@eggjs/security 5.0.0-beta.19 → 5.0.0-beta.21

package/dist/lib/helper/cliFilter.d.ts

@@ -1,7 +1,4 @@
-//#region src/lib/helper/cliFilter.d.ts
 /**
  * remote command execution
  */
-declare function cliFilter(text: string): string;
-//#endregion
-export { cliFilter as default };
+export default function cliFilter(text: string): string;

package/dist/lib/helper/cliFilter.js

@@ -1,18 +1,17 @@
-//#region src/lib/helper/cliFilter.ts
 /**
-* remote command execution
-*/
-const BASIC_ALPHABETS = new Set("abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ.-_".split(""));
-function cliFilter(text) {
-	const str = "" + text;
-	let res = "";
-	let ascii;
-	for (let index = 0; index < str.length; index++) {
-		ascii = str[index];
-		if (BASIC_ALPHABETS.has(ascii)) res += ascii;
-	}
-	return res;
+ * remote command execution
+ */
+const BASIC_ALPHABETS = new Set('abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ.-_'.split(''));
+export default function cliFilter(text) {
+    const str = '' + text;
+    let res = '';
+    let ascii;
+    for (let index = 0; index < str.length; index++) {
+        ascii = str[index];
+        if (BASIC_ALPHABETS.has(ascii)) {
+            res += ascii;
+        }
+    }
+    return res;
 }
-
-//#endregion
-export { cliFilter as default };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xpRmlsdGVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2xpYi9oZWxwZXIvY2xpRmlsdGVyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOztHQUVHO0FBRUgsTUFBTSxlQUFlLEdBQUcsSUFBSSxHQUFHLENBQUMsbUVBQW1FLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUM7QUFFL0csTUFBTSxDQUFDLE9BQU8sVUFBVSxTQUFTLENBQUMsSUFBWTtJQUM1QyxNQUFNLEdBQUcsR0FBRyxFQUFFLEdBQUcsSUFBSSxDQUFDO0lBQ3RCLElBQUksR0FBRyxHQUFHLEVBQUUsQ0FBQztJQUNiLElBQUksS0FBSyxDQUFDO0lBRVYsS0FBSyxJQUFJLEtBQUssR0FBRyxDQUFDLEVBQUUsS0FBSyxHQUFHLEdBQUcsQ0FBQyxNQUFNLEVBQUUsS0FBSyxFQUFFLEVBQUUsQ0FBQztRQUNoRCxLQUFLLEdBQUcsR0FBRyxDQUFDLEtBQUssQ0FBQyxDQUFDO1FBQ25CLElBQUksZUFBZSxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDO1lBQy9CLEdBQUcsSUFBSSxLQUFLLENBQUM7UUFDZixDQUFDO0lBQ0gsQ0FBQztJQUVELE9BQU8sR0FBRyxDQUFDO0FBQ2IsQ0FBQyJ9

package/dist/lib/helper/escape.d.ts

@@ -1,2 +1,2 @@
-import escapeHTML from "escape-html";
-export { escapeHTML as default };
+import escapeHTML from 'escape-html';
+export default escapeHTML;

package/dist/lib/helper/escape.js

@@ -1,7 +1,3 @@
-import escapeHTML from "escape-html";
-
-//#region src/lib/helper/escape.ts
-var escape_default = escapeHTML;
-
-//#endregion
-export { escape_default as default };
+import escapeHTML from 'escape-html';
+export default escapeHTML;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXNjYXBlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2xpYi9oZWxwZXIvZXNjYXBlLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sVUFBVSxNQUFNLGFBQWEsQ0FBQztBQUVyQyxlQUFlLFVBQVUsQ0FBQyJ9

package/dist/lib/helper/escapeShellArg.d.ts

@@ -1,4 +1 @@
-//#region src/lib/helper/escapeShellArg.d.ts
-declare function escapeShellArg(text: string): string;
-//#endregion
-export { escapeShellArg as default };
+export default function escapeShellArg(text: string): string;

package/dist/lib/helper/escapeShellArg.js

@@ -1,7 +1,5 @@
-//#region src/lib/helper/escapeShellArg.ts
-function escapeShellArg(text) {
-	return "'" + ("" + text).replace(/\\/g, "\\\\").replace(/'/g, "\\'") + "'";
+export default function escapeShellArg(text) {
+    const str = '' + text;
+    return "'" + str.replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
 }
-
-//#endregion
-export { escapeShellArg as default };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXNjYXBlU2hlbGxBcmcuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL2hlbHBlci9lc2NhcGVTaGVsbEFyZy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxNQUFNLENBQUMsT0FBTyxVQUFVLGNBQWMsQ0FBQyxJQUFZO0lBQ2pELE1BQU0sR0FBRyxHQUFHLEVBQUUsR0FBRyxJQUFJLENBQUM7SUFDdEIsT0FBTyxHQUFHLEdBQUcsR0FBRyxDQUFDLE9BQU8sQ0FBQyxLQUFLLEVBQUUsTUFBTSxDQUFDLENBQUMsT0FBTyxDQUFDLElBQUksRUFBRSxLQUFLLENBQUMsR0FBRyxHQUFHLENBQUM7QUFDckUsQ0FBQyJ9

