@eggjs/security 4.0.0 → 5.0.0-beta.15

package/dist/esm/config/config.default.js

@@ -1,351 +0,0 @@
-import z from 'zod';
-import { Context } from '@eggjs/core';
-const CSRFSupportRequestItem = z.object({
-    path: z.instanceof(RegExp),
-    methods: z.array(z.string()),
-});
-export const LookupAddress = z.object({
-    address: z.string(),
-    family: z.number(),
-});
-const LookupAddressAndStringArray = z.union([z.string(), LookupAddress]).array();
-const SSRFCheckAddressFunction = z.function()
-    .args(z.union([z.string(), LookupAddress, LookupAddressAndStringArray]), z.union([z.number(), z.string()]), z.string())
-    .returns(z.boolean());
-export const SecurityMiddlewareName = z.enum([
-    'csrf',
-    'hsts',
-    'methodnoallow',
-    'noopen',
-    'nosniff',
-    'csp',
-    'xssProtection',
-    'xframe',
-    'dta',
-]);
-/**
- * (ctx) => boolean
- */
-const IgnoreOrMatchHandler = z.function().args(z.instanceof(Context)).returns(z.boolean());
-const IgnoreOrMatch = z.union([
-    z.string(), z.instanceof(RegExp), IgnoreOrMatchHandler,
-]);
-const IgnoreOrMatchOption = z.union([IgnoreOrMatch, IgnoreOrMatch.array()]).optional();
-/**
- * security options
- * @member Config#security
- */
-export const SecurityConfig = z.object({
-    /**
-     * domain white list
-     *
-     * Default to `[]`
-     */
-    domainWhiteList: z.array(z.string()).default([]),
-    /**
-     * protocol white list
-     *
-     * Default to `[]`
-     */
-    protocolWhiteList: z.array(z.string()).default([]),
-    /**
-     * default open security middleware
-     *
-     * Default to `'csrf,hsts,methodnoallow,noopen,nosniff,csp,xssProtection,xframe,dta'`
-     */
-    defaultMiddleware: z.union([z.string(), z.array(SecurityMiddlewareName)])
-        .default(SecurityMiddlewareName.options),
-    /**
-     * whether defend csrf attack
-     */
-    csrf: z.preprocess(val => {
-        // transform old config, `csrf: false` to `csrf: { enable: false }`
-        if (typeof val === 'boolean') {
-            return { enable: val };
-        }
-        return val;
-    }, z.object({
-        match: IgnoreOrMatchOption,
-        ignore: IgnoreOrMatchOption,
-        /**
-         * Default to `true`
-         */
-        enable: z.boolean().default(true),
-        /**
-         * csrf token detect source type
-         *
-         * Default to `'ctoken'`
-         */
-        type: z.enum(['ctoken', 'referer', 'all', 'any']).default('ctoken'),
-        /**
-         * ignore json request
-         *
-         * Default to `false`
-         *
-         * @deprecated is not safe now, don't use it
-         */
-        ignoreJSON: z.boolean().default(false),
-        /**
-         * csrf token cookie name
-         *
-         * Default to `'csrfToken'`
-         */
-        cookieName: z.union([z.string(), z.array(z.string())]).default('csrfToken'),
-        /**
-         * csrf token session name
-         *
-         * Default to `'csrfToken'`
-         */
-        sessionName: z.string().default('csrfToken'),
-        /**
-         * csrf token request header name
-         *
-         * Default to `'x-csrf-token'`
-         */
-        headerName: z.string().default('x-csrf-token'),
-        /**
-         * csrf token request body field name
-         *
-         * Default to `'_csrf'`
-         */
-        bodyName: z.union([z.string(), z.array(z.string())]).default('_csrf'),
-        /**
-         * csrf token request query field name
-         *
-         * Default to `'_csrf'`
-         */
-        queryName: z.union([z.string(), z.array(z.string())]).default('_csrf'),
-        /**
-         * rotate csrf token when it is invalid
-         *
-         * Default to `false`
-         */
-        rotateWhenInvalid: z.boolean().default(false),
-        /**
-         * These config works when using `'ctoken'` type
-         *
-         * Default to `false`
-         */
-        useSession: z.boolean().default(false),
-        /**
-         * csrf token cookie domain setting,
-         * can be `(ctx) => string` or `string`
-         *
-         * Default to `undefined`, auto set the cookie domain in the safe way
-         */
-        cookieDomain: z.union([
-            z.string(),
-            z.function()
-                .args(z.instanceof(Context))
-                .returns(z.string()),
-        ]).optional(),
-        /**
-         * csrf token check requests config
-         */
-        supportedRequests: z.array(CSRFSupportRequestItem)
-            .default([
-            { path: /^\//, methods: ['POST', 'PATCH', 'DELETE', 'PUT', 'CONNECT'] },
-        ]),
-        /**
-         * referer or origin header white list.
-         * It only works when using `'referer'` type
-         *
-         * Default to `[]`
-         */
-        refererWhiteList: z.array(z.string()).default([]),
-        /**
-         * csrf token cookie options
-         *
-         * Default to `{
-         *   signed: false,
-         *   httpOnly: false,
-         *   overwrite: true,
-         * }`
-         */
-        cookieOptions: z.object({
-            signed: z.boolean(),
-            httpOnly: z.boolean(),
-            overwrite: z.boolean(),
-        }).default({
-            signed: false,
-            httpOnly: false,
-            overwrite: true,
-        }),
-    }).default({})),
-    /**
-     * whether enable X-Frame-Options response header
-     */
-    xframe: z.object({
-        match: IgnoreOrMatchOption,
