oBAAoB;IACpB,QAAQ;IACR,eAAe;IACf,eAAe;IACf,SAAS;IACT,eAAe;IACf,gBAAgB;IAChB,OAAO;IACP,MAAM;IACN,IAAI;IACJ,OAAO;IACP,MAAM;IACN,eAAe;IACf,WAAW;IACX,WAAW;IACX,OAAO;IACP,qBAAqB;IACrB,6BAA6B;IAC7B,eAAe;IACf,iBAAiB;IACjB,IAAI;IACJ,IAAI;IACJ,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,iBAAiB;IACjB,WAAW;IACX,SAAS;IACT,SAAS;IACT,KAAK;IACL,UAAU;IACV,WAAW;IACX,KAAK;IACL,MAAM;IACN,cAAc;IACd,WAAW;IACX,QAAQ;IACR,aAAa;IACb,aAAa;IACb,eAAe;IACf,aAAa;IACb,WAAW;IACX,kBAAkB;IAClB,cAAc;IACd,YAAY;IACZ,cAAc;IACd,aAAa;IACb,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,YAAY;IACZ,UAAU;IACV,eAAe;IACf,mBAAmB;IACnB,QAAQ;IACR,MAAM;IACN,IAAI;IACJ,iBAAiB;IACjB,IAAI;IACJ,KAAK;IACL,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,SAAS;IACT,WAAW;IACX,YAAY;IACZ,UAAU;IACV,MAAM;IACN,cAAc;IACd,gBAAgB;IAChB,cAAc;IACd,kBAAkB;IAClB,gBAAgB;IAChB,OAAO;IACP,YAAY;IACZ,YAAY;IACZ,cAAc;IACd,cAAc;IACd,aAAa;IACb,aAAa;IACb,kBAAkB;IAClB,WAAW;IACX,KAAK;IACL,MAAM;IACN,OAAO;IACP,QAAQ;IACR,MAAM;IACN,KAAK;IACL,MAAM;IACN,YAAY;IACZ,QAAQ;IACR,UAAU;IACV,SAAS;IACT,OAAO;IACP,QAAQ;IACR,aAAa;IACb,QAAQ;IACR,UAAU;IACV,aAAa;IACb,MAAM;IACN,YAAY;IACZ,qBAAqB;IACrB,kBAAkB;IAClB,cAAc;IACd,QAAQ;IACR,eAAe;IACf,qBAAqB;IACrB,gBAAgB;IAChB,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,QAAQ;IACR,MAAM;IACN,MAAM;IACN,aAAa;IACb,WAAW;IACX,SAAS;IACT,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,MAAM;IACN,iBAAiB;IACjB,kBAAkB;IAClB,kBAAkB;IAClB,cAAc;IACd,aAAa;IACb,cAAc;IACd,aAAa;IACb,YAAY;IACZ,cAAc;IACd,kBAAkB;IAClB,mBAAmB;IACnB,gBAAgB;IAChB,iBAAiB;IACjB,mBAAmB;IACnB,gBAAgB;IAChB,QAAQ;IACR,cAAc;IACd,OAAO;IACP,cAAc;IACd,gBAAgB;IAChB,UAAU;IACV,SAAS;IACT,SAAS;IACT,WAAW;IACX,aAAa;IACb,iBAAiB;IACjB,gBAAgB;IAChB,YAAY;IACZ,MAAM;IACN,IAAI;IACJ,IAAI;IACJ,SAAS;IACT,QAAQ;IACR,SAAS;IACT,YAAY;IACZ,SAAS;IACT,YAAY;IACZ,eAAe;IACf,eAAe;IACf,OAAO;IACP,cAAc;IACd,MAAM;IACN,cAAc;IACd,kBAAkB;IAClB,kBAAkB;IAClB,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,OAAO;IACP,GAAG;IACH,IAAI;IACJ,IAAI;IACJ,GAAG;IACH,YAAY;IACZ,MAAM;IACN,IAAI;IACJ,YAAY;IACZ,KAAK;CACR,CAAC;AAEF,MAAM,mBAAmB,mCAClB,mBAAS,CAAC,SAAS,KACtB,UAAU,EAAE,IAAI,GACnB,CAAC;AAEF,MAAM,YAAY,GAAG,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;AAE/C,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAC1B,IAAI,GAAG,CAAC,CAAC,GAAG,QAAQ,EAAE,GAAG,OAAO,EAAE,GAAG,uBAAY,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAC3E,CAAC;AACF,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,SAAS,EAAE,GAAG,QAAQ,EAAE,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;AAE5F,2EAA2E;AAC3E,MAAM,iBAAiB,GAAG,CAAC,OAAe,EAAE,OAAmB,EAAO,EAAE;IACpE,MAAM,SAAS,GAAG,CAAC,IAAY,EAAE,EAAE;QAC/B,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE;YACtB,OAAO,IAAI,CAAC;SACf;aAAM;YACH,OAAO,IAAI,CAAC;SACf;IACL,CAAC,CAAC;IACF,MAAM,UAAU,GAAG,CAAC,KAAiB,EAAc,EAAE;QACjD,MAAM,eAAe,GAAG,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;QAC/C,OAAO,MAAM,CAAC,WAAW,CACrB,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC;aAChB,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;YAClB,IAAI,eAAe,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE;gBAC/B,OAAO,CAAC,GAAG,EAAE,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;aAClC;YACD,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACxB,CAAC,CAAC;aACD,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,KAAK,KAAK,IAAI,CAAC,CAC9C,CAAC;IACN,CAAC,CAAC;IACF,OAAO;QACH,OAAO;QACP,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC;KAC/B,CAAC;AACN,CAAC,CAAC;AAOW,QAAA,mBAAmB,GAAG;IAC/B,uBAAuB,EAAE,KAAK;CACjC,CAAC;AAEW,QAAA,cAAc,mCACpB,uBAAY,CAAC,QAAQ,KACxB,WAAW,EACX,iBAAiB,kCACV,uBAAY,CAAC,QAAQ,CAAC,iBAAiB,KAC1C,GAAG,EAAE,iBAAiB,KAE1B,iCAAiC,EAAE;QAC/B,GAAG,uBAAY,CAAC,QAAQ,CAAC,iCAAiC;QAC1D,YAAY;QACZ,MAAM;QACN,IAAI;KACP,EACD,mBAAmB,EAAE,IAAI,EACzB,MAAM,EAAE,2BAAmB,EAC3B,YAAY,EAAE,mBAAmB,EACjC,aAAa,EAAE;QACX,GAAG,EAAE,iBAAiB;KACzB,IACH;AAEF,qBAAqB;AACrB,MAAM,iBAAiB,GACnB,+GAA+G,CAAC;AACpH,MAAM,cAAc,GAAG,iBAAiB,CAAC;AACzC,MAAM,gBAAgB,GAClB,iHAAiH,CAAC;AACtH,MAAM,UAAU,GAAG,kBAAkB,CAAC;AACtC,MAAM,cAAc,GAAG,eAAe,CAAC;AACvC,MAAM,cAAc,GAAG,mBAAmB,CAAC;AAC3C,MAAM,WAAW,GAAG,kCAAkC,CAAC;AACvD,MAAM,WAAW,GAAG,gBAAgB,CAAC,CAAC,0BAA0B;AAEhE,0FAA0F;AAC1F,MAAM,YAAY,GAAG,IAAI,MAAM,CAC3B;IACI,MAAM,CAAC,GAAG,CAAA,gDAAgD;IAC1D,MAAM,CAAC,GAAG,CAAA,8BAA8B,EAAE,iBAAiB;CAC9D,CAAC,IAAI,CAAC,GAAG,CAAC,EACX,GAAG,CACN,CAAC;AAEF,MAAM,wBAAwB,GAAG,sDAAsD,CAAC;AAExF,qEAAqE;AACrE,MAAM,YAAY,GAAG,iCAAiC,CAAC;AAEvD,4DAA4D;AAC5D,MAAM,SAAS,GAAG,IAAI,MAAM,CACxB;IACI,MAAM,CAAC,GAAG,CAAA,yBAAyB;IACnC,MAAM,CAAC,GAAG,CAAA,wBAAwB;IAClC,MAAM,CAAC,GAAG,CAAA,cAAc;IACxB,MAAM,CAAC,GAAG,CAAA,+BAA+B,EAAE,kDAAkD;CAChG,CAAC,IAAI,CAAC,GAAG,CAAC,EACX,GAAG,CACN,CAAC;AAEF,MAAM,YAAY,GAA2B;IACzC,EAAE,EAAE,GAAG;IACP,EAAE,EAAE,GAAG;IACP,IAAI,EAAE,GAAG;IACT,IAAI,EAAE,GAAG;IACT,GAAG,EAAE,GAAG;IACR,OAAO,EAAE,IAAI;IACb,GAAG,EAAE,IAAI;IACT,KAAK,EAAE,GAAG;IACV,GAAG,EAAE,GAAG;IACR,IAAI,EAAE,GAAG;IACT,IAAI,EAAE,GAAG;CACZ,CAAC;AAEF,4CAA4C;AAC5C,SAAS,WAAW,CAChB,KAAa,EACb,MAAe,EACf,OAAgB,EAChB,OAAgB,EAChB,KAAc;;IAEd,IAAI,MAAM,EAAE;QACR,OAAO,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;KAC1D;IACD,IAAI,OAAO,EAAE;QACT,OAAO,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;KAC3D;IACD,IAAI,OAAO,EAAE;QACT,OAAO