@ethisyscore/vite-plugin 1.0.0-alpha.12 → 1.0.0-alpha.13

package/dist/index.cjs

@@ -31,29 +31,46 @@ function slash(p) {
 function escapeHtml(str) {
   return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
 }
+function assertSafeRelativePath(value, label) {
+  const normalized = (0, import_node_path.normalize)(value);
+  if ((0, import_node_path.isAbsolute)(value) || (0, import_node_path.isAbsolute)(normalized)) {
+    throw new Error(
+      `[ethisys-manifest] ${label} "${value}" must be relative, not absolute.`
+    );
+  }
+  if (normalized.includes("..")) {
+    throw new Error(
+      `[ethisys-manifest] ${label} "${value}" must not contain path traversal.`
+    );
+  }
+}
 function ethisysManifestPlugin(options = {}) {
   const manifestRelPath = options.manifestPath ?? "../extension.manifest.json";
   const mountId = options.mountId ?? "root";
   let entries = [];
   let rootDir;
   let manifestAbsPath;
+  const htmlCache = /* @__PURE__ */ new Map();
   function generateHtml(entry) {
     if (entry.template) {
+      assertSafeRelativePath(entry.template, "Template path");
       const templatePath = (0, import_node_path.resolve)(rootDir, entry.template);
       if ((0, import_node_fs.existsSync)(templatePath)) {
         let html = (0, import_node_fs.readFileSync)(templatePath, "utf-8");
-        const mountPattern = new RegExp(`id=["']${mountId}["']`);
+        const safeMountId2 = escapeHtml(mountId);
+        const mountPattern = new RegExp(`id=["']${safeMountId2}["']`);
         if (!mountPattern.test(html)) {
           throw new Error(
             `[ethisys-manifest] Custom template "${entry.template}" must contain an element with id="${mountId}".`
           );
         }
-        html = html.replace("{{SOURCE}}", entry.source);
+        html = html.replaceAll("{{SOURCE}}", escapeHtml(entry.source));
         return html;
       }
     }
     const safeTitle = escapeHtml(entry.title ?? "Plugin");
     const safeSource = escapeHtml(entry.source);
+    const safeMountId = escapeHtml(mountId);
     return `<!doctype html>
 <html lang="en">
   <head>
@@ -62,7 +79,7 @@ function ethisysManifestPlugin(options = {}) {
     <title>${safeTitle}</title>
   </head>
   <body>
-    <div id="${mountId}"></div>
+    <div id="${safeMountId}"></div>
     <script type="module" src="${safeSource}"></script>
   </body>
 </html>`;
@@ -97,11 +114,7 @@ function ethisysManifestPlugin(options = {}) {
     const entrypointSources = /* @__PURE__ */ new Map();
     for (const entry of entries) {
       const source = entry.source;
-      if (source.includes("..") || source.startsWith("/")) {
-        throw new Error(
-          `[ethisys-manifest] Source path "${source}" must be relative with no traversal.`
-        );
-      }
+      assertSafeRelativePath(source, "Source path");
       const sourcePath = (0, import_node_path.resolve)(rootDir, source);
       if (!(0, import_node_fs.existsSync)(sourcePath)) {
         throw new Error(
@@ -163,8 +176,12 @@ function ethisysManifestPlugin(options = {}) {
             const filename = url === "/" || url === "/index.html" ? "index.html" : url.slice(1);
             const entry = entries.find((e) => e.entrypoint === filename);
             if (entry) {
-              let html = generateHtml(entry);
-              html = await server.transformIndexHtml(url, html);
+              const cacheKey = `entry:${filename}`;
+              if (!htmlCache.has(cacheKey)) {
+                const rawHtml = generateHtml(entry);
+                htmlCache.set(cacheKey, server.transformIndexHtml(url, rawHtml));
+              }
+              const html = await htmlCache.get(cacheKey);
               res.setHeader("Content-Type", "text/html");
               res.statusCode = 200;
               res.end(html);
@@ -176,8 +193,12 @@ function ethisysManifestPlugin(options = {}) {
               (e) => e.entrypoint === "index.html"
             );
             if (mainEntry) {
-              let html = generateHtml(mainEntry);
-              html = await server.transformIndexHtml(url, html);
+              const cacheKey = "spa:index.html";
+              if (!htmlCache.has(cacheKey)) {
+                const rawHtml = generateHtml(mainEntry);
+                htmlCache.set(cacheKey, server.transformIndexHtml("/", rawHtml));
+              }
+              const html = await htmlCache.get(cacheKey);
               res.setHeader("Content-Type", "text/html");
               res.statusCode = 200;
               res.end(html);
@@ -198,6 +219,7 @@ function ethisysManifestPlugin(options = {}) {
         try {
           entries = readManifest();
           validateEntries();
+          htmlCache.clear();
         } catch (e) {
           server.config.logger.error(String(e));
           return [];

