@eggjs/security 5.0.0-beta.35 → 5.0.0-beta.36

package/dist/lib/extend/safe_curl.d.ts

@@ -1,16 +1,19 @@
-import type { EggApplicationCore } from 'egg';
-import type { SSRFCheckAddressFunction } from '../../config/config.default.ts';
-type HttpClient = EggApplicationCore['HttpClient'];
-type HttpClientParameters = Parameters<HttpClient['prototype']['request']>;
-export type HttpClientRequestURL = HttpClientParameters[0];
-export type HttpClientOptions = HttpClientParameters[1] & {
-    checkAddress?: SSRFCheckAddressFunction;
+import { SSRFCheckAddressFunction } from "../../config/config.default.js";
+import { EggApplicationCore } from "egg";
+
+//#region src/lib/extend/safe_curl.d.ts
+type HttpClient = EggApplicationCore["HttpClient"];
+type HttpClientParameters = Parameters<HttpClient["prototype"]["request"]>;
+type HttpClientRequestURL = HttpClientParameters[0];
+type HttpClientOptions = HttpClientParameters[1] & {
+  checkAddress?: SSRFCheckAddressFunction;
 };
-export type HttpClientResponse<T = any> = Awaited<ReturnType<HttpClient['prototype']['request']>> & {
-    data: T;
+type HttpClientResponse<T = any> = Awaited<ReturnType<HttpClient["prototype"]["request"]>> & {
+  data: T;
 };
 /**
- * safe curl with ssrf protection
- */
-export declare function safeCurlForApplication<T = any>(app: EggApplicationCore, url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
-export {};
+* safe curl with ssrf protection
+*/
+declare function safeCurlForApplication<T = any>(app: EggApplicationCore, url: HttpClientRequestURL, options?: HttpClientOptions): Promise<HttpClientResponse<T>>;
+//#endregion
+export { HttpClientOptions, HttpClientRequestURL, HttpClientResponse, safeCurlForApplication };

package/dist/lib/extend/safe_curl.js

@@ -1,25 +1,19 @@
-const SSRF_HTTPCLIENT = Symbol('SSRF_HTTPCLIENT');
+//#region src/lib/extend/safe_curl.ts
+const SSRF_HTTPCLIENT = Symbol("SSRF_HTTPCLIENT");
 /**
- * safe curl with ssrf protection
- */
-export async function safeCurlForApplication(app, url, options = {}) {
-    const ssrfConfig = app.config.security.ssrf;
-    if (ssrfConfig?.checkAddress) {
-        options.checkAddress = ssrfConfig.checkAddress;
-    }
-    else {
-        app.logger.warn('[@eggjs/security] please configure `config.security.ssrf` first');
-    }
-    if (ssrfConfig?.checkAddress) {
-        let httpClient = app[SSRF_HTTPCLIENT];
-        // use the new httpClient init with checkAddress
-        if (!httpClient) {
-            httpClient = app[SSRF_HTTPCLIENT] = app.createHttpClient({
-                checkAddress: ssrfConfig.checkAddress,
-            });
-        }
-        return await httpClient.request(url, options);
-    }
-    return await app.curl(url, options);
+* safe curl with ssrf protection
+*/
+async function safeCurlForApplication(app, url, options = {}) {
+	const ssrfConfig = app.config.security.ssrf;
+	if (ssrfConfig?.checkAddress) options.checkAddress = ssrfConfig.checkAddress;
+	else app.logger.warn("[@eggjs/security] please configure `config.security.ssrf` first");
+	if (ssrfConfig?.checkAddress) {
+		let httpClient = app[SSRF_HTTPCLIENT];
+		if (!httpClient) httpClient = app[SSRF_HTTPCLIENT] = app.createHttpClient({ checkAddress: ssrfConfig.checkAddress });
+		return await httpClient.request(url, options);
+	}
+	return await app.curl(url, options);
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2FmZV9jdXJsLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2xpYi9leHRlbmQvc2FmZV9jdXJsLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUlBLE1BQU0sZUFBZSxHQUFHLE1BQU0sQ0FBQyxpQkFBaUIsQ0FBQyxDQUFDO0FBVWxEOztHQUVHO0FBQ0gsTUFBTSxDQUFDLEtBQUssVUFBVSxzQkFBc0IsQ0FDMUMsR0FBdUIsRUFDdkIsR0FBeUIsRUFDekIsVUFBNkIsRUFBRTtJQUUvQixNQUFNLFVBQVUsR0FBRyxHQUFHLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxJQUFJLENBQUM7SUFDNUMsSUFBSSxVQUFVLEVBQUUsWUFBWSxFQUFFLENBQUM7UUFDN0IsT0FBTyxDQUFDLFlBQVksR0FBRyxVQUFVLENBQUMsWUFBWSxDQUFDO0lBQ2pELENBQUM7U0FBTSxDQUFDO1FBQ04sR0FBRyxDQUFDLE1BQU0sQ0FBQyxJQUFJLENBQUMsaUVBQWlFLENBQUMsQ0FBQztJQUNyRixDQUFDO0lBRUQsSUFBSSxVQUFVLEVBQUUsWUFBWSxFQUFFLENBQUM7UUFDN0IsSUFBSSxVQUFVLEdBQUcsR0FBRyxDQUFDLGVBQWUsQ0FBdUQsQ0FBQztRQUM1RixnREFBZ0Q7UUFDaEQsSUFBSSxDQUFDLFVBQVUsRUFBRSxDQUFDO1lBQ2hCLFVBQVUsR0FBRyxHQUFHLENBQUMsZUFBZSxDQUFDLEdBQUcsR0FBRyxDQUFDLGdCQUFnQixDQUFDO2dCQUN2RCxZQUFZLEVBQUUsVUFBVSxDQUFDLFlBQVk7YUFDdEMsQ0FBQyxDQUFDO1FBQ0wsQ0FBQztRQUNELE9BQU8sTUFBTSxVQUFVLENBQUMsT0FBTyxDQUFJLEdBQUcsRUFBRSxPQUFPLENBQUMsQ0FBQztJQUNuRCxDQUFDO0lBRUQsT0FBTyxNQUFNLEdBQUcsQ0FBQyxJQUFJLENBQUksR0FBRyxFQUFFLE9BQU8sQ0FBQyxDQUFDO0FBQ3pDLENBQUMifQ==
+
+//#endregion
+export { safeCurlForApplication };