-        ignore: IgnoreOrMatchOption,
-        /**
-         * Default to `true`
-         */
-        enable: z.boolean().default(true),
-        /**
-         * X-Frame-Options value, can be `'DENY'`, `'SAMEORIGIN'`, `'ALLOW-FROM https://example.com'`
-         *
-         * Default to `'SAMEORIGIN'`
-         */
-        value: z.string().default('SAMEORIGIN'),
-    }).default({}),
-    /**
-     * whether enable Strict-Transport-Security response header
-     */
-    hsts: z.object({
-        match: IgnoreOrMatchOption,
-        ignore: IgnoreOrMatchOption,
-        /**
-         * Default to `false`
-         */
-        enable: z.boolean().default(false),
-        /**
-         * Max age of Strict-Transport-Security in seconds
-         *
-         * Default to `365 * 24 * 3600`
-         */
-        maxAge: z.number().default(365 * 24 * 3600),
-        /**
-         * Whether include sub domains
-         *
-         * Default to `false`
-         */
-        includeSubdomains: z.boolean().default(false),
-    }).default({}),
-    /**
-     * whether enable Http Method filter
-     */
-    methodnoallow: z.object({
-        match: IgnoreOrMatchOption,
-        ignore: IgnoreOrMatchOption,
-        /**
-         * Default to `true`
-         */
-        enable: z.boolean().default(true),
-    }).default({}),
-    /**
-     * whether enable IE automatically download open
-     */
-    noopen: z.object({
-        match: IgnoreOrMatchOption,
-        ignore: IgnoreOrMatchOption,
-        /**
-         * Default to `true`
-         */
-        enable: z.boolean().default(true),
-    }).default({}),
-    /**
-     * whether enable IE8 automatically detect mime
-     */
-    nosniff: z.object({
-        match: IgnoreOrMatchOption,
-        ignore: IgnoreOrMatchOption,
-        /**
-         * Default to `true`
-         */
-        enable: z.boolean().default(true),
-    }).default({}),
-    /**
-     * whether enable IE8 XSS Filter
-     */
-    xssProtection: z.object({
-        match: IgnoreOrMatchOption,
-        ignore: IgnoreOrMatchOption,
-        /**
-         * Default to `true`
-         */
-        enable: z.boolean().default(true),
-        /**
-         * X-XSS-Protection response header value
-         *
-         * Default to `'1; mode=block'`
-         */
-        value: z.coerce.string().default('1; mode=block'),
-    }).default({}),
-    /**
-     * content security policy config
-     */
-    csp: z.object({
-        match: IgnoreOrMatchOption,
-        ignore: IgnoreOrMatchOption,
-        /**
-         * Default to `false`
-         */
-        enable: z.boolean().default(false),
-        // https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP#csp_overview
-        policy: z.record(z.union([z.string(), z.array(z.string()), z.boolean()])).default({}),
-        /**
-         * whether enable report only mode
-         * Default to `undefined`
-         */
-        reportOnly: z.boolean().optional(),
-        /**
-         * whether support IE
-         * Default to `undefined`
-         */
-        supportIE: z.boolean().optional(),
-    }).default({}),
-    /**
-     * whether enable referrer policy
-     * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
-     */
-    referrerPolicy: z.object({
-        match: IgnoreOrMatchOption,
-        ignore: IgnoreOrMatchOption,
-        /**
-         * Default to `false`
-         */
-        enable: z.boolean().default(false),
-        /**
-         * referrer policy value
-         *
-         * Default to `'no-referrer-when-downgrade'`
-         */
-        value: z.string().default('no-referrer-when-downgrade'),
-    }).default({}),
-    /**
-     * whether enable auto avoid directory traversal attack
-     */
-    dta: z.object({
-        match: IgnoreOrMatchOption,
-        ignore: IgnoreOrMatchOption,
-        /**
-         * Default to `true`
-         */
-        enable: z.boolean().default(true),
-    }).default({}),
-    ssrf: z.object({
-        ipBlackList: z.array(z.string()).optional(),
-        ipExceptionList: z.array(z.string()).optional(),
-        hostnameExceptionList: z.array(z.string()).optional(),
-        checkAddress: SSRFCheckAddressFunction.optional(),
-    }).default({}),
-    match: z.union([IgnoreOrMatch, IgnoreOrMatch.array()]).optional(),
-    ignore: z.union([IgnoreOrMatch, IgnoreOrMatch.array()]).optional(),
-    __protocolWhiteListSet: z.set(z.string()).optional().readonly(),
-});
-const SecurityHelperOnTagAttrHandler = z.function()
-    .args(z.string(), z.string(), z.string(), z.boolean())
-    .returns(z.union([z.string(), z.void()]));
-export const SecurityHelperConfig = z.object({
-    shtml: z.object({
-        /**
-         * tag attribute white list
-         */
-        whiteList: z.record(z.array(z.string())).optional(),
-        /**
-         * domain white list
-         * @deprecated use `config.security.domainWhiteList` instead
-         */
-        domainWhiteList: z.array(z.string()).optional(),
-        /**
-         * tag attribute handler
-         */
-        onTagAttr: SecurityHelperOnTagAttrHandler.optional(),
-    }).default({}),
-});
-export default {
-    security: SecurityConfig.parse({}),
-    helper: SecurityHelperConfig.parse({}),