package/dist/lib/helper/escapeShellCmd.d.ts

@@ -1,4 +1 @@
-//#region src/lib/helper/escapeShellCmd.d.ts
-declare function escapeShellCmd(text: string): string;
-//#endregion
-export { escapeShellCmd as default };
+export default function escapeShellCmd(text: string): string;

package/dist/lib/helper/escapeShellCmd.js

@@ -1,15 +1,14 @@
-//#region src/lib/helper/escapeShellCmd.ts
-const BASIC_ALPHABETS = new Set("#&;`|*?~<>^()[]{}$;'\",\nÿ".split(""));
-function escapeShellCmd(text) {
-	const str = "" + text;
-	let res = "";
-	let ascii;
-	for (let index = 0; index < str.length; index++) {
-		ascii = str[index];
-		if (!BASIC_ALPHABETS.has(ascii)) res += ascii;
-	}
-	return res;
+const BASIC_ALPHABETS = new Set('#&;`|*?~<>^()[]{}$;\'",\x0A\xFF'.split(''));
+export default function escapeShellCmd(text) {
+    const str = '' + text;
+    let res = '';
+    let ascii;
+    for (let index = 0; index < str.length; index++) {
+        ascii = str[index];
+        if (!BASIC_ALPHABETS.has(ascii)) {
+            res += ascii;
+        }
+    }
+    return res;
 }
-
-//#endregion
-export { escapeShellCmd as default };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXNjYXBlU2hlbGxDbWQuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL2hlbHBlci9lc2NhcGVTaGVsbENtZC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxNQUFNLGVBQWUsR0FBRyxJQUFJLEdBQUcsQ0FBQyxpQ0FBaUMsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQztBQUU3RSxNQUFNLENBQUMsT0FBTyxVQUFVLGNBQWMsQ0FBQyxJQUFZO0lBQ2pELE1BQU0sR0FBRyxHQUFHLEVBQUUsR0FBRyxJQUFJLENBQUM7SUFDdEIsSUFBSSxHQUFHLEdBQUcsRUFBRSxDQUFDO0lBQ2IsSUFBSSxLQUFLLENBQUM7SUFFVixLQUFLLElBQUksS0FBSyxHQUFHLENBQUMsRUFBRSxLQUFLLEdBQUcsR0FBRyxDQUFDLE1BQU0sRUFBRSxLQUFLLEVBQUUsRUFBRSxDQUFDO1FBQ2hELEtBQUssR0FBRyxHQUFHLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDbkIsSUFBSSxDQUFDLGVBQWUsQ0FBQyxHQUFHLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUNoQyxHQUFHLElBQUksS0FBSyxDQUFDO1FBQ2YsQ0FBQztJQUNILENBQUM7SUFFRCxPQUFPLEdBQUcsQ0FBQztBQUNiLENBQUMifQ==

package/dist/lib/helper/index.d.ts

@@ -1,24 +1,21 @@
-import cliFilter from "./cliFilter.js";
-import escapeShellArg from "./escapeShellArg.js";
-import escapeShellCmd from "./escapeShellCmd.js";
-import shtml from "./shtml.js";
-import escapeJavaScript from "./sjs.js";
-import jsonEscape from "./sjson.js";
-import pathFilter from "./spath.js";
-import surl from "./surl.js";
-import escapeHTML from "./escape.js";
-
-//#region src/lib/helper/index.d.ts
+import cliFilter from './cliFilter.ts';
+import escape from './escape.ts';
+import escapeShellArg from './escapeShellArg.ts';
+import escapeShellCmd from './escapeShellCmd.ts';
+import shtml from './shtml.ts';
+import sjs from './sjs.ts';
+import sjson from './sjson.ts';
+import spath from './spath.ts';
+import surl from './surl.ts';
 declare const _default: {
-  cliFilter: typeof cliFilter;
-  escape: typeof escapeHTML;
-  escapeShellArg: typeof escapeShellArg;
-  escapeShellCmd: typeof escapeShellCmd;
-  shtml: typeof shtml;
-  sjs: typeof escapeJavaScript;
-  sjson: typeof jsonEscape;
-  spath: typeof pathFilter;
-  surl: typeof surl;
+    cliFilter: typeof cliFilter;
+    escape: typeof escape;
+    escapeShellArg: typeof escapeShellArg;
+    escapeShellCmd: typeof escapeShellCmd;
+    shtml: typeof shtml;
+    sjs: typeof sjs;
+    sjson: typeof sjson;
+    spath: typeof spath;
+    surl: typeof surl;
 };
-//#endregion
-export { _default as default };
+export default _default;