package/dist/lib/helper/cliFilter.d.ts

@@ -1,4 +1,4 @@
-/**
- * remote command execution
- */
-export default function cliFilter(text: string): string;
+//#region src/lib/helper/cliFilter.d.ts
+declare function cliFilter(text: string): string;
+//#endregion
+export { cliFilter as default };

package/dist/lib/helper/cliFilter.js

@@ -1,17 +1,18 @@
+//#region src/lib/helper/cliFilter.ts
 /**
- * remote command execution
- */
-const BASIC_ALPHABETS = new Set('abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ.-_'.split(''));
-export default function cliFilter(text) {
-    const str = '' + text;
-    let res = '';
-    let ascii;
-    for (let index = 0; index < str.length; index++) {
-        ascii = str[index];
-        if (BASIC_ALPHABETS.has(ascii)) {
-            res += ascii;
-        }
-    }
-    return res;
+* remote command execution
+*/
+const BASIC_ALPHABETS = new Set("abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ.-_".split(""));
+function cliFilter(text) {
+	const str = "" + text;
+	let res = "";
+	let ascii;
+	for (let index = 0; index < str.length; index++) {
+		ascii = str[index];
+		if (BASIC_ALPHABETS.has(ascii)) res += ascii;
+	}
+	return res;
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiY2xpRmlsdGVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2xpYi9oZWxwZXIvY2xpRmlsdGVyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOztHQUVHO0FBRUgsTUFBTSxlQUFlLEdBQUcsSUFBSSxHQUFHLENBQUMsbUVBQW1FLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUM7QUFFL0csTUFBTSxDQUFDLE9BQU8sVUFBVSxTQUFTLENBQUMsSUFBWTtJQUM1QyxNQUFNLEdBQUcsR0FBRyxFQUFFLEdBQUcsSUFBSSxDQUFDO0lBQ3RCLElBQUksR0FBRyxHQUFHLEVBQUUsQ0FBQztJQUNiLElBQUksS0FBSyxDQUFDO0lBRVYsS0FBSyxJQUFJLEtBQUssR0FBRyxDQUFDLEVBQUUsS0FBSyxHQUFHLEdBQUcsQ0FBQyxNQUFNLEVBQUUsS0FBSyxFQUFFLEVBQUUsQ0FBQztRQUNoRCxLQUFLLEdBQUcsR0FBRyxDQUFDLEtBQUssQ0FBQyxDQUFDO1FBQ25CLElBQUksZUFBZSxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDO1lBQy9CLEdBQUcsSUFBSSxLQUFLLENBQUM7UUFDZixDQUFDO0lBQ0gsQ0FBQztJQUVELE9BQU8sR0FBRyxDQUFDO0FBQ2IsQ0FBQyJ9
+
+//#endregion
+export { cliFilter as default };

package/dist/lib/helper/escape.d.ts

@@ -1,2 +1,2 @@
-import escapeHTML from 'escape-html';
-export default escapeHTML;
+import escapeHTML from "escape-html";
+export { escapeHTML as default };

package/dist/lib/helper/escape.js

@@ -1,3 +1,7 @@
-import escapeHTML from 'escape-html';
-export default escapeHTML;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXNjYXBlLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2xpYi9oZWxwZXIvZXNjYXBlLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sVUFBVSxNQUFNLGFBQWEsQ0FBQztBQUVyQyxlQUFlLFVBQVUsQ0FBQyJ9
+import escapeHTML from "escape-html";
+
+//#region src/lib/helper/escape.ts
+var escape_default = escapeHTML;
+
+//#endregion
+export { escape_default as default };

package/dist/lib/helper/escapeShellArg.d.ts

@@ -1 +1,4 @@
-export default function escapeShellArg(text: string): string;
+//#region src/lib/helper/escapeShellArg.d.ts
+declare function escapeShellArg(text: string): string;
+//#endregion
+export { escapeShellArg as default };

package/dist/lib/helper/escapeShellArg.js

@@ -1,5 +1,7 @@
-export default function escapeShellArg(text) {
-    const str = '' + text;
-    return "'" + str.replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
+//#region src/lib/helper/escapeShellArg.ts
+function escapeShellArg(text) {
+	return "'" + ("" + text).replace(/\\/g, "\\\\").replace(/'/g, "\\'") + "'";
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXNjYXBlU2hlbGxBcmcuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL2hlbHBlci9lc2NhcGVTaGVsbEFyZy50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxNQUFNLENBQUMsT0FBTyxVQUFVLGNBQWMsQ0FBQyxJQUFZO0lBQ2pELE1BQU0sR0FBRyxHQUFHLEVBQUUsR0FBRyxJQUFJLENBQUM7SUFDdEIsT0FBTyxHQUFHLEdBQUcsR0FBRyxDQUFDLE9BQU8sQ0FBQyxLQUFLLEVBQUUsTUFBTSxDQUFDLENBQUMsT0FBTyxDQUFDLElBQUksRUFBRSxLQUFLLENBQUMsR0FBRyxHQUFHLENBQUM7QUFDckUsQ0FBQyJ9
+
+//#endregion
+export { escapeShellArg as default };