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29uZmlnLmRlZmF1bHQuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvY29uZmlnL2NvbmZpZy5kZWZhdWx0LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sQ0FBQyxNQUFNLEtBQUssQ0FBQztBQUNwQixPQUFPLEVBQUUsT0FBTyxFQUFFLE1BQU0sYUFBYSxDQUFDO0FBRXRDLE1BQU0sc0JBQXNCLEdBQUcsQ0FBQyxDQUFDLE1BQU0sQ0FBQztJQUN0QyxJQUFJLEVBQUUsQ0FBQyxDQUFDLFVBQVUsQ0FBQyxNQUFNLENBQUM7SUFDMUIsT0FBTyxFQUFFLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFDO0NBQzdCLENBQUMsQ0FBQztBQUdILE1BQU0sQ0FBQyxNQUFNLGFBQWEsR0FBRyxDQUFDLENBQUMsTUFBTSxDQUFDO0lBQ3BDLE9BQU8sRUFBRSxDQUFDLENBQUMsTUFBTSxFQUFFO0lBQ25CLE1BQU0sRUFBRSxDQUFDLENBQUMsTUFBTSxFQUFFO0NBQ25CLENBQUMsQ0FBQztBQUdILE1BQU0sMkJBQTJCLEdBQUcsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFFLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxhQUFhLENBQUUsQ0FBQyxDQUFDLEtBQUssRUFBRSxDQUFDO0FBQ25GLE1BQU0sd0JBQXdCLEdBQUcsQ0FBQyxDQUFDLFFBQVEsRUFBRTtLQUMxQyxJQUFJLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFFLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxhQUFhLEVBQUUsMkJBQTJCLENBQUUsQ0FBQyxFQUFFLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBRSxDQUFDLENBQUMsTUFBTSxFQUFFLEVBQUUsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFFLENBQUMsRUFBRSxDQUFDLENBQUMsTUFBTSxFQUFFLENBQUM7S0FDMUgsT0FBTyxDQUFDLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxDQUFDO0FBT3hCLE1BQU0sQ0FBQyxNQUFNLHNCQUFzQixHQUFHLENBQUMsQ0FBQyxJQUFJLENBQUM7SUFDM0MsTUFBTTtJQUNOLE1BQU07SUFDTixlQUFlO0lBQ2YsUUFBUTtJQUNSLFNBQVM7SUFDVCxLQUFLO0lBQ0wsZUFBZTtJQUNmLFFBQVE7SUFDUixLQUFLO0NBQ04sQ0FBQyxDQUFDO0FBR0g7O0dBRUc7QUFDSCxNQUFNLG9CQUFvQixHQUFHLENBQUMsQ0FBQyxRQUFRLEVBQUUsQ0FBQyxJQUFJLENBQUMsQ0FBQyxDQUFDLFVBQVUsQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsQ0FBQztBQUczRixNQUFNLGFBQWEsR0FBRyxDQUFDLENBQUMsS0FBSyxDQUFDO0lBQzVCLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDLENBQUMsVUFBVSxDQUFDLE1BQU0sQ0FBQyxFQUFFLG9CQUFvQjtDQUN2RCxDQUFDLENBQUM7QUFHSCxNQUFNLG1CQUFtQixHQUFHLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBRSxhQUFhLEVBQUUsYUFBYSxDQUFDLEtBQUssRUFBRSxDQUFFLENBQUMsQ0FBQyxRQUFRLEVBQUUsQ0FBQztBQUd6Rjs7O0dBR0c7QUFDSCxNQUFNLENBQUMsTUFBTSxjQUFjLEdBQUcsQ0FBQyxDQUFDLE1BQU0sQ0FBQztJQUNyQzs7OztPQUlHO0lBQ0gsZUFBZSxFQUFFLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztJQUNoRDs7OztPQUlHO0lBQ0gsaUJBQWlCLEVBQUUsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsTUFBTSxFQUFFLENBQUMsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO0lBQ2xEOzs7O09BSUc7SUFDSCxpQkFBaUIsRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUUsQ0FBQyxDQUFDLE1BQU0sRUFBRSxFQUFFLENBQUMsQ0FBQyxLQUFLLENBQUMsc0JBQXNCLENBQUMsQ0FBRSxDQUFDO1NBQ3hFLE9BQU8sQ0FBQyxzQkFBc0IsQ0FBQyxPQUFPLENBQUM7SUFDMUM7O09BRUc7SUFDSCxJQUFJLEVBQUUsQ0FBQyxDQUFDLFVBQVUsQ0FBQyxHQUFHLENBQUMsRUFBRTtRQUN2QixtRUFBbUU7UUFDbkUsSUFBSSxPQUFPLEdBQUcsS0FBSyxTQUFTLEVBQUUsQ0FBQztZQUM3QixPQUFPLEVBQUUsTUFBTSxFQUFFLEdBQUcsRUFBRSxDQUFDO1FBQ3pCLENBQUM7UUFDRCxPQUFPLEdBQUcsQ0FBQztJQUNiLENBQUMsRUFBRSxDQUFDLENBQUMsTUFBTSxDQUFDO1FBQ1YsS0FBSyxFQUFFLG1CQUFtQjtRQUMxQixNQUFNLEVBQUUsbUJBQW1CO1FBQzNCOztXQUVHO1FBQ0gsTUFBTSxFQUFFLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDO1FBQ2pDOzs7O1dBSUc7UUFDSCxJQUFJLEVBQUUsQ0FBQyxDQUFDLElBQUksQ0FBQyxDQUFFLFFBQVEsRUFBRSxTQUFTLEVBQUUsS0FBSyxFQUFFLEtBQUssQ0FBRSxDQUFDLENBQUMsT0FBTyxDQUFDLFFBQVEsQ0FBQztRQUNyRTs7Ozs7O1dBTUc7UUFDSCxVQUFVLEVBQUUsQ0FBQyxDQUFDLE9BQU8sRUFBRSxDQUFDLE9BQU8sQ0FBQyxLQUFLLENBQUM7UUFDdEM7Ozs7V0FJRztRQUNILFVBQVUsRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUUsQ0FBQyxDQUFDLE1BQU0sRUFBRSxFQUFFLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLENBQUUsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxXQUFXLENBQUM7UUFDN0U7Ozs7V0FJRztRQUNILFdBQVcsRUFBRSxDQUFDLENBQUMsTUFBTSxFQUFFLENBQUMsT0FBTyxDQUFDLFdBQVcsQ0FBQztRQUM1Qzs7OztXQUlHO1FBQ0gsVUFBVSxFQUFFLENBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxPQUFPLENBQUMsY0FBYyxDQUFDO1FBQzlDOzs7O1dBSUc7UUFDSCxRQUFRLEVBQUUsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFFLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxDQUFFLENBQUMsQ0FBQyxPQUFPLENBQUMsT0FBTyxDQUFDO1FBQ3ZFOzs7O1dBSUc7UUFDSCxTQUFTLEVBQUUsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFFLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxDQUFFLENBQUMsQ0FBQyxPQUFPLENBQUMsT0FBTyxDQUFDO1FBQ3hFOzs7O1dBSUc7UUFDSCxpQkFBaUIsRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsT0FBTyxDQUFDLEtBQUssQ0FBQztRQUM3Qzs7OztXQUlHO1FBQ0gsVUFBVSxFQUFFLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUMsS0FBSyxDQUFDO1FBQ3RDOzs7OztXQUtHO1FBQ0gsWUFBWSxFQUFFLENBQUMsQ0FBQyxLQUFLLENBQUM7WUFDcEIsQ0FBQyxDQUFDLE1BQU0sRUFBRTtZQUNWLENBQUMsQ0FBQyxRQUFRLEVBQUU7aUJBQ1QsSUFBSSxDQUFDLENBQUMsQ0FBQyxVQUFVLENBQUMsT0FBTyxDQUFDLENBQUM7aUJBQzNCLE9BQU8sQ0FBQyxDQUFDLENBQUMsTUFBTSxFQUFFLENBQUM7U0FDdkIsQ0FBQyxDQUFDLFFBQVEsRUFBRTtRQUNiOztXQUVHO1FBQ0gsaUJBQWlCLEVBQUUsQ0FBQyxDQUFDLEtBQUssQ0FBQyxzQkFBc0IsQ0FBQzthQUMvQyxPQUFPLENBQUM7WUFDUCxFQUFFLElBQUksRUFBRSxLQUFLLEVBQUUsT0FBTyxFQUFFLENBQUUsTUFBTSxFQUFFLE9BQU8sRUFBRSxRQUFRLEVBQUUsS0FBSyxFQUFFLFNBQVMsQ0FBRSxFQUFFO1NBQzFFLENBQUM7UUFDSjs7Ozs7V0FLRztRQUNILGdCQUFnQixFQUFFLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztRQUNqRDs7Ozs7Ozs7V0FRRztRQUNILGFBQWEsRUFBRSxDQUFDLENBQUMsTUFBTSxDQUFDO1lBQ3RCLE1BQU0sRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFO1lBQ25CLFFBQVEsRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFO1lBQ3JCLFNBQVMsRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFO1NBQ3ZCLENBQUMsQ0FBQyxPQUFPLENBQUM7WUFDVCxNQUFNLEVBQUUsS0FBSztZQUNiLFFBQVEsRUFBRSxLQUFLO1lBQ2YsU0FBUyxFQUFFLElBQUk7U0FDaEIsQ0FBQztLQUNILENBQUMsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDLENBQUM7SUFDZjs7T0FFRztJQUNILE1BQU0sRUFBRSxDQUFDLENBQUMsTUFBTSxDQUFDO1FBQ2YsS0FBSyxFQUFFLG1CQUFtQjtRQUMxQixNQUFNLEVBQUUsbUJBQW1CO1FBQzNCOztXQUVHO1FBQ0gsTUFBTSxFQUFFLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDO1FBQ2pDOzs7O1dBSUc7UUFDSCxLQUFLLEVBQUUsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLE9BQU8sQ0FBQyxZQUFZLENBQUM7S0FDeEMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7SUFDZDs7T0FFRztJQUNILElBQUksRUFBRSxDQUFDLENBQUMsTUFBTSxDQUFDO1FBQ2IsS0FBSyxFQUFFLG1CQUFtQjtRQUMxQixNQUFNLEVBQUUsbUJBQW1CO1FBQzNCOztXQUVHO1FBQ0gsTUFBTSxFQUFFLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUMsS0FBSyxDQUFDO1FBQ2xDOzs7O1dBSUc7UUFDSCxNQUFNLEVBQUUsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLE9BQU8sQ0FBQyxHQUFHLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQztRQUMzQzs7OztXQUlHO1FBQ0gsaUJBQWlCLEVBQUUsQ0FBQyxDQUFDLE9BQU8sRUFBRSxDQUFDLE9BQU8sQ0FBQyxLQUFLLENBQUM7S0FDOUMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7SUFDZDs7T0FFRztJQUNILGFBQWEsRUFBRSxDQUFDLENBQUMsTUFBTSxDQUFDO1FBQ3RCLEtBQUssRUFBRSxtQkFBbUI7UUFDMUIsTUFBTSxFQUFFLG1CQUFtQjtRQUMzQjs7V0FFRztRQUNILE1BQU0sRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQztLQUNsQyxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztJQUNkOztPQUVHO0lBQ0gsTUFBTSxFQUFFLENBQUMsQ0FBQyxNQUFNLENBQUM7UUFDZixLQUFLLEVBQUUsbUJBQW1CO1FBQzFCLE1BQU0sRUFBRSxtQkFBbUI7UUFDM0I7O1dBRUc7UUFDSCxNQUFNLEVBQUUsQ0FBQyxDQUFDLE9BQU8sRUFBRSxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUM7S0FDbEMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7SUFDZDs7T0FFRztJQUNILE9BQU8sRUFBRSxDQUFDLENBQUMsTUFBTSxDQUFDO1FBQ2hCLEtBQUssRUFBRSxtQkFBbUI7UUFDMUIsTUFBTSxFQUFFLG1CQUFtQjtRQUMzQjs7V0FFRztRQUNILE1BQU0sRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQztLQUNsQyxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztJQUNkOztPQUVHO0lBQ0gsYUFBYSxFQUFFLENBQUMsQ0FBQyxNQUFNLENBQUM7UUFDdEIsS0FBSyxFQUFFLG1CQUFtQjtRQUMxQixNQUFNLEVBQUUsbUJBQW1CO1FBQzNCOztXQUVHO1FBQ0gsTUFBTSxFQUFFLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDO1FBQ2pDOzs7O1dBSUc7UUFDSCxLQUFLLEVBQUUsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxNQUFNLEVBQUUsQ0FBQyxPQUFPLENBQUMsZUFBZSxDQUFDO0tBQ2xELENBQUMsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO0lBQ2Q7O09BRUc7SUFDSCxHQUFHLEVBQUUsQ0FBQyxDQUFDLE1BQU0sQ0FBQztRQUNaLEtBQUssRUFBRSxtQkFBbUI7UUFDMUIsTUFBTSxFQUFFLG1CQUFtQjtRQUMzQjs7V0FFRztRQUNILE1BQU0sRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsT0FBTyxDQUFDLEtBQUssQ0FBQztRQUNsQyxxRUFBcUU7UUFDckUsTUFBTSxFQUFFLENBQUMsQ0FBQyxNQUFNLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFFLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxFQUFFLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBRSxDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO1FBQ3ZGOzs7V0FHRztRQUNILFVBQVUsRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsUUFBUSxFQUFFO1FBQ2xDOzs7V0FHRztRQUNILFNBQVMsRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFLENBQUMsUUFBUSxFQUFFO0tBQ2xDLENBQUMsQ0FBQyxPQUFPLENBQUMsRUFBRSxDQUFDO0lBQ2Q7OztPQUdHO0lBQ0gsY0FBYyxFQUFFLENBQUMsQ0FBQyxNQUFNLENBQUM7UUFDdkIsS0FBSyxFQUFFLG1CQUFtQjtRQUMxQixNQUFNLEVBQUUsbUJBQW1CO1FBQzNCOztXQUVHO1FBQ0gsTUFBTSxFQUFFLENBQUMsQ0FBQyxPQUFPLEVBQUUsQ0FBQyxPQUFPLENBQUMsS0FBSyxDQUFDO1FBQ2xDOzs7O1dBSUc7UUFDSCxLQUFLLEVBQUUsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLE9BQU8sQ0FBQyw0QkFBNEIsQ0FBQztLQUN4RCxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztJQUNkOztPQUVHO0lBQ0gsR0FBRyxFQUFFLENBQUMsQ0FBQyxNQUFNLENBQUM7UUFDWixLQUFLLEVBQUUsbUJBQW1CO1FBQzFCLE1BQU0sRUFBRSxtQkFBbUI7UUFDM0I7O1dBRUc7UUFDSCxNQUFNLEVBQUUsQ0FBQyxDQUFDLE9BQU8sRUFBRSxDQUFDLE9BQU8sQ0FBQyxJQUFJLENBQUM7S0FDbEMsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7SUFDZCxJQUFJLEVBQUUsQ0FBQyxDQUFDLE1BQU0sQ0FBQztRQUNiLFdBQVcsRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxDQUFDLFFBQVEsRUFBRTtRQUMzQyxlQUFlLEVBQUUsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsTUFBTSxFQUFFLENBQUMsQ0FBQyxRQUFRLEVBQUU7UUFDL0MscUJBQXFCLEVBQUUsQ0FBQyxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsTUFBTSxFQUFFLENBQUMsQ0FBQyxRQUFRLEVBQUU7UUFDckQsWUFBWSxFQUFFLHdCQUF3QixDQUFDLFFBQVEsRUFBRTtLQUNsRCxDQUFDLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztJQUNkLEtBQUssRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUUsYUFBYSxFQUFFLGFBQWEsQ0FBQyxLQUFLLEVBQUUsQ0FBRSxDQUFDLENBQUMsUUFBUSxFQUFFO0lBQ25FLE1BQU0sRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUUsYUFBYSxFQUFFLGFBQWEsQ0FBQyxLQUFLLEVBQUUsQ0FBRSxDQUFDLENBQUMsUUFBUSxFQUFFO0lBQ3BFLHNCQUFzQixFQUFFLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLE1BQU0sRUFBRSxDQUFDLENBQUMsUUFBUSxFQUFFLENBQUMsUUFBUSxFQUFFO0NBQ2hFLENBQUMsQ0FBQztBQUdILE1BQU0sOEJBQThCLEdBQUcsQ0FBQyxDQUFDLFFBQVEsRUFBRTtLQUNoRCxJQUFJLENBQUMsQ0FBQyxDQUFDLE1BQU0sRUFBRSxFQUFFLENBQUMsQ0FBQyxNQUFNLEVBQUUsRUFBRSxDQUFDLENBQUMsTUFBTSxFQUFFLEVBQUUsQ0FBQyxDQUFDLE9BQU8sRUFBRSxDQUFDO0tBQ3JELE9BQU8sQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUUsQ0FBQyxDQUFDLE1BQU0sRUFBRSxFQUFFLENBQUMsQ0FBQyxJQUFJLEVBQUUsQ0FBRSxDQUFDLENBQUMsQ0FBQztBQU85QyxNQUFNLENBQUMsTUFBTSxvQkFBb0IsR0FBRyxDQUFDLENBQUMsTUFBTSxDQUFDO0lBQzNDLEtBQUssRUFBRSxDQUFDLENBQUMsTUFBTSxDQUFDO1FBQ2Q7O1dBRUc7UUFDSCxTQUFTLEVBQUUsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxDQUFDLENBQUMsUUFBUSxFQUFFO1FBQ25EOzs7V0FHRztRQUNILGVBQWUsRUFBRSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxNQUFNLEVBQUUsQ0FBQyxDQUFDLFFBQVEsRUFBRTtRQUMvQzs7V0FFRztRQUNILFNBQVMsRUFBRSw4QkFBOEIsQ0FBQyxRQUFRLEVBQUU7S0FDckQsQ0FBQyxDQUFDLE9BQU8sQ0FBQyxFQUFFLENBQUM7Q0FDZixDQUFDLENBQUM7QUFHSCxlQUFlO0lBQ2IsUUFBUSxFQUFFLGNBQWMsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDO0lBQ2xDLE1BQU0sRUFBRSxvQkFBb0IsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDO0NBQ3ZDLENBQUMifQ==