package/dist/lib/helper/index.js

@@ -1,25 +1,21 @@
 import cliFilter from "./cliFilter.js";
-import escape_default from "./escape.js";
+import escape from "./escape.js";
 import escapeShellArg from "./escapeShellArg.js";
 import escapeShellCmd from "./escapeShellCmd.js";
 import shtml from "./shtml.js";
-import escapeJavaScript from "./sjs.js";
-import jsonEscape from "./sjson.js";
-import pathFilter from "./spath.js";
+import sjs from "./sjs.js";
+import sjson from "./sjson.js";
+import spath from "./spath.js";
 import surl from "./surl.js";
-
-//#region src/lib/helper/index.ts
-var helper_default = {
-	cliFilter,
-	escape: escape_default,
-	escapeShellArg,
-	escapeShellCmd,
-	shtml,
-	sjs: escapeJavaScript,
-	sjson: jsonEscape,
-	spath: pathFilter,
-	surl
+export default {
+    cliFilter,
+    escape,
+    escapeShellArg,
+    escapeShellCmd,
+    shtml,
+    sjs,
+    sjson,
+    spath,
+    surl,
 };
-
-//#endregion
-export { helper_default as default };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL2hlbHBlci9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLFNBQVMsTUFBTSxnQkFBZ0IsQ0FBQztBQUN2QyxPQUFPLE1BQU0sTUFBTSxhQUFhLENBQUM7QUFDakMsT0FBTyxjQUFjLE1BQU0scUJBQXFCLENBQUM7QUFDakQsT0FBTyxjQUFjLE1BQU0scUJBQXFCLENBQUM7QUFDakQsT0FBTyxLQUFLLE1BQU0sWUFBWSxDQUFDO0FBQy9CLE9BQU8sR0FBRyxNQUFNLFVBQVUsQ0FBQztBQUMzQixPQUFPLEtBQUssTUFBTSxZQUFZLENBQUM7QUFDL0IsT0FBTyxLQUFLLE1BQU0sWUFBWSxDQUFDO0FBQy9CLE9BQU8sSUFBSSxNQUFNLFdBQVcsQ0FBQztBQUU3QixlQUFlO0lBQ2IsU0FBUztJQUNULE1BQU07SUFDTixjQUFjO0lBQ2QsY0FBYztJQUNkLEtBQUs7SUFDTCxHQUFHO0lBQ0gsS0FBSztJQUNMLEtBQUs7SUFDTCxJQUFJO0NBQ0wsQ0FBQyJ9

package/dist/lib/helper/shtml.d.ts

@@ -1,6 +1,2 @@
-import { BaseContextClass } from "egg";
-
-//#region src/lib/helper/shtml.d.ts
-declare function shtml(this: BaseContextClass, val: string): string;
-//#endregion
-export { shtml as default };
+import type { BaseContextClass } from 'egg';
+export default function shtml(this: BaseContextClass, val: string): string;