package/dist/lib/helper/escapeShellCmd.d.ts

@@ -1 +1,4 @@
-export default function escapeShellCmd(text: string): string;
+//#region src/lib/helper/escapeShellCmd.d.ts
+declare function escapeShellCmd(text: string): string;
+//#endregion
+export { escapeShellCmd as default };

package/dist/lib/helper/escapeShellCmd.js

@@ -1,14 +1,15 @@
-const BASIC_ALPHABETS = new Set('#&;`|*?~<>^()[]{}$;\'",\x0A\xFF'.split(''));
-export default function escapeShellCmd(text) {
-    const str = '' + text;
-    let res = '';
-    let ascii;
-    for (let index = 0; index < str.length; index++) {
-        ascii = str[index];
-        if (!BASIC_ALPHABETS.has(ascii)) {
-            res += ascii;
-        }
-    }
-    return res;
+//#region src/lib/helper/escapeShellCmd.ts
+const BASIC_ALPHABETS = new Set("#&;`|*?~<>^()[]{}$;'\",\nÿ".split(""));
+function escapeShellCmd(text) {
+	const str = "" + text;
+	let res = "";
+	let ascii;
+	for (let index = 0; index < str.length; index++) {
+		ascii = str[index];
+		if (!BASIC_ALPHABETS.has(ascii)) res += ascii;
+	}
+	return res;
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZXNjYXBlU2hlbGxDbWQuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL2hlbHBlci9lc2NhcGVTaGVsbENtZC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxNQUFNLGVBQWUsR0FBRyxJQUFJLEdBQUcsQ0FBQyxpQ0FBaUMsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQztBQUU3RSxNQUFNLENBQUMsT0FBTyxVQUFVLGNBQWMsQ0FBQyxJQUFZO0lBQ2pELE1BQU0sR0FBRyxHQUFHLEVBQUUsR0FBRyxJQUFJLENBQUM7SUFDdEIsSUFBSSxHQUFHLEdBQUcsRUFBRSxDQUFDO0lBQ2IsSUFBSSxLQUFLLENBQUM7SUFFVixLQUFLLElBQUksS0FBSyxHQUFHLENBQUMsRUFBRSxLQUFLLEdBQUcsR0FBRyxDQUFDLE1BQU0sRUFBRSxLQUFLLEVBQUUsRUFBRSxDQUFDO1FBQ2hELEtBQUssR0FBRyxHQUFHLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDbkIsSUFBSSxDQUFDLGVBQWUsQ0FBQyxHQUFHLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUNoQyxHQUFHLElBQUksS0FBSyxDQUFDO1FBQ2YsQ0FBQztJQUNILENBQUM7SUFFRCxPQUFPLEdBQUcsQ0FBQztBQUNiLENBQUMifQ==
+
+//#endregion
+export { escapeShellCmd as default };

package/dist/lib/helper/index.d.ts

@@ -1,21 +1,24 @@
-import cliFilter from './cliFilter.ts';
-import escape from './escape.ts';
-import escapeShellArg from './escapeShellArg.ts';
-import escapeShellCmd from './escapeShellCmd.ts';
-import shtml from './shtml.ts';
-import sjs from './sjs.ts';
-import sjson from './sjson.ts';
-import spath from './spath.ts';
-import surl from './surl.ts';
+import cliFilter from "./cliFilter.js";
+import escapeHTML from "./escape.js";
+import escapeShellArg from "./escapeShellArg.js";
+import escapeShellCmd from "./escapeShellCmd.js";
+import shtml from "./shtml.js";
+import escapeJavaScript from "./sjs.js";
+import jsonEscape from "./sjson.js";
+import pathFilter from "./spath.js";
+import surl from "./surl.js";
+
+//#region src/lib/helper/index.d.ts
 declare const helpers: {
-    cliFilter: typeof cliFilter;
-    escape: typeof escape;
-    escapeShellArg: typeof escapeShellArg;
-    escapeShellCmd: typeof escapeShellCmd;
-    shtml: typeof shtml;
-    sjs: typeof sjs;
-    sjson: typeof sjson;
-    spath: typeof spath;
-    surl: typeof surl;
+  cliFilter: typeof cliFilter;
+  escape: typeof escapeHTML;
+  escapeShellArg: typeof escapeShellArg;
+  escapeShellCmd: typeof escapeShellCmd;
+  shtml: typeof shtml;
+  sjs: typeof escapeJavaScript;
+  sjson: typeof jsonEscape;
+  spath: typeof pathFilter;
+  surl: typeof surl;
 };
-export default helpers;
+//#endregion
+export { helpers as default };