package/dist/esm/config/config.local.d.ts

@@ -1,5 +0,0 @@
-import { SecurityConfig } from '../types.js';
-declare const _default: {
-    security: SecurityConfig;
-};
-export default _default;

package/dist/esm/config/config.local.js

@@ -1,8 +0,0 @@
-export default {
-    security: {
-        hsts: {
-            enable: false,
-        },
-    },
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY29uZmlnLmxvY2FsLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2NvbmZpZy9jb25maWcubG9jYWwudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBRUEsZUFBZTtJQUNiLFFBQVEsRUFBRTtRQUNSLElBQUksRUFBRTtZQUNKLE1BQU0sRUFBRSxLQUFLO1NBQ2Q7S0FDZ0I7Q0FDcEIsQ0FBQyJ9

package/dist/esm/index.d.ts

@@ -1 +0,0 @@
-import './types.js';

package/dist/esm/index.js

@@ -1,12 +0,0 @@
-import './types.js';
-// module.exports = require('./app/middleware/securities');
-// module.exports.csp = require('./lib/middlewares/csp');
-// module.exports.csrf = require('./lib/middlewares/csrf');
-// module.exports.methodNoAllow = require('./lib/middlewares/methodnoallow');
-// module.exports.noopen = require('./lib/middlewares/noopen');
-// module.exports.nosniff = require('./lib/middlewares/nosniff');
-// module.exports.xssProtection = require('./lib/middlewares/xssProtection');
-// module.exports.xframe = require('./lib/middlewares/xframe');
-// module.exports.safeRedirect = require('./lib/safe_redirect');
-// module.exports.utils = require('./lib/utils');
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IkFBQUEsT0FBTyxZQUFZLENBQUM7QUFFcEIsMkRBQTJEO0FBQzNELHlEQUF5RDtBQUN6RCwyREFBMkQ7QUFDM0QsNkVBQTZFO0FBQzdFLCtEQUErRDtBQUMvRCxpRUFBaUU7QUFDakUsNkVBQTZFO0FBQzdFLCtEQUErRDtBQUMvRCxnRUFBZ0U7QUFDaEUsaURBQWlEIn0=

package/dist/esm/lib/extend/safe_curl.d.ts

@@ -1,16 +0,0 @@
-import { EggCore } from '@eggjs/core';
-import type { SSRFCheckAddressFunction } from '../../types.js';
-type HttpClient = EggCore['HttpClient'];
-type HttpClientParameters = Parameters<HttpClient['prototype']['request']>;
-export type HttpClientRequestURL = HttpClientParameters[0];
-export type HttpClientOptions = HttpClientParameters[1] & {
-    checkAddress?: SSRFCheckAddressFunction;
-};
-export type HttpClientResponse<T = any> = Awaited<ReturnType<HttpClient['prototype']['request']>> & {
-    data: T;
-};
-/**
- * safe curl with ssrf protection
- */
-export declare function safeCurlForApplication<T = any>(app: EggCore, url: HttpClientRequestURL, options?: HttpClientOptions): Promise<import("urllib").HttpClientResponse<T>>;
-export {};

package/dist/esm/lib/extend/safe_curl.js

@@ -1,25 +0,0 @@
-const SSRF_HTTPCLIENT = Symbol('SSRF_HTTPCLIENT');
-/**
- * safe curl with ssrf protection
- */
-export async function safeCurlForApplication(app, url, options = {}) {
-    const ssrfConfig = app.config.security.ssrf;
-    if (ssrfConfig?.checkAddress) {
-        options.checkAddress = ssrfConfig.checkAddress;
-    }
-    else {
-        app.logger.warn('[@eggjs/security] please configure `config.security.ssrf` first');
-    }
-    if (ssrfConfig?.checkAddress) {
-        let httpClient = app[SSRF_HTTPCLIENT];
-        // use the new httpClient init with checkAddress
-        if (!httpClient) {
-            httpClient = app[SSRF_HTTPCLIENT] = app.createHttpClient({
-                checkAddress: ssrfConfig.checkAddress,
-            });
-        }
-        return await httpClient.request(url, options);
-    }
-    return await app.curl(url, options);
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2FmZV9jdXJsLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2xpYi9leHRlbmQvc2FmZV9jdXJsLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUdBLE1BQU0sZUFBZSxHQUFHLE1BQU0sQ0FBQyxpQkFBaUIsQ0FBQyxDQUFDO0FBUWxEOztHQUVHO0FBQ0gsTUFBTSxDQUFDLEtBQUssVUFBVSxzQkFBc0IsQ0FBVSxHQUFZLEVBQUUsR0FBeUIsRUFBRSxVQUE2QixFQUFFO0lBQzVILE1BQU0sVUFBVSxHQUFHLEdBQUcsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQztJQUM1QyxJQUFJLFVBQVUsRUFBRSxZQUFZLEVBQUUsQ0FBQztRQUM3QixPQUFPLENBQUMsWUFBWSxHQUFHLFVBQVUsQ0FBQyxZQUFZLENBQUM7SUFDakQsQ0FBQztTQUFNLENBQUM7UUFDTixHQUFHLENBQUMsTUFBTSxDQUFDLElBQUksQ0FBQyxpRUFBaUUsQ0FBQyxDQUFDO0lBQ3JGLENBQUM7SUFFRCxJQUFJLFVBQVUsRUFBRSxZQUFZLEVBQUUsQ0FBQztRQUM3QixJQUFJLFVBQVUsR0FBRyxHQUFHLENBQUMsZUFBZSxDQUE0QyxDQUFDO1FBQ2pGLGdEQUFnRDtRQUNoRCxJQUFJLENBQUMsVUFBVSxFQUFFLENBQUM7WUFDaEIsVUFBVSxHQUFHLEdBQUcsQ0FBQyxlQUFlLENBQUMsR0FBRyxHQUFHLENBQUMsZ0JBQWdCLENBQUM7Z0JBQ3ZELFlBQVksRUFBRSxVQUFVLENBQUMsWUFBWTthQUN0QyxDQUFDLENBQUM7UUFDTCxDQUFDO1FBQ0QsT0FBTyxNQUFNLFVBQVUsQ0FBQyxPQUFPLENBQUksR0FBRyxFQUFFLE9BQU8sQ0FBQyxDQUFDO0lBQ25ELENBQUM7SUFFRCxPQUFPLE1BQU0sR0FBRyxDQUFDLElBQUksQ0FBSSxHQUFHLEVBQUUsT0FBTyxDQUFDLENBQUM7QUFDekMsQ0FBQyJ9