package/dist/lib/helper/shtml.js

@@ -1,53 +1,69 @@
-import { getFromUrl, isSafeDomain } from "../utils.js";
-import xss from "xss";
-
-//#region src/lib/helper/shtml.ts
-const BUILD_IN_ON_TAG_ATTR = Symbol("buildInOnTagAttr");
-function shtml(val) {
-	if (typeof val !== "string") return val;
-	const securityOptions = this.ctx.securityOptions;
-	const shtmlConfig = {
-		...this.app.config.helper.shtml,
-		...securityOptions.shtml,
-		[BUILD_IN_ON_TAG_ATTR]: void 0
-	};
-	const domainWhiteList = this.app.config.security.domainWhiteList;
-	const app = this.app;
-	if (!shtmlConfig[BUILD_IN_ON_TAG_ATTR]) {
-		shtmlConfig[BUILD_IN_ON_TAG_ATTR] = (_tag, name, value, isWhiteAttr) => {
-			if (isWhiteAttr && (name === "href" || name === "src")) {
-				if (!value) return;
-				value = String(value);
-				if (value[0] === "/" || value[0] === "#") return;
-				const hostname = getFromUrl(value, "hostname");
-				if (!hostname) return;
-				if (!isSafeDomain(hostname, domainWhiteList)) if (shtmlConfig.domainWhiteList && shtmlConfig.domainWhiteList.length > 0) {
-					app.deprecate("[@eggjs/security/lib/helper/shtml] `config.helper.shtml.domainWhiteList` has been deprecate. Please use `config.security.domainWhiteList` instead.");
-					if (!isSafeDomain(hostname, shtmlConfig.domainWhiteList)) return "";
-				} else return "";
-			}
-		};
-		if (shtmlConfig.onTagAttr) {
-			const customOnTagAttrHandler = shtmlConfig.onTagAttr;
-			shtmlConfig.onTagAttr = function(tag, name, value, isWhiteAttr) {
-				const result = customOnTagAttrHandler.apply(this, [
-					tag,
-					name,
-					value,
-					isWhiteAttr
-				]);
-				if (result !== void 0) return result;
-				return shtmlConfig[BUILD_IN_ON_TAG_ATTR].apply(this, [
-					tag,
-					name,
-					value,
-					isWhiteAttr
-				]);
-			};
-		} else shtmlConfig.onTagAttr = shtmlConfig[BUILD_IN_ON_TAG_ATTR];
-	}
-	return xss(val, shtmlConfig);
+import xss from 'xss';
+import { isSafeDomain, getFromUrl } from "../utils.js";
+const BUILD_IN_ON_TAG_ATTR = Symbol('buildInOnTagAttr');
+// default rule: https://github.com/leizongmin/js-xss/blob/master/lib/default.js
+// add domain filter based on xss module
+// custom options http://jsxss.com/zh/options.html
+// eg: support a tag，filter attributes except for title : whiteList: {a: ['title']}
+export default function shtml(val) {
+    if (typeof val !== 'string') {
+        return val;
+    }
+    const securityOptions = this.ctx.securityOptions;
+    const shtmlConfig = {
+        ...this.app.config.helper.shtml,
+        ...securityOptions.shtml,
+        [BUILD_IN_ON_TAG_ATTR]: undefined,
+    };
+    const domainWhiteList = this.app.config.security.domainWhiteList;
+    const app = this.app;
+    // filter href and src attribute if not in domain white list
+    if (!shtmlConfig[BUILD_IN_ON_TAG_ATTR]) {
+        shtmlConfig[BUILD_IN_ON_TAG_ATTR] = (_tag, name, value, isWhiteAttr) => {
+            if (isWhiteAttr && (name === 'href' || name === 'src')) {
+                if (!value) {
+                    return;
+                }
+                value = String(value);
+                if (value[0] === '/' || value[0] === '#') {
+                    return;
+                }
+                const hostname = getFromUrl(value, 'hostname');
+                if (!hostname) {
+                    return;
+                }
+                // If we don't have our hostname in the app.security.domainWhiteList,
+                // Just check for `shtmlConfig.domainWhiteList` and `ctx.whiteList`.
+                if (!isSafeDomain(hostname, domainWhiteList)) {
+                    // Check for `shtmlConfig.domainWhiteList` first (duplicated now)
+                    if (shtmlConfig.domainWhiteList && shtmlConfig.domainWhiteList.length > 0) {
+                        app.deprecate('[@eggjs/security/lib/helper/shtml] `config.helper.shtml.domainWhiteList` has been deprecate. Please use `config.security.domainWhiteList` instead.');
+                        if (!isSafeDomain(hostname, shtmlConfig.domainWhiteList)) {
+                            return '';
+                        }