package/dist/lib/helper/index.js

@@ -1,22 +1,26 @@
 import cliFilter from "./cliFilter.js";
-import escape from "./escape.js";
+import escape_default from "./escape.js";
 import escapeShellArg from "./escapeShellArg.js";
 import escapeShellCmd from "./escapeShellCmd.js";
 import shtml from "./shtml.js";
-import sjs from "./sjs.js";
-import sjson from "./sjson.js";
-import spath from "./spath.js";
+import escapeJavaScript from "./sjs.js";
+import jsonEscape from "./sjson.js";
+import pathFilter from "./spath.js";
 import surl from "./surl.js";
+
+//#region src/lib/helper/index.ts
 const helpers = {
-    cliFilter,
-    escape,
-    escapeShellArg,
-    escapeShellCmd,
-    shtml,
-    sjs,
-    sjson,
-    spath,
-    surl,
+	cliFilter,
+	escape: escape_default,
+	escapeShellArg,
+	escapeShellCmd,
+	shtml,
+	sjs: escapeJavaScript,
+	sjson: jsonEscape,
+	spath: pathFilter,
+	surl
 };
-export default helpers;
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL2hlbHBlci9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLFNBQVMsTUFBTSxnQkFBZ0IsQ0FBQztBQUN2QyxPQUFPLE1BQU0sTUFBTSxhQUFhLENBQUM7QUFDakMsT0FBTyxjQUFjLE1BQU0scUJBQXFCLENBQUM7QUFDakQsT0FBTyxjQUFjLE1BQU0scUJBQXFCLENBQUM7QUFDakQsT0FBTyxLQUFLLE1BQU0sWUFBWSxDQUFDO0FBQy9CLE9BQU8sR0FBRyxNQUFNLFVBQVUsQ0FBQztBQUMzQixPQUFPLEtBQUssTUFBTSxZQUFZLENBQUM7QUFDL0IsT0FBTyxLQUFLLE1BQU0sWUFBWSxDQUFDO0FBQy9CLE9BQU8sSUFBSSxNQUFNLFdBQVcsQ0FBQztBQUU3QixNQUFNLE9BQU8sR0FVVDtJQUNGLFNBQVM7SUFDVCxNQUFNO0lBQ04sY0FBYztJQUNkLGNBQWM7SUFDZCxLQUFLO0lBQ0wsR0FBRztJQUNILEtBQUs7SUFDTCxLQUFLO0lBQ0wsSUFBSTtDQUNMLENBQUM7QUFFRixlQUFlLE9BQU8sQ0FBQyJ9
+var helper_default = helpers;
+
+//#endregion
+export { helper_default as default };

package/dist/lib/helper/shtml.d.ts

@@ -1,2 +1,6 @@
-import type { BaseContextClass } from 'egg';
-export default function shtml(this: BaseContextClass, val: string): string;
+import { BaseContextClass } from "egg";
+
+//#region src/lib/helper/shtml.d.ts
+declare function shtml(this: BaseContextClass, val: string): string;
+//#endregion
+export { shtml as default };

