@f-o-t/ofx 2.2.0 → 2.3.1

package/README.md

@@ -464,36 +464,95 @@ type StreamEvent =
   | { type: "complete"; transactionCount: number };
 ```
 
-## Schemas
+## Validation & Schemas
 
-All Zod schemas are exported for custom validation:
+All parsing and generation functions use Zod schemas for runtime validation, ensuring type safety and data integrity.
+
+### Input Validation for Generation
+
+When generating OFX files, you can validate your inputs using the exported schemas:
 
 ```typescript
-import { schemas } from "@fot/ofx";
+import {
+  generateBankStatement,
+  generateBankStatementOptionsSchema,
+  type GenerateBankStatementOptions,
+} from "@fot/ofx";
+
+// Validate options before generating
+const options: GenerateBankStatementOptions = {
+  bankId: "123456",
+  accountId: "987654321",
+  accountType: "CHECKING",
+  currency: "USD",
+  startDate: new Date("2025-01-01"),
+  endDate: new Date("2025-01-31"),
+  transactions: [],
+};
+
+// Runtime validation
+const validatedOptions = generateBankStatementOptionsSchema.parse(options);
+const statement = generateBankStatement(validatedOptions);
+```
+
+### Available Schemas
 
-const customTransactionSchema = schemas.transaction.extend({
+All Zod schemas are exported for custom validation and extension:
+
+```typescript
+import {
+  transactionSchema,
+  bankAccountSchema,
+  ofxDocumentSchema,
+} from "@fot/ofx";
+
+// Extend schemas for custom validation
+const customTransactionSchema = transactionSchema.extend({
   customField: z.string(),
 });
 ```
 
-Available schemas:
-
-- `schemas.transaction`
-- `schemas.transactionType`
-- `schemas.transactionList`
-- `schemas.bankAccount`
-- `schemas.creditCardAccount`
-- `schemas.accountType`
-- `schemas.balance`
-- `schemas.status`
-- `schemas.financialInstitution`
-- `schemas.signOnResponse`
-- `schemas.bankStatementResponse`
-- `schemas.creditCardStatementResponse`
-- `schemas.ofxDocument`
-- `schemas.ofxHeader`
-- `schemas.ofxResponse`
-- `schemas.ofxDate`
+**Parsing Schemas:**
+- `ofxDocumentSchema` - Complete OFX document
+- `ofxHeaderSchema` - OFX file header
+- `ofxResponseSchema` - OFX response body
+- `transactionSchema` - Individual transaction
+- `transactionTypeSchema` - Transaction type enum
+- `transactionListSchema` - List of transactions
+- `bankAccountSchema` - Bank account information
+- `creditCardAccountSchema` - Credit card account information
+- `accountTypeSchema` - Account type enum
+- `balanceSchema` - Balance information
+- `statusSchema` - Status response
+- `financialInstitutionSchema` - Financial institution info
+- `signOnResponseSchema` - Sign-on response
+- `ofxDateSchema` - OFX date with timezone
+
+**Generation Schemas:**
+- `generateHeaderOptionsSchema` - OFX header generation options
+- `generateTransactionInputSchema` - Transaction input for generation
+- `generateBankStatementOptionsSchema` - Bank statement generation options
+- `generateCreditCardStatementOptionsSchema` - Credit card statement generation options
+
+## Security
+
+This library includes several security features to protect against malicious OFX files:
+
+### Prototype Pollution Protection
+
+The SGML parser is protected against prototype pollution attacks. Malicious OFX files attempting to inject `__proto__`, `constructor`, or `prototype` tags are safely ignored, preventing potential remote code execution.