+                    }
+                    else {
+                        return '';
+                    }
+                }
+            }
+        };
+        // avoid overriding user configuration 'onTagAttr'
+        if (shtmlConfig.onTagAttr) {
+            const customOnTagAttrHandler = shtmlConfig.onTagAttr;
+            shtmlConfig.onTagAttr = function (tag, name, value, isWhiteAttr) {
+                const result = customOnTagAttrHandler.apply(this, [tag, name, value, isWhiteAttr]);
+                if (result !== undefined) {
+                    return result;
+                }
+                // fallback to build-in handler
+                return shtmlConfig[BUILD_IN_ON_TAG_ATTR].apply(this, [tag, name, value, isWhiteAttr]);
+            };
+        }
+        else {
+            shtmlConfig.onTagAttr = shtmlConfig[BUILD_IN_ON_TAG_ATTR];
+        }
+    }
+    return xss(val, shtmlConfig);
 }
-
-//#endregion
-export { shtml as default };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2h0bWwuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL2hlbHBlci9zaHRtbC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFDQSxPQUFPLEdBQUcsTUFBTSxLQUFLLENBQUM7QUFFdEIsT0FBTyxFQUFFLFlBQVksRUFBRSxVQUFVLEVBQUUsTUFBTSxhQUFhLENBQUM7QUFHdkQsTUFBTSxvQkFBb0IsR0FBRyxNQUFNLENBQUMsa0JBQWtCLENBQUMsQ0FBQztBQUV4RCxnRkFBZ0Y7QUFDaEYsd0NBQXdDO0FBQ3hDLGtEQUFrRDtBQUNsRCxtRkFBbUY7QUFDbkYsTUFBTSxDQUFDLE9BQU8sVUFBVSxLQUFLLENBQXlCLEdBQVc7SUFDL0QsSUFBSSxPQUFPLEdBQUcsS0FBSyxRQUFRLEVBQUUsQ0FBQztRQUM1QixPQUFPLEdBQUcsQ0FBQztJQUNiLENBQUM7SUFFRCxNQUFNLGVBQWUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLGVBQWUsQ0FBQztJQUNqRCxNQUFNLFdBQVcsR0FBRztRQUNsQixHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyxLQUFLO1FBQy9CLEdBQUcsZUFBZSxDQUFDLEtBQUs7UUFDeEIsQ0FBQyxvQkFBb0IsQ0FBQyxFQUFFLFNBQXVEO0tBQ2hGLENBQUM7SUFDRixNQUFNLGVBQWUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsZUFBZSxDQUFDO0lBQ2pFLE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUM7SUFDckIsNERBQTREO0lBQzVELElBQUksQ0FBQyxXQUFXLENBQUMsb0JBQW9CLENBQUMsRUFBRSxDQUFDO1FBQ3ZDLFdBQVcsQ0FBQyxvQkFBb0IsQ0FBQyxHQUFHLENBQUMsSUFBSSxFQUFFLElBQUksRUFBRSxLQUFLLEVBQUUsV0FBVyxFQUFFLEVBQUU7WUFDckUsSUFBSSxXQUFXLElBQUksQ0FBQyxJQUFJLEtBQUssTUFBTSxJQUFJLElBQUksS0FBSyxLQUFLLENBQUMsRUFBRSxDQUFDO2dCQUN2RCxJQUFJLENBQUMsS0FBSyxFQUFFLENBQUM7b0JBQ1gsT0FBTztnQkFDVCxDQUFDO2dCQUVELEtBQUssR0FBRyxNQUFNLENBQUMsS0FBSyxDQUFDLENBQUM7Z0JBQ3RCLElBQUksS0FBSyxDQUFDLENBQUMsQ0FBQyxLQUFLLEdBQUcsSUFBSSxLQUFLLENBQUMsQ0FBQyxDQUFDLEtBQUssR0FBRyxFQUFFLENBQUM7b0JBQ3pDLE9BQU87Z0JBQ1QsQ0FBQztnQkFFRCxNQUFNLFFBQVEsR0FBRyxVQUFVLENBQUMsS0FBSyxFQUFFLFVBQVUsQ0FBQyxDQUFDO2dCQUMvQyxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUM7b0JBQ2QsT0FBTztnQkFDVCxDQUFDO2dCQUVELHFFQUFxRTtnQkFDckUsb0VBQW9FO2dCQUNwRSxJQUFJLENBQUMsWUFBWSxDQUFDLFFBQVEsRUFBRSxlQUFlLENBQUMsRUFBRSxDQUFDO29CQUM3QyxpRUFBaUU7b0JBQ2pFLElBQUksV0FBVyxDQUFDLGVBQWUsSUFBSSxXQUFXLENBQUMsZUFBZSxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQzt3QkFDMUUsR0FBRyxDQUFDLFNBQVMsQ0FDWCxvSkFBb0osQ0FDckosQ0FBQzt3QkFDRixJQUFJLENBQUMsWUFBWSxDQUFDLFFBQVEsRUFBRSxXQUFXLENBQUMsZUFBZSxDQUFDLEVBQUUsQ0FBQzs0QkFDekQsT0FBTyxFQUFFLENBQUM7d0JBQ1osQ0FBQztvQkFDSCxDQUFDO3lCQUFNLENBQUM7d0JBQ04sT0FBTyxFQUFFLENBQUM7b0JBQ1osQ0FBQztnQkFDSCxDQUFDO1lBQ0gsQ0FBQztRQUNILENBQUMsQ0FBQztRQUVGLGtEQUFrRDtRQUNsRCxJQUFJLFdBQVcsQ0FBQyxTQUFTLEVBQUUsQ0FBQztZQUMxQixNQUFNLHNCQUFzQixHQUFHLFdBQVcsQ0FBQyxTQUFTLENBQUM7WUFDckQsV0FBVyxDQUFDLFNBQVMsR0FBRyxVQUFVLEdBQUcsRUFBRSxJQUFJLEVBQUUsS0FBSyxFQUFFLFdBQVc7Z0JBQzdELE1BQU0sTUFBTSxHQUFHLHNCQUFzQixDQUFDLEtBQUssQ0FBQyxJQUFJLEVBQUUsQ0FBQyxHQUFHLEVBQUUsSUFBSSxFQUFFLEtBQUssRUFBRSxXQUFXLENBQUMsQ0FBQyxDQUFDO2dCQUNuRixJQUFJLE1BQU0sS0FBSyxTQUFTLEVBQUUsQ0FBQztvQkFDekIsT0FBTyxNQUFNLENBQUM7Z0JBQ2hCLENBQUM7Z0JBQ0QsK0JBQStCO2dCQUMvQixPQUFPLFdBQVcsQ0FBQyxvQkFBb0IsQ0FBRSxDQUFDLEtBQUssQ0FBQyxJQUFJLEVBQUUsQ0FBQyxHQUFHLEVBQUUsSUFBSSxFQUFFLEtBQUssRUFBRSxXQUFXLENBQUMsQ0FBQyxDQUFDO1lBQ3pGLENBQUMsQ0FBQztRQUNKLENBQUM7YUFBTSxDQUFDO1lBQ04sV0FBVyxDQUFDLFNBQVMsR0FBRyxXQUFXLENBQUMsb0JBQW9CLENBQUMsQ0FBQztRQUM1RCxDQUFDO0lBQ0gsQ0FBQztJQUVELE9BQU8sR0FBRyxDQUFDLEdBQUcsRUFBRSxXQUFXLENBQUMsQ0FBQztBQUMvQixDQUFDIn0=