package/dist/lib/helper/shtml.js

@@ -1,69 +1,53 @@
-import xss from 'xss';
-import { isSafeDomain, getFromUrl } from "../utils.js";
-const BUILD_IN_ON_TAG_ATTR = Symbol('buildInOnTagAttr');
-// default rule: https://github.com/leizongmin/js-xss/blob/master/lib/default.js
-// add domain filter based on xss module
-// custom options http://jsxss.com/zh/options.html
-// eg: support a tag，filter attributes except for title : whiteList: {a: ['title']}
-export default function shtml(val) {
-    if (typeof val !== 'string') {
-        return val;
-    }
-    const securityOptions = this.ctx.securityOptions;
-    const shtmlConfig = {
-        ...this.app.config.helper.shtml,
-        ...securityOptions.shtml,
-        [BUILD_IN_ON_TAG_ATTR]: undefined,
-    };
-    const domainWhiteList = this.app.config.security.domainWhiteList;
-    const app = this.app;
-    // filter href and src attribute if not in domain white list
-    if (!shtmlConfig[BUILD_IN_ON_TAG_ATTR]) {
-        shtmlConfig[BUILD_IN_ON_TAG_ATTR] = (_tag, name, value, isWhiteAttr) => {
-            if (isWhiteAttr && (name === 'href' || name === 'src')) {
-                if (!value) {
-                    return;
-                }
-                value = String(value);
-                if (value[0] === '/' || value[0] === '#') {
-                    return;
-                }
-                const hostname = getFromUrl(value, 'hostname');
-                if (!hostname) {
-                    return;
-                }
-                // If we don't have our hostname in the app.security.domainWhiteList,
-                // Just check for `shtmlConfig.domainWhiteList` and `ctx.whiteList`.
-                if (!isSafeDomain(hostname, domainWhiteList)) {
-                    // Check for `shtmlConfig.domainWhiteList` first (duplicated now)
-                    if (shtmlConfig.domainWhiteList && shtmlConfig.domainWhiteList.length > 0) {
-                        app.deprecate('[@eggjs/security/lib/helper/shtml] `config.helper.shtml.domainWhiteList` has been deprecate. Please use `config.security.domainWhiteList` instead.');
-                        if (!isSafeDomain(hostname, shtmlConfig.domainWhiteList)) {
-                            return '';
-                        }
-                    }
-                    else {
-                        return '';
-                    }
-                }
-            }
-        };
-        // avoid overriding user configuration 'onTagAttr'
-        if (shtmlConfig.onTagAttr) {
-            const customOnTagAttrHandler = shtmlConfig.onTagAttr;
-            shtmlConfig.onTagAttr = function (tag, name, value, isWhiteAttr) {
-                const result = customOnTagAttrHandler.apply(this, [tag, name, value, isWhiteAttr]);
-                if (result !== undefined) {
-                    return result;
-                }
-                // fallback to build-in handler
-                return shtmlConfig[BUILD_IN_ON_TAG_ATTR].apply(this, [tag, name, value, isWhiteAttr]);
-            };
-        }
-        else {
-            shtmlConfig.onTagAttr = shtmlConfig[BUILD_IN_ON_TAG_ATTR];
-        }
-    }
-    return xss(val, shtmlConfig);
+import { getFromUrl, isSafeDomain } from "../utils.js";
+import xss from "xss";
+
+//#region src/lib/helper/shtml.ts
+const BUILD_IN_ON_TAG_ATTR = Symbol("buildInOnTagAttr");
+function shtml(val) {
+	if (typeof val !== "string") return val;
+	const securityOptions = this.ctx.securityOptions;
+	const shtmlConfig = {
+		...this.app.config.helper.shtml,
+		...securityOptions.shtml,
+		[BUILD_IN_ON_TAG_ATTR]: void 0
+	};
+	const domainWhiteList = this.app.config.security.domainWhiteList;
+	const app = this.app;
+	if (!shtmlConfig[BUILD_IN_ON_TAG_ATTR]) {
+		shtmlConfig[BUILD_IN_ON_TAG_ATTR] = (_tag, name, value, isWhiteAttr) => {
+			if (isWhiteAttr && (name === "href" || name === "src")) {
+				if (!value) return;
+				value = String(value);
+				if (value[0] === "/" || value[0] === "#") return;
+				const hostname = getFromUrl(value, "hostname");
+				if (!hostname) return;