package/dist/index.js

@@ -1,35 +1,52 @@
 // src/index.ts
 import { readFileSync, existsSync } from "fs";
-import { resolve, sep } from "path";
+import { isAbsolute, normalize, resolve, sep } from "path";
 function slash(p) {
   return sep === "\\" ? p.replace(/\\/g, "/") : p;
 }
 function escapeHtml(str) {
   return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
 }
+function assertSafeRelativePath(value, label) {
+  const normalized = normalize(value);
+  if (isAbsolute(value) || isAbsolute(normalized)) {
+    throw new Error(
+      `[ethisys-manifest] ${label} "${value}" must be relative, not absolute.`
+    );
+  }
+  if (normalized.includes("..")) {
+    throw new Error(
+      `[ethisys-manifest] ${label} "${value}" must not contain path traversal.`
+    );
+  }
+}
 function ethisysManifestPlugin(options = {}) {
   const manifestRelPath = options.manifestPath ?? "../extension.manifest.json";
   const mountId = options.mountId ?? "root";
   let entries = [];
   let rootDir;
   let manifestAbsPath;
+  const htmlCache = /* @__PURE__ */ new Map();
   function generateHtml(entry) {
     if (entry.template) {
+      assertSafeRelativePath(entry.template, "Template path");
       const templatePath = resolve(rootDir, entry.template);
       if (existsSync(templatePath)) {
         let html = readFileSync(templatePath, "utf-8");
-        const mountPattern = new RegExp(`id=["']${mountId}["']`);
+        const safeMountId2 = escapeHtml(mountId);
+        const mountPattern = new RegExp(`id=["']${safeMountId2}["']`);
         if (!mountPattern.test(html)) {
           throw new Error(
             `[ethisys-manifest] Custom template "${entry.template}" must contain an element with id="${mountId}".`
           );
         }
-        html = html.replace("{{SOURCE}}", entry.source);
+        html = html.replaceAll("{{SOURCE}}", escapeHtml(entry.source));
         return html;
       }
     }
     const safeTitle = escapeHtml(entry.title ?? "Plugin");
     const safeSource = escapeHtml(entry.source);
+    const safeMountId = escapeHtml(mountId);
     return `<!doctype html>
 <html lang="en">
   <head>
@@ -38,7 +55,7 @@ function ethisysManifestPlugin(options = {}) {
     <title>${safeTitle}</title>
   </head>
   <body>
-    <div id="${mountId}"></div>
+    <div id="${safeMountId}"></div>
     <script type="module" src="${safeSource}"></script>
   </body>
 </html>`;
@@ -73,11 +90,7 @@ function ethisysManifestPlugin(options = {}) {
     const entrypointSources = /* @__PURE__ */ new Map();
     for (const entry of entries) {
       const source = entry.source;
-      if (source.includes("..") || source.startsWith("/")) {
-        throw new Error(
-          `[ethisys-manifest] Source path "${source}" must be relative with no traversal.`
-        );
-      }
+      assertSafeRelativePath(source, "Source path");
       const sourcePath = resolve(rootDir, source);
       if (!existsSync(sourcePath)) {
         throw new Error(
@@ -139,8 +152,12 @@ function ethisysManifestPlugin(options = {}) {
             const filename = url === "/" || url === "/index.html" ? "index.html" : url.slice(1);
             const entry = entries.find((e) => e.entrypoint === filename);
             if (entry) {
-              let html = generateHtml(entry);
-              html = await server.transformIndexHtml(url, html);
+              const cacheKey = `entry:${filename}`;
+              if (!htmlCache.has(cacheKey)) {
+                const rawHtml = generateHtml(entry);
+                htmlCache.set(cacheKey, server.transformIndexHtml(url, rawHtml));
+              }
+              const html = await htmlCache.get(cacheKey);
               res.setHeader("Content-Type", "text/html");
               res.statusCode = 200;
               res.end(html);
@@ -152,8 +169,12 @@ function ethisysManifestPlugin(options = {}) {
               (e) => e.entrypoint === "index.html"
             );
             if (mainEntry) {
-              let html = generateHtml(mainEntry);
-              html = await server.transformIndexHtml(url, html);
+              const cacheKey = "spa:index.html";
+              if (!htmlCache.has(cacheKey)) {
+                const rawHtml = generateHtml(mainEntry);
+                htmlCache.set(cacheKey, server.transformIndexHtml("/", rawHtml));
+              }
+              const html = await htmlCache.get(cacheKey);
               res.setHeader("Content-Type", "text/html");
               res.statusCode = 200;
               res.end(html);
@@ -174,6 +195,7 @@ function ethisysManifestPlugin(options = {}) {
         try {
           entries = readManifest();
           validateEntries();
+          htmlCache.clear();
         } catch (e) {
           server.config.logger.error(String(e));
           return [];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ethisyscore/vite-plugin",
-  "version": "1.0.0-alpha.12",
+  "version": "1.0.0-alpha.13",
   "description": "Vite plugin for manifest-driven HTML entry points in EthisysCore plugins. Reads feature.manifest.json and generates HTML shells in-memory — zero boilerplate HTML files needed.",
   "type": "module",
   "main": "dist/index.cjs",