package/dist/lib/helper/sjs.d.ts

@@ -1,7 +1,4 @@
-//#region src/lib/helper/sjs.d.ts
 /**
  * Escape JavaScript to \xHH format
  */
-declare function escapeJavaScript(text: string): string;
-//#endregion
-export { escapeJavaScript as default };
+export default function escapeJavaScript(text: string): string;

package/dist/lib/helper/sjs.js

@@ -1,36 +1,49 @@
-//#region src/lib/helper/sjs.ts
 /**
-* Escape JavaScript to \xHH format
-*/
+ * Escape JavaScript to \xHH format
+ */
+// escape \x00-\x7f
+// except 0-9,A-Z,a-z(\x2f-\x3a \x40-\x5b \x60-\x7b)
+// eslint-disable-next-line
 const MATCH_VULNERABLE_REGEXP = /[\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f]/;
-const BASIC_ALPHABETS = new Set("abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ".split(""));
+// eslint-enable-next-line
+const BASIC_ALPHABETS = new Set('abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ'.split(''));
 const map = {
-	"	": "\\t",
-	"\n": "\\n",
-	"\r": "\\r"
+    '\t': '\\t',
+    '\n': '\\n',
+    '\r': '\\r',
 };
-function escapeJavaScript(text) {
-	const str = "" + text;
-	const match = MATCH_VULNERABLE_REGEXP.exec(str);
-	if (!match) return str;
-	let res = "";
-	let index = 0;
-	let lastIndex = 0;
-	let ascii;
-	for (index = match.index; index < str.length; index++) {
-		ascii = str[index];
-		if (BASIC_ALPHABETS.has(ascii)) continue;
-		else if (map[ascii] === void 0) {
-			const code = ascii.charCodeAt(0);
-			if (code > 127) continue;
-			else map[ascii] = "\\x" + code.toString(16);
-		}
-		if (lastIndex !== index) res += str.substring(lastIndex, index);
-		lastIndex = index + 1;
-		res += map[ascii];
-	}
-	return lastIndex !== index ? res + str.substring(lastIndex, index) : res;
+export default function escapeJavaScript(text) {
+    const str = '' + text;
+    const match = MATCH_VULNERABLE_REGEXP.exec(str);
+    if (!match) {
+        return str;
+    }
+    let res = '';
+    let index = 0;
+    let lastIndex = 0;
+    let ascii;
+    for (index = match.index; index < str.length; index++) {
+        ascii = str[index];
+        if (BASIC_ALPHABETS.has(ascii)) {
+            continue;
+        }
+        else {
+            if (map[ascii] === undefined) {
+                const code = ascii.charCodeAt(0);
+                if (code > 127) {
+                    continue;
+                }
+                else {
+                    map[ascii] = '\\x' + code.toString(16);
+                }
+            }
+        }
+        if (lastIndex !== index) {
+            res += str.substring(lastIndex, index);
+        }
+        lastIndex = index + 1;
+        res += map[ascii];
+    }
+    return lastIndex !== index ? res + str.substring(lastIndex, index) : res;
 }
-
-//#endregion
-export { escapeJavaScript as default };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2pzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2xpYi9oZWxwZXIvc2pzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOztHQUVHO0FBRUgsbUJBQW1CO0FBQ25CLG9EQUFvRDtBQUVwRCwyQkFBMkI7QUFDM0IsTUFBTSx1QkFBdUIsR0FBRyx3Q0FBd0MsQ0FBQztBQUN6RSwwQkFBMEI7QUFFMUIsTUFBTSxlQUFlLEdBQUcsSUFBSSxHQUFHLENBQUMsZ0VBQWdFLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUM7QUFFNUcsTUFBTSxHQUFHLEdBQTJCO0lBQ2xDLElBQUksRUFBRSxLQUFLO0lBQ1gsSUFBSSxFQUFFLEtBQUs7SUFDWCxJQUFJLEVBQUUsS0FBSztDQUNaLENBQUM7QUFFRixNQUFNLENBQUMsT0FBTyxVQUFVLGdCQUFnQixDQUFDLElBQVk7SUFDbkQsTUFBTSxHQUFHLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQztJQUN0QixNQUFNLEtBQUssR0FBRyx1QkFBdUIsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUM7SUFFaEQsSUFBSSxDQUFDLEtBQUssRUFBRSxDQUFDO1FBQ1gsT0FBTyxHQUFHLENBQUM7SUFDYixDQUFDO0lBRUQsSUFBSSxHQUFHLEdBQUcsRUFBRSxDQUFDO0lBQ2IsSUFBSSxLQUFLLEdBQUcsQ0FBQyxDQUFDO0lBQ2QsSUFBSSxTQUFTLEdBQUcsQ0FBQyxDQUFDO0lBQ2xCLElBQUksS0FBSyxDQUFDO0lBRVYsS0FBSyxLQUFLLEdBQUcsS0FBSyxDQUFDLEtBQUssRUFBRSxLQUFLLEdBQUcsR0FBRyxDQUFDLE1BQU0sRUFBRSxLQUFLLEVBQUUsRUFBRSxDQUFDO1FBQ3RELEtBQUssR0FBRyxHQUFHLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDbkIsSUFBSSxlQUFlLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDL0IsU0FBUztRQUNYLENBQUM7YUFBTSxDQUFDO1lBQ04sSUFBSSxHQUFHLENBQUMsS0FBSyxDQUFDLEtBQUssU0FBUyxFQUFFLENBQUM7Z0JBQzdCLE1BQU0sSUFBSSxHQUFHLEtBQUssQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUM7Z0JBQ2pDLElBQUksSUFBSSxHQUFHLEdBQUcsRUFBRSxDQUFDO29CQUNmLFNBQVM7Z0JBQ1gsQ0FBQztxQkFBTSxDQUFDO29CQUNOLEdBQUcsQ0FBQyxLQUFLLENBQUMsR0FBRyxLQUFLLEdBQUcsSUFBSSxDQUFDLFFBQVEsQ0FBQyxFQUFFLENBQUMsQ0FBQztnQkFDekMsQ0FBQztZQUNILENBQUM7UUFDSCxDQUFDO1FBRUQsSUFBSSxTQUFTLEtBQUssS0FBSyxFQUFFLENBQUM7WUFDeEIsR0FBRyxJQUFJLEdBQUcsQ0FBQyxTQUFTLENBQUMsU0FBUyxFQUFFLEtBQUssQ0FBQyxDQUFDO1FBQ3pDLENBQUM7UUFFRCxTQUFTLEdBQUcsS0FBSyxHQUFHLENBQUMsQ0FBQztRQUN0QixHQUFHLElBQUksR0FBRyxDQUFDLEtBQUssQ0FBQyxDQUFDO0lBQ3BCLENBQUM7SUFFRCxPQUFPLFNBQVMsS0FBSyxLQUFLLENBQUMsQ0FBQyxDQUFDLEdBQUcsR0FBRyxHQUFHLENBQUMsU0FBUyxDQUFDLFNBQVMsRUFBRSxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUMsR0FBRyxDQUFDO0FBQzNFLENBQUMifQ==