,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;KAC3D;IACD,IAAI,KAAK,EAAE;QACP,MAAM,GAAG,GAAG,MAAA,YAAY,CAAC,KAAK,CAAC,mCAAI,YAAY,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;QACrE,IAAI,GAAG,EAAE;YACL,OAAO,GAAG,CAAC;SACd;KACJ;IACD,OAAO,KAAK,CAAC;AACjB,CAAC;AAED,gEAAgE;AAChE,SAAS,iBAAiB,CAAC,KAAa;IACpC,IAAI,UAAU,GAAG,MAAM,CAAC,KAAK,aAAL,KAAK,cAAL,KAAK,GAAI,EAAE,CAAC,CAAC;IAErC,iCAAiC;IACjC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE;QAChC,OAAO,UAAU,CAAC;KACrB;IAED,oEAAoE;IACpE,iDAAiD;IACjD,0DAA0D;IAC1D,UAAU,GAAG,UAAU;SAClB,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC;SACxB,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC;SACzB,OAAO,CAAC,SAAS,EAAE,WAAW,CAAC,CAAC;IAErC,4DAA4D;IAC5D,IAAI;QACA,UAAU,GAAG,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;KAC7C;IAAC,OAAO,CAAC,EAAE;QACR,6DAA6D;KAChE;IAED,OAAO,UAAU,CAAC;AACtB,CAAC;AAED,iDAAiD;AACjD,SAAS,cAAc,CAAC,QAAgB,EAAE,KAAa;IACnD,MAAM,IAAI,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IACpC,MAAM,iBAAiB,GAAG,IAAI,KAAK,SAAS,CAAC;IAE7C,2DAA2D;IAC3D,MAAM,UAAU,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAE5C,qCAAqC;IACrC,IAAI,CAAC,wBAAwB,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE;QAC5C,OAAO,IAAI,CAAC;KACf;IAED,mDAAmD;IACnD,MAAM,YAAY,GAAG,gBAAgB,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAEvD,MAAM,iBAAiB,GAAG;QACtB,YAAY,IAAI,cAAc;QAC9B,CAAC,iBAAiB,IAAI,YAAY,IAAI,iBAAiB;QACvD,gBAAgB;QAChB,UAAU;QACV,cAAc;QACd,cAAc;QACd,WAAW,EAAE,gCAAgC;KAChD,CAAC,MAAM,CAAC,OAAO,CAAa,CAAC;IAE9B,OAAO,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;AAC1E,CAAC;AAED,SAAS,iBAAiB,CAAC,GAAuB,EAAE,YAA0B;IAC1E,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC;IAE/B,SAAS,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE;QAC/B,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAEtC,IAAI;YACA,MAAM,SAAS,GAAG,aAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;YAEvC,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE;gBACvB,OAAO;aACV;YAED,SAAS,CAAC,UAAU,CAAC,KAAK,GAAG,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,CAC1D,CAAC,IAAc,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,KAAK,MAAM,CAC3C,CAAC;YAEF,SAAS,CAAC,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAc,EAAE,EAAE;gBAClD,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE;oBACpB,OAAO;iBACV;gBAED,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,WAA4B,EAAE,EAAE;oBAC1E,IAAI,CAAC,WAAW,CAAC,QAAQ,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE;wBAC7C,OAAO,KAAK,CAAC;qBAChB;oBAED,MAAM,IAAI,GAAG,MAAM,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