package/dist/esm/lib/helper/cliFilter.d.ts

@@ -1,4 +0,0 @@
-/**
- * remote command execution
- */
-export default function cliFilter(text: string): string;

package/dist/esm/lib/helper/cliFilter.js

@@ -1,17 +0,0 @@
-/**
- * remote command execution
- */
-const BASIC_ALPHABETS = new Set('abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ.-_'.split(''));
-export default function cliFilter(text) {
-    const str = '' + text;
-    let res = '';
-    let ascii;
-    for (let index = 0; index < str.length; index++) {
-        ascii = str[index];
-        if (BASIC_ALPHABETS.has(ascii)) {
-            res += ascii;
-        }
-    }
-    return res;
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xpRmlsdGVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2xpYi9oZWxwZXIvY2xpRmlsdGVyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOztHQUVHO0FBRUgsTUFBTSxlQUFlLEdBQUcsSUFBSSxHQUFHLENBQUMsbUVBQW1FLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUM7QUFFL0csTUFBTSxDQUFDLE9BQU8sVUFBVSxTQUFTLENBQUMsSUFBWTtJQUM1QyxNQUFNLEdBQUcsR0FBRyxFQUFFLEdBQUcsSUFBSSxDQUFDO0lBQ3RCLElBQUksR0FBRyxHQUFHLEVBQUUsQ0FBQztJQUNiLElBQUksS0FBSyxDQUFDO0lBRVYsS0FBSyxJQUFJLEtBQUssR0FBRyxDQUFDLEVBQUUsS0FBSyxHQUFHLEdBQUcsQ0FBQyxNQUFNLEVBQUUsS0FBSyxFQUFFLEVBQUUsQ0FBQztRQUNoRCxLQUFLLEdBQUcsR0FBRyxDQUFDLEtBQUssQ0FBQyxDQUFDO1FBQ25CLElBQUksZUFBZSxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDO1lBQy9CLEdBQUcsSUFBSSxLQUFLLENBQUM7UUFDZixDQUFDO0lBQ0gsQ0FBQztJQUVELE9BQU8sR0FBRyxDQUFDO0FBQ2IsQ0FBQyJ9

package/dist/esm/lib/helper/escape.d.ts

@@ -1,2 +0,0 @@
-import escapeHTML from 'escape-html';
-export default escapeHTML;

package/dist/esm/lib/helper/escape.js

@@ -1,3 +0,0 @@
-import escapeHTML from 'escape-html';
-export default escapeHTML;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXNjYXBlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vLi4vc3JjL2xpYi9oZWxwZXIvZXNjYXBlLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sVUFBVSxNQUFNLGFBQWEsQ0FBQztBQUVyQyxlQUFlLFVBQVUsQ0FBQyJ9

package/dist/esm/lib/helper/escapeShellArg.d.ts

@@ -1 +0,0 @@
-export default function escapeShellArg(text: string): string;

package/dist/esm/lib/helper/escapeShellArg.js

@@ -1,5 +0,0 @@
-export default function escapeShellArg(text) {
-    const str = '' + text;
-    return '\'' + str.replace(/\\/g, '\\\\').replace(/\'/g, '\\\'') + '\'';
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXNjYXBlU2hlbGxBcmcuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL2hlbHBlci9lc2NhcGVTaGVsbEFyZy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxNQUFNLENBQUMsT0FBTyxVQUFVLGNBQWMsQ0FBQyxJQUFZO0lBQ2pELE1BQU0sR0FBRyxHQUFHLEVBQUUsR0FBRyxJQUFJLENBQUM7SUFDdEIsT0FBTyxJQUFJLEdBQUcsR0FBRyxDQUFDLE9BQU8sQ0FBQyxLQUFLLEVBQUUsTUFBTSxDQUFDLENBQUMsT0FBTyxDQUFDLEtBQUssRUFBRSxNQUFNLENBQUMsR0FBRyxJQUFJLENBQUM7QUFDekUsQ0FBQyJ9

package/dist/esm/lib/helper/escapeShellCmd.d.ts

@@ -1 +0,0 @@
-export default function escapeShellCmd(text: string): string;

package/dist/esm/lib/helper/escapeShellCmd.js

@@ -1,14 +0,0 @@
-const BASIC_ALPHABETS = new Set('#&;`|*?~<>^()[]{}$;\'",\x0A\xFF'.split(''));
-export default function escapeShellCmd(text) {
-    const str = '' + text;
-    let res = '';
-    let ascii;
-    for (let index = 0; index < str.length; index++) {
-        ascii = str[index];
-        if (!BASIC_ALPHABETS.has(ascii)) {
-            res += ascii;
-        }
-    }
-    return res;
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXNjYXBlU2hlbGxDbWQuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL2hlbHBlci9lc2NhcGVTaGVsbENtZC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxNQUFNLGVBQWUsR0FBRyxJQUFJLEdBQUcsQ0FBQyxpQ0FBaUMsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQztBQUU3RSxNQUFNLENBQUMsT0FBTyxVQUFVLGNBQWMsQ0FBQyxJQUFZO0lBQ2pELE1BQU0sR0FBRyxHQUFHLEVBQUUsR0FBRyxJQUFJLENBQUM7SUFDdEIsSUFBSSxHQUFHLEdBQUcsRUFBRSxDQUFDO0lBQ2IsSUFBSSxLQUFLLENBQUM7SUFFVixLQUFLLElBQUksS0FBSyxHQUFHLENBQUMsRUFBRSxLQUFLLEdBQUcsR0FBRyxDQUFDLE1BQU0sRUFBRSxLQUFLLEVBQUUsRUFBRSxDQUFDO1FBQ2hELEtBQUssR0FBRyxHQUFHLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDbkIsSUFBSSxDQUFDLGVBQWUsQ0FBQyxHQUFHLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUNoQyxHQUFHLElBQUksS0FBSyxDQUFDO1FBQ2YsQ0FBQztJQUNILENBQUM7SUFFRCxPQUFPLEdBQUcsQ0FBQztBQUNiLENBQUMifQ==