+
+### Input Validation
+
+All parsing functions validate input data against strict Zod schemas, rejecting malformed or invalid OFX data before processing. This prevents:
+- Type confusion attacks
+- Invalid date/number formats
+- Missing required fields
+- Unexpected data structures
+
+### Safe Entity Decoding
+
+HTML entities in OFX text fields are decoded using a whitelist approach, preventing XSS-style attacks through crafted entity sequences
 
 ## Performance
 

package/dist/index.d.ts

@@ -1616,74 +1616,160 @@ declare function getTransactions(document: OFXDocument): OFXTransaction[];
 declare function getAccountInfo(document: OFXDocument): (OFXBankAccount | OFXCreditCardAccount)[];
 declare function getBalance(document: OFXDocument): BalanceInfo[];
 declare function getSignOnInfo(document: OFXDocument): OFXSignOnResponse;
-interface GenerateHeaderOptions {
-	version?: string;
-	encoding?: string;
-	charset?: string;
-}
+import { z as z2 } from "zod";
+declare const generateHeaderOptionsSchema: z2.ZodOptional<z2.ZodObject<{
+	version: z2.ZodOptional<z2.ZodString>;
+	encoding: z2.ZodOptional<z2.ZodString>;
+	charset: z2.ZodOptional<z2.ZodString>;
+}, z2.core.$strip>>;
+type GenerateHeaderOptions = z2.infer<typeof generateHeaderOptionsSchema>;
 declare function generateHeader(options?: GenerateHeaderOptions): string;
-interface GenerateTransactionInput {
-	type: OFXTransactionType;
-	datePosted: Date;
-	amount: number;
-	fitId: string;
-	name?: string;
-	memo?: string;
-	checkNum?: string;
-	refNum?: string;
-}
-interface GenerateBankStatementOptions {
-	bankId: string;
-	accountId: string;
-	accountType: OFXAccountType;
-	currency: string;
-	startDate: Date;
-	endDate: Date;
-	transactions: GenerateTransactionInput[];
-	ledgerBalance?: {
-		amount: number;
-		asOfDate: Date;
-	};
-	availableBalance?: {
-		amount: number;
-		asOfDate: Date;
-	};
-	financialInstitution?: {
-		org?: string;
-		fid?: string;
-	};
-	language?: string;
-}
+declare const generateTransactionInputSchema: z2.ZodObject<{
+	type: z2.ZodEnum<{
+		CREDIT: "CREDIT";
+		DEBIT: "DEBIT";
+		INT: "INT";
+		DIV: "DIV";
+		FEE: "FEE";
+		SRVCHG: "SRVCHG";
+		DEP: "DEP";
+		ATM: "ATM";
+		POS: "POS";
+		XFER: "XFER";
+		CHECK: "CHECK";
+		PAYMENT: "PAYMENT";
+		CASH: "CASH";
+		DIRECTDEP: "DIRECTDEP";
+		DIRECTDEBIT: "DIRECTDEBIT";
+		REPEATPMT: "REPEATPMT";
+		HOLD: "HOLD";
+		OTHER: "OTHER";
+	}>;
+	datePosted: z2.ZodDate;
+	amount: z2.ZodNumber;
+	fitId: z2.ZodString;
+	name: z2.ZodOptional<z2.ZodString>;
+	memo: z2.ZodOptional<z2.ZodString>;
+	checkNum: z2.ZodOptional<z2.ZodString>;
+	refNum: z2.ZodOptional<z2.ZodString>;
+}, z2.core.$strip>;
+type GenerateTransactionInput = z2.infer<typeof generateTransactionInputSchema>;
+declare const generateBankStatementOptionsSchema: z2.ZodObject<{
+	bankId: z2.ZodString;
+	accountId: z2.ZodString;
+	accountType: z2.ZodEnum<{
+		CHECKING: "CHECKING";
+		SAVINGS: "SAVINGS";
+		MONEYMRKT: "MONEYMRKT";
+		CREDITLINE: "CREDITLINE";
+		CD: "CD";
+	}>;
+	currency: z2.ZodString;
+	startDate: z2.ZodDate;
+	endDate: z2.ZodDate;