;oBACxD,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC;oBAEtC,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE;wBAC5B,OAAO,KAAK,CAAC;qBAChB;oBAED,MAAM,aAAa,GAAG,OAAO,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC;oBAElD,IAAI,aAAa,EAAE;wBACf,WAAW,CAAC,KAAK,GAAG,mBAAS,CAAC,aAAa,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;qBAC1D;oBAED,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE;wBACpB,OAAO,KAAK,CAAC;qBAChB;oBAED,OAAO,aAAa,CAAC;gBACzB,CAAC,CAAC,CAAC;YACP,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,aAAG,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,CAAC;SAC/C;QAAC,OAAO,KAAK,EAAE;YACZ,GAAG,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC;YAEtB,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,KAAK,EAAE,CAAC;YACzE,aAAG,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;SAC1B;IACL,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAS,kBAAkB,CAAC,GAAuB,EAAE,YAA0B;IAC3E,MAAM,OAAO,GAAG;QACZ,SAAS,EAAE,YAAY;KAC1B,CAAC;IACF,MAAM,YAAY,GAAG,IAAI,mBAAS,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAEtD,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,EAAE;QAC9B,MAAM,cAAc,GAAG,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAElD,IAAI,CAAC,cAAc,EAAE;YACjB,OAAO;SACV;QAED,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;AACP,CAAC;AAED,SAAgB,cAAc,CAAC,IAAY,EAAE,OAAwB;IACjE,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,EAAE,CAAC;IAEhD,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAE7B,iBAAiB,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IACnC,kBAAkB,CAAC,CAAC,EAAE,YAAY,CAAC,CAAC;IAEpC,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;IACtC,MAAM,OAAO,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC;IAEvC,OAAO,MAAM,GAAG,OAAO,CAAC;AAC5B,CAAC;AAZD,wCAYC;AAED,SAAgB,QAAQ,CACpB,IAAY,EACZ,OAAyB,EACzB,iBAAmC;;IAEnC,MAAM,eAAe,GAAG,OAAO,IAAI,sBAAc,CAAC;IAElD,IAAI,iBAAiB,aAAjB,iBAAiB,uBAAjB,iBAAiB,CAAE,YAAY,EAAE;QACjC,eAAe,CAAC,YAAY,mCACrB,eAAe,CAAC,YAAY,GAC5B,iBAAiB,CAAC,YAAY,CACpC,CAAC;KACL;IAED,MAAM,oBAAoB,GAAG,CAAC,CAAC,MAAA,eAAe,CAAC,qBAAqB,mCAAI,KAAK,CAAC,CAAC;IAE/E,MAAM,YAAY,GAAG,oBAAoB,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,EAAE,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAEzF,OAAO,IAAA,uBAAY,EAAC,YAAY,EAAE,eAAe,CAAC,CAAC;AACvD,CAAC;AAnBD,4BAmBC;AAED,kBAAe,QAAQ,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@diplodoc/transform",
-  "version": "4.63.2",
+  "version": "4.63.4",
   "description": "A simple transformer of text in YFM (Yandex Flavored Markdown) to HTML",
   "keywords": [
     "markdown",