package/dist/lib/helper/sjson.d.ts

@@ -1,4 +1 @@
-//#region src/lib/helper/sjson.d.ts
-declare function jsonEscape(obj: any): string;
-//#endregion
-export { jsonEscape as default };
+export default function jsonEscape(obj: any): string;

package/dist/lib/helper/sjson.js

@@ -1,32 +1,39 @@
-import escapeJavaScript from "./sjs.js";
-
-//#region src/lib/helper/sjson.ts
+import sjs from "./sjs.js";
 /**
-* escape json
-* for output json in script
-*/
+ * escape json
+ * for output json in script
+ */
 function sanitizeKey(obj) {
-	if (typeof obj !== "object") return obj;
-	if (Array.isArray(obj)) return obj;
-	if (obj === null) return null;
-	if (typeof obj === "boolean") return obj;
-	if (typeof obj === "number") return obj;
-	if (Buffer.isBuffer(obj)) return obj.toString();
-	for (const k in obj) {
-		const escapedK = escapeJavaScript(k);
-		if (escapedK !== k) {
-			obj[escapedK] = sanitizeKey(obj[k]);
-			obj[k] = void 0;
-		} else obj[k] = sanitizeKey(obj[k]);
-	}
-	return obj;
+    if (typeof obj !== 'object')
+        return obj;
+    if (Array.isArray(obj))
+        return obj;
+    if (obj === null)
+        return null;
+    if (typeof obj === 'boolean')
+        return obj;
+    if (typeof obj === 'number')
+        return obj;
+    if (Buffer.isBuffer(obj))
+        return obj.toString();
+    for (const k in obj) {
+        const escapedK = sjs(k);
+        if (escapedK !== k) {
+            obj[escapedK] = sanitizeKey(obj[k]);
+            obj[k] = undefined;
+        }
+        else {
+            obj[k] = sanitizeKey(obj[k]);
+        }
+    }
+    return obj;
 }
-function jsonEscape(obj) {
-	return JSON.stringify(sanitizeKey(obj), (_k, v) => {
-		if (typeof v === "string") return escapeJavaScript(v);
-		return v;
-	});
+export default function jsonEscape(obj) {
+    return JSON.stringify(sanitizeKey(obj), (_k, v) => {
+        if (typeof v === 'string') {
+            return sjs(v);
+        }
+        return v;
+    });
 }
-
-//#endregion
-export { jsonEscape as default };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2pzb24uanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL2hlbHBlci9zanNvbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEdBQUcsTUFBTSxVQUFVLENBQUM7QUFFM0I7OztHQUdHO0FBRUgsU0FBUyxXQUFXLENBQUMsR0FBUTtJQUMzQixJQUFJLE9BQU8sR0FBRyxLQUFLLFFBQVE7UUFBRSxPQUFPLEdBQUcsQ0FBQztJQUN4QyxJQUFJLEtBQUssQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDO1FBQUUsT0FBTyxHQUFHLENBQUM7SUFDbkMsSUFBSSxHQUFHLEtBQUssSUFBSTtRQUFFLE9BQU8sSUFBSSxDQUFDO0lBQzlCLElBQUksT0FBTyxHQUFHLEtBQUssU0FBUztRQUFFLE9BQU8sR0FBRyxDQUFDO0lBQ3pDLElBQUksT0FBTyxHQUFHLEtBQUssUUFBUTtRQUFFLE9BQU8sR0FBRyxDQUFDO0lBQ3hDLElBQUksTUFBTSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUM7UUFBRSxPQUFPLEdBQUcsQ0FBQyxRQUFRLEVBQUUsQ0FBQztJQUVoRCxLQUFLLE1BQU0sQ0FBQyxJQUFJLEdBQUcsRUFBRSxDQUFDO1FBQ3BCLE1BQU0sUUFBUSxHQUFHLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUN4QixJQUFJLFFBQVEsS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUNuQixHQUFHLENBQUMsUUFBUSxDQUFDLEdBQUcsV0FBVyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1lBQ3BDLEdBQUcsQ0FBQyxDQUFDLENBQUMsR0FBRyxTQUFTLENBQUM7UUFDckIsQ0FBQzthQUFNLENBQUM7WUFDTixHQUFHLENBQUMsQ0FBQyxDQUFDLEdBQUcsV0FBVyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQy9CLENBQUM7SUFDSCxDQUFDO0lBQ0QsT0FBTyxHQUFHLENBQUM7QUFDYixDQUFDO0FBRUQsTUFBTSxDQUFDLE9BQU8sVUFBVSxVQUFVLENBQUMsR0FBUTtJQUN6QyxPQUFPLElBQUksQ0FBQyxTQUFTLENBQUMsV0FBVyxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsRUFBRSxFQUFFLENBQUMsRUFBRSxFQUFFO1FBQ2hELElBQUksT0FBTyxDQUFDLEtBQUssUUFBUSxFQUFFLENBQUM7WUFDMUIsT0FBTyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDaEIsQ0FBQztRQUNELE9BQU8sQ0FBQyxDQUFDO0lBQ1gsQ0FBQyxDQUFDLENBQUM7QUFDTCxDQUFDIn0=