+				if (!isSafeDomain(hostname, domainWhiteList)) if (shtmlConfig.domainWhiteList && shtmlConfig.domainWhiteList.length > 0) {
+					app.deprecate("[@eggjs/security/lib/helper/shtml] `config.helper.shtml.domainWhiteList` has been deprecate. Please use `config.security.domainWhiteList` instead.");
+					if (!isSafeDomain(hostname, shtmlConfig.domainWhiteList)) return "";
+				} else return "";
+			}
+		};
+		if (shtmlConfig.onTagAttr) {
+			const customOnTagAttrHandler = shtmlConfig.onTagAttr;
+			shtmlConfig.onTagAttr = function(tag, name, value, isWhiteAttr) {
+				const result = customOnTagAttrHandler.apply(this, [
+					tag,
+					name,
+					value,
+					isWhiteAttr
+				]);
+				if (result !== void 0) return result;
+				return shtmlConfig[BUILD_IN_ON_TAG_ATTR].apply(this, [
+					tag,
+					name,
+					value,
+					isWhiteAttr
+				]);
+			};
+		} else shtmlConfig.onTagAttr = shtmlConfig[BUILD_IN_ON_TAG_ATTR];
+	}
+	return xss(val, shtmlConfig);
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2h0bWwuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL2hlbHBlci9zaHRtbC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFDQSxPQUFPLEdBQUcsTUFBTSxLQUFLLENBQUM7QUFHdEIsT0FBTyxFQUFFLFlBQVksRUFBRSxVQUFVLEVBQUUsTUFBTSxhQUFhLENBQUM7QUFFdkQsTUFBTSxvQkFBb0IsR0FBRyxNQUFNLENBQUMsa0JBQWtCLENBQUMsQ0FBQztBQUV4RCxnRkFBZ0Y7QUFDaEYsd0NBQXdDO0FBQ3hDLGtEQUFrRDtBQUNsRCxtRkFBbUY7QUFDbkYsTUFBTSxDQUFDLE9BQU8sVUFBVSxLQUFLLENBQXlCLEdBQVc7SUFDL0QsSUFBSSxPQUFPLEdBQUcsS0FBSyxRQUFRLEVBQUUsQ0FBQztRQUM1QixPQUFPLEdBQUcsQ0FBQztJQUNiLENBQUM7SUFFRCxNQUFNLGVBQWUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLGVBQWUsQ0FBQztJQUNqRCxNQUFNLFdBQVcsR0FBRztRQUNsQixHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyxLQUFLO1FBQy9CLEdBQUcsZUFBZSxDQUFDLEtBQUs7UUFDeEIsQ0FBQyxvQkFBb0IsQ0FBQyxFQUFFLFNBQXVEO0tBQ2hGLENBQUM7SUFDRixNQUFNLGVBQWUsR0FBRyxJQUFJLENBQUMsR0FBRyxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsZUFBZSxDQUFDO0lBQ2pFLE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUM7SUFDckIsNERBQTREO0lBQzVELElBQUksQ0FBQyxXQUFXLENBQUMsb0JBQW9CLENBQUMsRUFBRSxDQUFDO1FBQ3ZDLFdBQVcsQ0FBQyxvQkFBb0IsQ0FBQyxHQUFHLENBQ2xDLElBQVksRUFDWixJQUFZLEVBQ1osS0FBYSxFQUNiLFdBQW9CLEVBQ0wsRUFBRTtZQUNqQixJQUFJLFdBQVcsSUFBSSxDQUFDLElBQUksS0FBSyxNQUFNLElBQUksSUFBSSxLQUFLLEtBQUssQ0FBQyxFQUFFLENBQUM7Z0JBQ3ZELElBQUksQ0FBQyxLQUFLLEVBQUUsQ0FBQztvQkFDWCxPQUFPO2dCQUNULENBQUM7Z0JBRUQsS0FBSyxHQUFHLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQztnQkFDdEIsSUFBSSxLQUFLLENBQUMsQ0FBQyxDQUFDLEtBQUssR0FBRyxJQUFJLEtBQUssQ0FBQyxDQUFDLENBQUMsS0FBSyxHQUFHLEVBQUUsQ0FBQztvQkFDekMsT0FBTztnQkFDVCxDQUFDO2dCQUVELE1BQU0sUUFBUSxHQUFHLFVBQVUsQ0FBQyxLQUFLLEVBQUUsVUFBVSxDQUFDLENBQUM7Z0JBQy9DLElBQUksQ0FBQyxRQUFRLEVBQUUsQ0FBQztvQkFDZCxPQUFPO2dCQUNULENBQUM7Z0JBRUQscUVBQXFFO2dCQUNyRSxvRUFBb0U7Z0JBQ3BFLElBQUksQ0FBQyxZQUFZLENBQUMsUUFBUSxFQUFFLGVBQWUsQ0FBQyxFQUFFLENBQUM7b0JBQzdDLGlFQUFpRTtvQkFDakUsSUFBSSxXQUFXLENBQUMsZUFBZSxJQUFJLFdBQVcsQ0FBQyxlQUFlLENBQUMsTUFBTSxHQUFHLENBQUMsRUFBRSxDQUFDO3dCQUMxRSxHQUFHLENBQUMsU0FBUyxDQUNYLG9KQUFvSixDQUNySixDQUFDO3dCQUNGLElBQUksQ0FBQyxZQUFZLENBQUMsUUFBUSxFQUFFLFdBQVcsQ0FBQyxlQUFlLENBQUMsRUFBRSxDQUFDOzRCQUN6RCxPQUFPLEVBQUUsQ0FBQzt3QkFDWixDQUFDO29CQUNILENBQUM7eUJBQU0sQ0FBQzt3QkFDTixPQUFPLEVBQUUsQ0FBQztvQkFDWixDQUFDO2dCQUNILENBQUM7WUFDSCxDQUFDO1FBQ0gsQ0FBQyxDQUFDO1FBRUYsa0RBQWtEO1FBQ2xELElBQUksV0FBVyxDQUFDLFNBQVMsRUFBRSxDQUFDO1lBQzFCLE1BQU0sc0JBQXNCLEdBQUcsV0FBVyxDQUFDLFNBQVMsQ0FBQztZQUNyRCxXQUFXLENBQUMsU0FBUyxHQUFHLFVBQVUsR0FBVyxFQUFFLElBQVksRUFBRSxLQUFhLEVBQUUsV0FBb0I7Z0JBQzlGLE1BQU0sTUFBTSxHQUFHLHNCQUFzQixDQUFDLEtBQUssQ0FBQyxJQUFJLEVBQUUsQ0FBQyxHQUFHLEVBQUUsSUFBSSxFQUFFLEtBQUssRUFBRSxXQUFXLENBQUMsQ0FBQyxDQUFDO2dCQUNuRixJQUFJLE1BQU0sS0FBSyxTQUFTLEVBQUUsQ0FBQztvQkFDekIsT0FBTyxNQUFNLENBQUM7Z0JBQ2hCLENBQUM7Z0JBQ0QsK0JBQStCO2dCQUMvQixPQUFPLFdBQVcsQ0FBQyxvQkFBb0IsQ0FBRSxDQUFDLEtBQUssQ0FBQyxJQUFJLEVBQUUsQ0FBQyxHQUFHLEVBQUUsSUFBSSxFQUFFLEtBQUssRUFBRSxXQUFXLENBQUMsQ0FBQyxDQUFDO1lBQ3pGLENBQUMsQ0FBQztRQUNKLENBQUM7YUFBTSxDQUFDO1lBQ04sV0FBVyxDQUFDLFNBQVMsR0FBRyxXQUFXLENBQUMsb0JBQW9CLENBQUMsQ0FBQztRQUM1RCxDQUFDO0lBQ0gsQ0FBQztJQUVELE9BQU8sR0FBRyxDQUFDLEdBQUcsRUFBRSxXQUFXLENBQUMsQ0FBQztBQUMvQixDQUFDIn0=
+
+//#endregion
+export { shtml as default };