package/src/js/code.ts

@@ -44,7 +44,7 @@ function buttonCopyFn(target: HTMLElement) {
         .map((node) => node.textContent)
         .join('');
 
-    copyToClipboard(textContent).then(() => {
+    copyToClipboard(textContent.trim()).then(() => {
         notifySuccess(parent.querySelector('.yfm-clipboard-icon'));
 
         setTimeout(() => target.blur(), 1500);

package/src/transform/plugins/images/index.ts

@@ -141,7 +141,7 @@ function replaceSvgContent(content: string, options: ImageOptions) {
     content = content.replace(/\n/g, '');
 
     // width, height
-    let svgRoot = content.replace(/<svg([^>]*)>.*/g, '$1');
+    let svgRoot = content.replace(/.*?<svg([^>]*)>.*/g, '$1');
 
     const {width, height} = svgRoot
         .match(/(?:width="(.*?)")|(?:height="(.*?)")/g)
@@ -160,7 +160,7 @@ function replaceSvgContent(content: string, options: ImageOptions) {
         svgRoot = `${svgRoot} height="${sanitizedHeight}"`;
     }
     if ((!width && options.width) || (!height && options.height)) {
-        content = content.replace(/<svg([^>]*)>/, `<svg${svgRoot}>`);
+        content = content.replace(/.*?<svg([^>]*)>/, `<svg${svgRoot}>`);
     }
 
     // randomize ids

package/src/transform/sanitize.ts

@@ -563,6 +563,139 @@ export const defaultOptions: SanitizeOptions = {
     },
 };
 