package/dist/esm/lib/helper/index.d.ts

@@ -1,21 +0,0 @@
-import cliFilter from './cliFilter.js';
-import escape from './escape.js';
-import escapeShellArg from './escapeShellArg.js';
-import escapeShellCmd from './escapeShellCmd.js';
-import shtml from './shtml.js';
-import sjs from './sjs.js';
-import sjson from './sjson.js';
-import spath from './spath.js';
-import surl from './surl.js';
-declare const _default: {
-    cliFilter: typeof cliFilter;
-    escape: typeof escape;
-    escapeShellArg: typeof escapeShellArg;
-    escapeShellCmd: typeof escapeShellCmd;
-    shtml: typeof shtml;
-    sjs: typeof sjs;
-    sjson: typeof sjson;
-    spath: typeof spath;
-    surl: typeof surl;
-};
-export default _default;

package/dist/esm/lib/helper/index.js

@@ -1,21 +0,0 @@
-import cliFilter from './cliFilter.js';
-import escape from './escape.js';
-import escapeShellArg from './escapeShellArg.js';
-import escapeShellCmd from './escapeShellCmd.js';
-import shtml from './shtml.js';
-import sjs from './sjs.js';
-import sjson from './sjson.js';
-import spath from './spath.js';
-import surl from './surl.js';
-export default {
-    cliFilter,
-    escape,
-    escapeShellArg,
-    escapeShellCmd,
-    shtml,
-    sjs,
-    sjson,
-    spath,
-    surl,
-};
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL2hlbHBlci9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLFNBQVMsTUFBTSxnQkFBZ0IsQ0FBQztBQUN2QyxPQUFPLE1BQU0sTUFBTSxhQUFhLENBQUM7QUFDakMsT0FBTyxjQUFjLE1BQU0scUJBQXFCLENBQUM7QUFDakQsT0FBTyxjQUFjLE1BQU0scUJBQXFCLENBQUM7QUFDakQsT0FBTyxLQUFLLE1BQU0sWUFBWSxDQUFDO0FBQy9CLE9BQU8sR0FBRyxNQUFNLFVBQVUsQ0FBQztBQUMzQixPQUFPLEtBQUssTUFBTSxZQUFZLENBQUM7QUFDL0IsT0FBTyxLQUFLLE1BQU0sWUFBWSxDQUFDO0FBQy9CLE9BQU8sSUFBSSxNQUFNLFdBQVcsQ0FBQztBQUU3QixlQUFlO0lBQ2IsU0FBUztJQUNULE1BQU07SUFDTixjQUFjO0lBQ2QsY0FBYztJQUNkLEtBQUs7SUFDTCxHQUFHO0lBQ0gsS0FBSztJQUNMLEtBQUs7SUFDTCxJQUFJO0NBQ0wsQ0FBQyJ9

package/dist/esm/lib/helper/shtml.d.ts

@@ -1,2 +0,0 @@
-import type { BaseContextClass } from '@eggjs/core';
-export default function shtml(this: BaseContextClass, val: string): string;