package/dist/lib/helper/spath.d.ts

@@ -1,7 +1,5 @@
-import { BaseContextClass } from "egg";
-
-//#region src/lib/helper/spath.d.ts
-
-declare function pathFilter(this: BaseContextClass, path: string): string | null;
-//#endregion
-export { pathFilter as default };
+/**
+ * File Inclusion
+ */
+import type { BaseContextClass } from 'egg';
+export default function pathFilter(this: BaseContextClass, path: string): string | null;

package/dist/lib/helper/spath.js

@@ -1,16 +1,25 @@
-//#region src/lib/helper/spath.ts
-function pathFilter(path) {
-	if (typeof path !== "string") return path;
-	const pathSource = path;
-	while (path.indexOf("%") !== -1) try {
-		path = decodeURIComponent(path);
-	} catch {
-		if (process.env.NODE_ENV !== "production") this.ctx.coreLogger.warn("[@eggjs/security/lib/helper/spath] : decode file path %j failed.", path);
-		break;
-	}
-	if (path.indexOf("..") !== -1 || path[0] === "/") return null;
-	return pathSource;
+/**
+ * File Inclusion
+ */
+export default function pathFilter(path) {
+    if (typeof path !== 'string')
+        return path;
+    const pathSource = path;
+    while (path.indexOf('%') !== -1) {
+        try {
+            path = decodeURIComponent(path);
+        }
+        catch {
+            if (process.env.NODE_ENV !== 'production') {
+                // Not a PROD env, logging with a warning.
+                this.ctx.coreLogger.warn('[@eggjs/security/lib/helper/spath] : decode file path %j failed.', path);
+            }
+            break;
+        }
+    }
+    if (path.indexOf('..') !== -1 || path[0] === '/') {
+        return null;
+    }
+    return pathSource;
 }
-
-//#endregion
-export { pathFilter as default };
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic3BhdGguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL2hlbHBlci9zcGF0aC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQTs7R0FFRztBQUlILE1BQU0sQ0FBQyxPQUFPLFVBQVUsVUFBVSxDQUF5QixJQUFZO0lBQ3JFLElBQUksT0FBTyxJQUFJLEtBQUssUUFBUTtRQUFFLE9BQU8sSUFBSSxDQUFDO0lBRTFDLE1BQU0sVUFBVSxHQUFHLElBQUksQ0FBQztJQUV4QixPQUFPLElBQUksQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxDQUFDLEVBQUUsQ0FBQztRQUNoQyxJQUFJLENBQUM7WUFDSCxJQUFJLEdBQUcsa0JBQWtCLENBQUMsSUFBSSxDQUFDLENBQUM7UUFDbEMsQ0FBQztRQUFDLE1BQU0sQ0FBQztZQUNQLElBQUksT0FBTyxDQUFDLEdBQUcsQ0FBQyxRQUFRLEtBQUssWUFBWSxFQUFFLENBQUM7Z0JBQzFDLDBDQUEwQztnQkFDMUMsSUFBSSxDQUFDLEdBQUcsQ0FBQyxVQUFVLENBQUMsSUFBSSxDQUFDLGtFQUFrRSxFQUFFLElBQUksQ0FBQyxDQUFDO1lBQ3JHLENBQUM7WUFDRCxNQUFNO1FBQ1IsQ0FBQztJQUNILENBQUM7SUFDRCxJQUFJLElBQUksQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLEtBQUssQ0FBQyxDQUFDLElBQUksSUFBSSxDQUFDLENBQUMsQ0FBQyxLQUFLLEdBQUcsRUFBRSxDQUFDO1FBQ2pELE9BQU8sSUFBSSxDQUFDO0lBQ2QsQ0FBQztJQUNELE9BQU8sVUFBVSxDQUFDO0FBQ3BCLENBQUMifQ==

package/dist/lib/helper/surl.d.ts

@@ -1,6 +1,2 @@
-import { BaseContextClass } from "egg";
-
-//#region src/lib/helper/surl.d.ts
-declare function surl(this: BaseContextClass, val: string): string;
-//#endregion
-export { surl as default };
+import type { BaseContextClass } from 'egg';
+export default function surl(this: BaseContextClass, val: string): string;