+// dangerous patterns
+const DANGEROUS_TAGS_RE =
+    /<\s*(script|iframe|object|embed|svg|img|video|audio|link|meta|base|form|style|template|math|foreignobject)\b/i;
+const CLOSE_STYLE_RE = /<\s*\/\s*style/i;
+const DANGEROUS_URL_RE =
+    /url\s*\(\s*['"]?\s*(?:javascript:|vbscript:|data\s*:\s*(?:text\/html|application\/xhtml\+xml|image\/svg\+xml))/i;
+const IE_EXPR_RE = /expression\s*\(/i;
+const IE_BEHAVIOR_RE = /behavior\s*:/i;
+const MOZ_BINDING_RE = /-moz-binding\s*:/i;
+const AT_RULES_RE = /@(?:import|charset|namespace)\b/i;
+const COMMENTS_RE = /\/\*[^]*?\*\//g; // CSS comments: /* ... */
+
+// control characters (C0/C1) and BiDi override characters that can hide malicious content
+const CTRL_BIDI_RE = new RegExp(
+    [
+        String.raw`[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]`, // C0/C1 controls
+        String.raw`[\u202A-\u202E\u2066-\u2069]`, // BiDi overrides
+    ].join('|'),
+    'g',
+);
+
+const SAFE_VALUE_FAST_CHECK_RE = /[<&\\/]|@|url\s*\(|expression|behavior|-moz-binding/i;
+
+// backslash (CSS escapes), ampersand (HTML entities), BiDi overrides
+const FAST_PATH_RE = /[\\&\u202A-\u202E\u2066-\u2069]/;
+
+// combined regex for decoding CSS escapes and HTML entities
+const RE_DECODE = new RegExp(
+    [
+        String.raw`\\([0-9A-Fa-f]{1,6})\s?`, // CSS hex escapes: \41 or \000041  → 'A'
+        String.raw`&#x([0-9A-Fa-f]{1,6});`, // HTML hex entities: &#x41; or &#X41; → 'A'
+        String.raw`&#(\d{1,7});`, // HTML decimal entities: &#65; → 'A'
+        String.raw`&([a-zA-Z][a-zA-Z0-9]{1,31});`, // HTML named entities: &lt; or &amp; → '<' or '&'
+    ].join('|'),
+    'g',
+);
+
+const htmlEntities: Record<string, string> = {
+    lt: '<',
+    gt: '>',
+    quot: '"',
+    apos: "'",
+    amp: '&',
+    newline: '\n',
+    tab: '\t',
+    colon: ':',
+    sol: '/',
+    lpar: '(',
+    rpar: ')',
+};
+
+// Decodes a single escaped or encoded token
+function decodeToken(
+    whole: string,
+    cssHex?: string,
+    htmlHex?: string,
+    htmlDec?: string,
+    named?: string,
+): string {
+    if (cssHex) {
+        return String.fromCodePoint(parseInt(cssHex, 16) || 0);
+    }
+    if (htmlHex) {
+        return String.fromCodePoint(parseInt(htmlHex, 16) || 0);
+    }
+    if (htmlDec) {
+        return String.fromCodePoint(parseInt(htmlDec, 10) || 0);
+    }
+    if (named) {
+        const rep = htmlEntities[named] ?? htmlEntities[named.toLowerCase()];
+        if (rep) {
+            return rep;
+        }
+    }
+    return whole;
+}
+
+// Normalize CSS value by decoding HTML entities and CSS escapes
+function normalizeCssValue(value: string): string {
+    let normalized = String(value ?? '');
+
+    // early-exit if no special chars
+    if (!FAST_PATH_RE.test(normalized)) {
+        return normalized;
+    }
+
+    // 1. remove CSS comments to prevent hiding escapes inside /* ... */
+    // 2. strip control characters and BiDi overrides
+    // 3. decode all CSS escapes and HTML entities in one pass
+    normalized = normalized
+        .replace(COMMENTS_RE, '')
+        .replace(CTRL_BIDI_RE, '')
+        .replace(RE_DECODE, decodeToken);
+
+    // unicode normalization (NFKC) to prevent homograph attacks
+    try {
+        normalized = normalized.normalize('NFKC');
+    } catch (_) {
+        // silent fail: logging the value could expose sensitive data
+    }
+
+    return normalized;
+}
+
+// checks if a CSS value is safe from XSS attacks
+function isSafeCssValue(property: string, value: string): boolean {
+    const prop = property.toLowerCase();
+    const isContentProperty = prop === 'content';
+
+    // normalize first to prevent bypasses via comments/escapes
+    const normalized = normalizeCssValue(value);
+
+    // early-exit for trivial safe values
+    if (!SAFE_VALUE_FAST_CHECK_RE.test(normalized)) {
+        return true;
+    }
+
+    // сheck if normalized value looks like an HTML tag
+    const looksLikeTag = /<[^>]{0,128}>/i.test(normalized);
+
+    const dangerousPatterns = [
+        looksLikeTag && CLOSE_STYLE_RE, // </style> tag closure
+        !isContentProperty && looksLikeTag && DANGEROUS_TAGS_RE, // dangerous HTML tags
+        DANGEROUS_URL_RE, // javascript:, data:, vbscript: URLs
+        IE_EXPR_RE, // IE expression()
+        IE_BEHAVIOR_RE, // IE behavior:
+        MOZ_BINDING_RE, // FF -moz-binding
+        AT_RULES_RE, // @import, @charset, @namespace
+    ].filter(Boolean) as RegExp[];
+
+    return !dangerousPatterns.some((pattern) => pattern.test(normalized));
+}
+
 function sanitizeStyleTags(dom: cheerio.CheerioAPI, cssWhiteList: CssWhiteList) {
     const styleTags = dom('style');
 
@@ -590,13 +723,17 @@ function sanitizeStyleTags(dom: cheerio.CheerioAPI, cssWhiteList: CssWhiteList)
                         return false;
                     }
 
-                    const isWhiteListed = cssWhiteList[declaration.property];
+                    const prop = String(declaration.property).toLowerCase();
+                    const val = String(declaration.value);
+
+                    if (!isSafeCssValue(prop, val)) {
+                        return false;
+                    }
+
+                    const isWhiteListed = Boolean(cssWhiteList[prop]);
 
                     if (isWhiteListed) {
-                        declaration.value = cssfilter.safeAttrValue(
-                            declaration.property,
-                            declaration.value,
-                        );
+                        declaration.value = cssfilter.safeAttrValue(prop, val);
                     }
 
                     if (!declaration.value) {