package/dist/lib/helper/sjs.d.ts

@@ -1,4 +1,4 @@
-/**
- * Escape JavaScript to \xHH format
- */
-export default function escapeJavaScript(text: string): string;
+//#region src/lib/helper/sjs.d.ts
+declare function escapeJavaScript(text: string): string;
+//#endregion
+export { escapeJavaScript as default };

package/dist/lib/helper/sjs.js

@@ -1,49 +1,36 @@
+//#region src/lib/helper/sjs.ts
 /**
- * Escape JavaScript to \xHH format
- */
-// escape \x00-\x7f
-// except 0-9,A-Z,a-z(\x2f-\x3a \x40-\x5b \x60-\x7b)
-// eslint-disable-next-line
+* Escape JavaScript to \xHH format
+*/
 const MATCH_VULNERABLE_REGEXP = /[\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f]/;
-// eslint-enable-next-line
-const BASIC_ALPHABETS = new Set('abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ'.split(''));
+const BASIC_ALPHABETS = new Set("abcdefghijklmnopqrstuvwxyz1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ".split(""));
 const map = {
-    '\t': '\\t',
-    '\n': '\\n',
-    '\r': '\\r',
+	"	": "\\t",
+	"\n": "\\n",
+	"\r": "\\r"
 };
-export default function escapeJavaScript(text) {
-    const str = '' + text;
-    const match = MATCH_VULNERABLE_REGEXP.exec(str);
-    if (!match) {
-        return str;
-    }
-    let res = '';
-    let index = 0;
-    let lastIndex = 0;
-    let ascii;
-    for (index = match.index; index < str.length; index++) {
-        ascii = str[index];
-        if (BASIC_ALPHABETS.has(ascii)) {
-            continue;
-        }
-        else {
-            if (map[ascii] === undefined) {
-                const code = ascii.charCodeAt(0);
-                if (code > 127) {
-                    continue;
-                }
-                else {
-                    map[ascii] = '\\x' + code.toString(16);
-                }
-            }
-        }
-        if (lastIndex !== index) {
-            res += str.substring(lastIndex, index);
-        }
-        lastIndex = index + 1;
-        res += map[ascii];
-    }
-    return lastIndex !== index ? res + str.substring(lastIndex, index) : res;
+function escapeJavaScript(text) {
+	const str = "" + text;
+	const match = MATCH_VULNERABLE_REGEXP.exec(str);
+	if (!match) return str;
+	let res = "";
+	let index = 0;
+	let lastIndex = 0;
+	let ascii;
+	for (index = match.index; index < str.length; index++) {
+		ascii = str[index];
+		if (BASIC_ALPHABETS.has(ascii)) continue;
+		else if (map[ascii] === void 0) {
+			const code = ascii.charCodeAt(0);
+			if (code > 127) continue;
+			else map[ascii] = "\\x" + code.toString(16);
+		}
+		if (lastIndex !== index) res += str.substring(lastIndex, index);
+		lastIndex = index + 1;
+		res += map[ascii];
+	}
+	return lastIndex !== index ? res + str.substring(lastIndex, index) : res;
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2pzLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL2xpYi9oZWxwZXIvc2pzLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOztHQUVHO0FBRUgsbUJBQW1CO0FBQ25CLG9EQUFvRDtBQUVwRCwyQkFBMkI7QUFDM0IsTUFBTSx1QkFBdUIsR0FBRyx3Q0FBd0MsQ0FBQztBQUN6RSwwQkFBMEI7QUFFMUIsTUFBTSxlQUFlLEdBQUcsSUFBSSxHQUFHLENBQUMsZ0VBQWdFLENBQUMsS0FBSyxDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUM7QUFFNUcsTUFBTSxHQUFHLEdBQTJCO0lBQ2xDLElBQUksRUFBRSxLQUFLO0lBQ1gsSUFBSSxFQUFFLEtBQUs7SUFDWCxJQUFJLEVBQUUsS0FBSztDQUNaLENBQUM7QUFFRixNQUFNLENBQUMsT0FBTyxVQUFVLGdCQUFnQixDQUFDLElBQVk7SUFDbkQsTUFBTSxHQUFHLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQztJQUN0QixNQUFNLEtBQUssR0FBRyx1QkFBdUIsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUM7SUFFaEQsSUFBSSxDQUFDLEtBQUssRUFBRSxDQUFDO1FBQ1gsT0FBTyxHQUFHLENBQUM7SUFDYixDQUFDO0lBRUQsSUFBSSxHQUFHLEdBQUcsRUFBRSxDQUFDO0lBQ2IsSUFBSSxLQUFLLEdBQUcsQ0FBQyxDQUFDO0lBQ2QsSUFBSSxTQUFTLEdBQUcsQ0FBQyxDQUFDO0lBQ2xCLElBQUksS0FBSyxDQUFDO0lBRVYsS0FBSyxLQUFLLEdBQUcsS0FBSyxDQUFDLEtBQUssRUFBRSxLQUFLLEdBQUcsR0FBRyxDQUFDLE1BQU0sRUFBRSxLQUFLLEVBQUUsRUFBRSxDQUFDO1FBQ3RELEtBQUssR0FBRyxHQUFHLENBQUMsS0FBSyxDQUFDLENBQUM7UUFDbkIsSUFBSSxlQUFlLENBQUMsR0FBRyxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDL0IsU0FBUztRQUNYLENBQUM7YUFBTSxDQUFDO1lBQ04sSUFBSSxHQUFHLENBQUMsS0FBSyxDQUFDLEtBQUssU0FBUyxFQUFFLENBQUM7Z0JBQzdCLE1BQU0sSUFBSSxHQUFHLEtBQUssQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUM7Z0JBQ2pDLElBQUksSUFBSSxHQUFHLEdBQUcsRUFBRSxDQUFDO29CQUNmLFNBQVM7Z0JBQ1gsQ0FBQztxQkFBTSxDQUFDO29CQUNOLEdBQUcsQ0FBQyxLQUFLLENBQUMsR0FBRyxLQUFLLEdBQUcsSUFBSSxDQUFDLFFBQVEsQ0FBQyxFQUFFLENBQUMsQ0FBQztnQkFDekMsQ0FBQztZQUNILENBQUM7UUFDSCxDQUFDO1FBRUQsSUFBSSxTQUFTLEtBQUssS0FBSyxFQUFFLENBQUM7WUFDeEIsR0FBRyxJQUFJLEdBQUcsQ0FBQyxTQUFTLENBQUMsU0FBUyxFQUFFLEtBQUssQ0FBQyxDQUFDO1FBQ3pDLENBQUM7UUFFRCxTQUFTLEdBQUcsS0FBSyxHQUFHLENBQUMsQ0FBQztRQUN0QixHQUFHLElBQUksR0FBRyxDQUFDLEtBQUssQ0FBQyxDQUFDO0lBQ3BCLENBQUM7SUFFRCxPQUFPLFNBQVMsS0FBSyxLQUFLLENBQUMsQ0FBQyxDQUFDLEdBQUcsR0FBRyxHQUFHLENBQUMsU0FBUyxDQUFDLFNBQVMsRUFBRSxLQUFLLENBQUMsQ0FBQyxDQUFDLENBQUMsR0FBRyxDQUFDO0FBQzNFLENBQUMifQ==
+
+//#endregion
+export { escapeJavaScript as default };

package/dist/lib/helper/sjson.d.ts

@@ -1 +1,4 @@
-export default function jsonEscape(obj: any): string;
+//#region src/lib/helper/sjson.d.ts
+declare function jsonEscape(obj: any): string;
+//#endregion
+export { jsonEscape as default };