package/dist/esm/lib/helper/shtml.js

@@ -1,70 +0,0 @@
-import xss from 'xss';
-import { isSafeDomain, getFromUrl } from '../utils.js';
-const BUILD_IN_ON_TAG_ATTR = Symbol('buildInOnTagAttr');
-// default rule: https://github.com/leizongmin/js-xss/blob/master/lib/default.js
-// add domain filter based on xss module
-// custom options http://jsxss.com/zh/options.html
-// eg: support a tag，filter attributes except for title : whiteList: {a: ['title']}
-export default function shtml(val) {
-    if (typeof val !== 'string') {
-        return val;
-    }
-    const securityOptions = this.ctx.securityOptions;
-    let buildInOnTagAttrHandler;
-    const shtmlConfig = {
-        ...this.app.config.helper.shtml,
-        ...securityOptions.shtml,
-        [BUILD_IN_ON_TAG_ATTR]: buildInOnTagAttrHandler,
-    };
-    const domainWhiteList = this.app.config.security.domainWhiteList;
-    const app = this.app;
-    // filter href and src attribute if not in domain white list
-    if (!shtmlConfig[BUILD_IN_ON_TAG_ATTR]) {
-        shtmlConfig[BUILD_IN_ON_TAG_ATTR] = (_tag, name, value, isWhiteAttr) => {
-            if (isWhiteAttr && (name === 'href' || name === 'src')) {
-                if (!value) {
-                    return;
-                }
-                value = String(value);
-                if (value[0] === '/' || value[0] === '#') {
-                    return;
-                }
-                const hostname = getFromUrl(value, 'hostname');
-                if (!hostname) {
-                    return;
-                }
-                // If we don't have our hostname in the app.security.domainWhiteList,
-                // Just check for `shtmlConfig.domainWhiteList` and `ctx.whiteList`.
-                if (!isSafeDomain(hostname, domainWhiteList)) {
-                    // Check for `shtmlConfig.domainWhiteList` first (duplicated now)
-                    if (shtmlConfig.domainWhiteList && shtmlConfig.domainWhiteList.length > 0) {
-                        app.deprecate('[@eggjs/security/lib/helper/shtml] `config.helper.shtml.domainWhiteList` has been deprecate. Please use `config.security.domainWhiteList` instead.');
-                        if (!isSafeDomain(hostname, shtmlConfig.domainWhiteList)) {
-                            return '';
-                        }
-                    }
-                    else {
-                        return '';
-                    }
-                }
-            }
-        };
-        // avoid overriding user configuration 'onTagAttr'
-        if (shtmlConfig.onTagAttr) {
-            const customOnTagAttrHandler = shtmlConfig.onTagAttr;
-            shtmlConfig.onTagAttr = function (tag, name, value, isWhiteAttr) {
-                const result = customOnTagAttrHandler.apply(this, [tag, name, value, isWhiteAttr]);
-                if (result !== undefined) {
-                    return result;
-                }
-                // fallback to build-in handler
-                return shtmlConfig[BUILD_IN_ON_TAG_ATTR].apply(this, [tag, name, value, isWhiteAttr]);
-            };
-        }
-        else {
-            shtmlConfig.onTagAttr = shtmlConfig[BUILD_IN_ON_TAG_ATTR];
-        }
-    }
-    return xss(val, shtmlConfig);
-}
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2h0bWwuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi8uLi9zcmMvbGliL2hlbHBlci9zaHRtbC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFDQSxPQUFPLEdBQUcsTUFBTSxLQUFLLENBQUM7QUFDdEIsT0FBTyxFQUFFLFlBQVksRUFBRSxVQUFVLEVBQUUsTUFBTSxhQUFhLENBQUM7QUFHdkQsTUFBTSxvQkFBb0IsR0FBRyxNQUFNLENBQUMsa0JBQWtCLENBQUMsQ0FBQztBQUV4RCxnRkFBZ0Y7QUFDaEYsd0NBQXdDO0FBQ3hDLGtEQUFrRDtBQUNsRCxtRkFBbUY7QUFDbkYsTUFBTSxDQUFDLE9BQU8sVUFBVSxLQUFLLENBQXlCLEdBQVc7SUFDL0QsSUFBSSxPQUFPLEdBQUcsS0FBSyxRQUFRLEVBQUUsQ0FBQztRQUM1QixPQUFPLEdBQUcsQ0FBQztJQUNiLENBQUM7SUFFRCxNQUFNLGVBQWUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLGVBQWUsQ0FBQztJQUNqRCxJQUFJLHVCQUFtRSxDQUFDO0lBQ3hFLE1BQU0sV0FBVyxHQUFHO1FBQ2xCLEdBQUcsSUFBSSxDQUFDLEdBQUcsQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLEtBQUs7UUFDL0IsR0FBRyxlQUFlLENBQUMsS0FBSztRQUN4QixDQUFDLG9CQUFvQixDQUFDLEVBQUUsdUJBQXVCO0tBQ2hELENBQUM7SUFDRixNQUFNLGVBQWUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsZUFBZSxDQUFDO0lBQ2pFLE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUM7SUFDckIsNERBQTREO0lBQzVELElBQUksQ0FBQyxXQUFXLENBQUMsb0JBQW9CLENBQUMsRUFBRSxDQUFDO1FBQ3ZDLFdBQVcsQ0FBQyxvQkFBb0IsQ0FBQyxHQUFHLENBQUMsSUFBSSxFQUFFLElBQUksRUFBRSxLQUFLLEVBQUUsV0FBVyxFQUFFLEVBQUU7WUFDckUsSUFBSSxXQUFXLElBQUksQ0FBQyxJQUFJLEtBQUssTUFBTSxJQUFJLElBQUksS0FBSyxLQUFLLENBQUMsRUFBRSxDQUFDO2dCQUN2RCxJQUFJLENBQUMsS0FBSyxFQUFFLENBQUM7b0JBQ1gsT0FBTztnQkFDVCxDQUFDO2dCQUVELEtBQUssR0FBRyxNQUFNLENBQUMsS0FBSyxDQUFDLENBQUM7Z0JBQ3RCLElBQUksS0FBSyxDQUFDLENBQUMsQ0FBQyxLQUFLLEdBQUcsSUFBSSxLQUFLLENBQUMsQ0FBQyxDQUFDLEtBQUssR0FBRyxFQUFFLENBQUM7b0JBQ3pDLE9BQU87Z0JBQ1QsQ0FBQztnQkFFRCxNQUFNLFFBQVEsR0FBRyxVQUFVLENBQUMsS0FBSyxFQUFFLFVBQVUsQ0FBQyxDQUFDO2dCQUMvQyxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUM7b0JBQ2QsT0FBTztnQkFDVCxDQUFDO2dCQUVELHFFQUFxRTtnQkFDckUsb0VBQW9FO2dCQUNwRSxJQUFJLENBQUMsWUFBWSxDQUFDLFFBQVEsRUFBRSxlQUFlLENBQUMsRUFBRSxDQUFDO29CQUM3QyxpRUFBaUU7b0JBQ2pFLElBQUksV0FBVyxDQUFDLGVBQWUsSUFBSSxXQUFXLENBQUMsZUFBZSxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQzt3QkFDMUUsR0FBRyxDQUFDLFNBQVMsQ0FBQyxvSkFBb0osQ0FBQyxDQUFDO3dCQUNwSyxJQUFJLENBQUMsWUFBWSxDQUFDLFFBQVEsRUFBRSxXQUFXLENBQUMsZUFBZSxDQUFDLEVBQUUsQ0FBQzs0QkFDekQsT0FBTyxFQUFFLENBQUM7d0JBQ1osQ0FBQztvQkFDSCxDQUFDO3lCQUFNLENBQUM7d0JBQ04sT0FBTyxFQUFFLENBQUM7b0JBQ1osQ0FBQztnQkFDSCxDQUFDO1lBQ0gsQ0FBQztRQUNILENBQUMsQ0FBQztRQUVGLGtEQUFrRDtRQUNsRCxJQUFJLFdBQVcsQ0FBQyxTQUFTLEVBQUUsQ0FBQztZQUMxQixNQUFNLHNCQUFzQixHQUFHLFdBQVcsQ0FBQyxTQUFTLENBQUM7WUFDckQsV0FBVyxDQUFDLFNBQVMsR0FBRyxVQUFTLEdBQUcsRUFBRSxJQUFJLEVBQUUsS0FBSyxFQUFFLFdBQVc7Z0JBQzVELE1BQU0sTUFBTSxHQUFHLHNCQUFzQixDQUFDLEtBQUssQ0FBQyxJQUFJLEVBQUUsQ0FBRSxHQUFHLEVBQUUsSUFBSSxFQUFFLEtBQUssRUFBRSxXQUFXLENBQUUsQ0FBQyxDQUFDO2dCQUNyRixJQUFJLE1BQU0sS0FBSyxTQUFTLEVBQUUsQ0FBQztvQkFDekIsT0FBTyxNQUFNLENBQUM7Z0JBQ2hCLENBQUM7Z0JBQ0QsK0JBQStCO2dCQUMvQixPQUFPLFdBQVcsQ0FBQyxvQkFBb0IsQ0FBRSxDQUFDLEtBQUssQ0FBQyxJQUFJLEVBQUUsQ0FBRSxHQUFHLEVBQUUsSUFBSSxFQUFFLEtBQUssRUFBRSxXQUFXLENBQUUsQ0FBQyxDQUFDO1lBQzNGLENBQUMsQ0FBQztRQUNKLENBQUM7YUFBTSxDQUFDO1lBQ04sV0FBVyxDQUFDLFNBQVMsR0FBRyxXQUFXLENBQUMsb0JBQW9CLENBQUMsQ0FBQztRQUM1RCxDQUFDO0lBQ0gsQ0FBQztJQUVELE9BQU8sR0FBRyxDQUFDLEdBQUcsRUFBRSxXQUFXLENBQUMsQ0FBQztBQUMvQixDQUFDIn0=

package/dist/esm/lib/helper/sjs.d.ts

@@ -1,4 +0,0 @@
-/**
- * Escape JavaScript to \xHH format
- */
-export default function escapeJavaScript(text: string): string;