package/dist/lib/helper/sjson.js

@@ -1,39 +1,32 @@
-import sjs from "./sjs.js";
+import escapeJavaScript from "./sjs.js";
+
+//#region src/lib/helper/sjson.ts
 /**
- * escape json
- * for output json in script
- */
+* escape json
+* for output json in script
+*/
 function sanitizeKey(obj) {
-    if (typeof obj !== 'object')
-        return obj;
-    if (Array.isArray(obj))
-        return obj;
-    if (obj === null)
-        return null;
-    if (typeof obj === 'boolean')
-        return obj;
-    if (typeof obj === 'number')
-        return obj;
-    if (Buffer.isBuffer(obj))
-        return obj.toString();
-    for (const k in obj) {
-        const escapedK = sjs(k);
-        if (escapedK !== k) {
-            obj[escapedK] = sanitizeKey(obj[k]);
-            obj[k] = undefined;
-        }
-        else {
-            obj[k] = sanitizeKey(obj[k]);
-        }
-    }
-    return obj;
+	if (typeof obj !== "object") return obj;
+	if (Array.isArray(obj)) return obj;
+	if (obj === null) return null;
+	if (typeof obj === "boolean") return obj;
+	if (typeof obj === "number") return obj;
+	if (Buffer.isBuffer(obj)) return obj.toString();
+	for (const k in obj) {
+		const escapedK = escapeJavaScript(k);
+		if (escapedK !== k) {
+			obj[escapedK] = sanitizeKey(obj[k]);
+			obj[k] = void 0;
+		} else obj[k] = sanitizeKey(obj[k]);
+	}
+	return obj;
 }
-export default function jsonEscape(obj) {
-    return JSON.stringify(sanitizeKey(obj), (_k, v) => {
-        if (typeof v === 'string') {
-            return sjs(v);
-        }
-        return v;
-    });
+function jsonEscape(obj) {
+	return JSON.stringify(sanitizeKey(obj), (_k, v) => {
+		if (typeof v === "string") return escapeJavaScript(v);
+		return v;
+	});
 }
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2pzb24uanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvbGliL2hlbHBlci9zanNvbi50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQSxPQUFPLEdBQUcsTUFBTSxVQUFVLENBQUM7QUFFM0I7OztHQUdHO0FBRUgsU0FBUyxXQUFXLENBQUMsR0FBUTtJQUMzQixJQUFJLE9BQU8sR0FBRyxLQUFLLFFBQVE7UUFBRSxPQUFPLEdBQUcsQ0FBQztJQUN4QyxJQUFJLEtBQUssQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDO1FBQUUsT0FBTyxHQUFHLENBQUM7SUFDbkMsSUFBSSxHQUFHLEtBQUssSUFBSTtRQUFFLE9BQU8sSUFBSSxDQUFDO0lBQzlCLElBQUksT0FBTyxHQUFHLEtBQUssU0FBUztRQUFFLE9BQU8sR0FBRyxDQUFDO0lBQ3pDLElBQUksT0FBTyxHQUFHLEtBQUssUUFBUTtRQUFFLE9BQU8sR0FBRyxDQUFDO0lBQ3hDLElBQUksTUFBTSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUM7UUFBRSxPQUFPLEdBQUcsQ0FBQyxRQUFRLEVBQUUsQ0FBQztJQUVoRCxLQUFLLE1BQU0sQ0FBQyxJQUFJLEdBQUcsRUFBRSxDQUFDO1FBQ3BCLE1BQU0sUUFBUSxHQUFHLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUN4QixJQUFJLFFBQVEsS0FBSyxDQUFDLEVBQUUsQ0FBQztZQUNuQixHQUFHLENBQUMsUUFBUSxDQUFDLEdBQUcsV0FBVyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1lBQ3BDLEdBQUcsQ0FBQyxDQUFDLENBQUMsR0FBRyxTQUFTLENBQUM7UUFDckIsQ0FBQzthQUFNLENBQUM7WUFDTixHQUFHLENBQUMsQ0FBQyxDQUFDLEdBQUcsV0FBVyxDQUFDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQy9CLENBQUM7SUFDSCxDQUFDO0lBQ0QsT0FBTyxHQUFHLENBQUM7QUFDYixDQUFDO0FBRUQsTUFBTSxDQUFDLE9BQU8sVUFBVSxVQUFVLENBQUMsR0FBUTtJQUN6QyxPQUFPLElBQUksQ0FBQyxTQUFTLENBQUMsV0FBVyxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsRUFBRSxFQUFFLENBQUMsRUFBRSxFQUFFO1FBQ2hELElBQUksT0FBTyxDQUFDLEtBQUssUUFBUSxFQUFFLENBQUM7WUFDMUIsT0FBTyxHQUFHLENBQUMsQ0FBQyxDQUFDLENBQUM7UUFDaEIsQ0FBQztRQUNELE9BQU8sQ0FBQyxDQUFDO0lBQ1gsQ0FBQyxDQUFDLENBQUM7QUFDTCxDQUFDIn0=
+
+//#endregion
+export { jsonEscape as default };

package/dist/lib/helper/spath.d.ts

@@ -1,5 +1,7 @@
-/**
- * File Inclusion
- */
-import type { BaseContextClass } from 'egg';
-export default function pathFilter(this: BaseContextClass, path: string): string | null;
+import { BaseContextClass } from "egg";
+
+//#region src/lib/helper/spath.d.ts
+
+declare function pathFilter(this: BaseContextClass, path: string): string | null;
+//#endregion
+export { pathFilter as default };