+	transactions: z2.ZodArray<z2.ZodObject<{
+		type: z2.ZodEnum<{
+			CREDIT: "CREDIT";
+			DEBIT: "DEBIT";
+			INT: "INT";
+			DIV: "DIV";
+			FEE: "FEE";
+			SRVCHG: "SRVCHG";
+			DEP: "DEP";
+			ATM: "ATM";
+			POS: "POS";
+			XFER: "XFER";
+			CHECK: "CHECK";
+			PAYMENT: "PAYMENT";
+			CASH: "CASH";
+			DIRECTDEP: "DIRECTDEP";
+			DIRECTDEBIT: "DIRECTDEBIT";
+			REPEATPMT: "REPEATPMT";
+			HOLD: "HOLD";
+			OTHER: "OTHER";
+		}>;
+		datePosted: z2.ZodDate;
+		amount: z2.ZodNumber;
+		fitId: z2.ZodString;
+		name: z2.ZodOptional<z2.ZodString>;
+		memo: z2.ZodOptional<z2.ZodString>;
+		checkNum: z2.ZodOptional<z2.ZodString>;
+		refNum: z2.ZodOptional<z2.ZodString>;
+	}, z2.core.$strip>>;
+	ledgerBalance: z2.ZodOptional<z2.ZodObject<{
+		amount: z2.ZodNumber;
+		asOfDate: z2.ZodDate;
+	}, z2.core.$strip>>;
+	availableBalance: z2.ZodOptional<z2.ZodObject<{
+		amount: z2.ZodNumber;
+		asOfDate: z2.ZodDate;
+	}, z2.core.$strip>>;
+	financialInstitution: z2.ZodOptional<z2.ZodObject<{
+		org: z2.ZodOptional<z2.ZodString>;
+		fid: z2.ZodOptional<z2.ZodString>;
+	}, z2.core.$strip>>;
+	language: z2.ZodOptional<z2.ZodString>;
+}, z2.core.$strip>;
+type GenerateBankStatementOptions = z2.infer<typeof generateBankStatementOptionsSchema>;
 declare function generateBankStatement(options: GenerateBankStatementOptions): string;
-interface GenerateCreditCardStatementOptions {
-	accountId: string;
-	currency: string;
-	startDate: Date;
-	endDate: Date;
-	transactions: GenerateTransactionInput[];
-	ledgerBalance?: {
-		amount: number;
-		asOfDate: Date;
-	};
-	availableBalance?: {
-		amount: number;
-		asOfDate: Date;
-	};
-	financialInstitution?: {
-		org?: string;
-		fid?: string;
-	};
-	language?: string;
-}
+declare const generateCreditCardStatementOptionsSchema: z2.ZodObject<{
+	accountId: z2.ZodString;
+	currency: z2.ZodString;
+	startDate: z2.ZodDate;
+	endDate: z2.ZodDate;
+	transactions: z2.ZodArray<z2.ZodObject<{
+		type: z2.ZodEnum<{
+			CREDIT: "CREDIT";
+			DEBIT: "DEBIT";
+			INT: "INT";
+			DIV: "DIV";
+			FEE: "FEE";
+			SRVCHG: "SRVCHG";
+			DEP: "DEP";
+			ATM: "ATM";
+			POS: "POS";
+			XFER: "XFER";
+			CHECK: "CHECK";
+			PAYMENT: "PAYMENT";
+			CASH: "CASH";
+			DIRECTDEP: "DIRECTDEP";
+			DIRECTDEBIT: "DIRECTDEBIT";
+			REPEATPMT: "REPEATPMT";
+			HOLD: "HOLD";
+			OTHER: "OTHER";
+		}>;
+		datePosted: z2.ZodDate;
+		amount: z2.ZodNumber;
+		fitId: z2.ZodString;
+		name: z2.ZodOptional<z2.ZodString>;
+		memo: z2.ZodOptional<z2.ZodString>;
+		checkNum: z2.ZodOptional<z2.ZodString>;
+		refNum: z2.ZodOptional<z2.ZodString>;
+	}, z2.core.$strip>>;
+	ledgerBalance: z2.ZodOptional<z2.ZodObject<{
+		amount: z2.ZodNumber;
+		asOfDate: z2.ZodDate;
+	}, z2.core.$strip>>;
+	availableBalance: z2.ZodOptional<z2.ZodObject<{
+		amount: z2.ZodNumber;
+		asOfDate: z2.ZodDate;
+	}, z2.core.$strip>>;
+	financialInstitution: z2.ZodOptional<z2.ZodObject<{
+		org: z2.ZodOptional<z2.ZodString>;
+		fid: z2.ZodOptional<z2.ZodString>;
+	}, z2.core.$strip>>;
+	language: z2.ZodOptional<z2.ZodString>;
+}, z2.core.$strip>;
+type GenerateCreditCardStatementOptions = z2.infer<typeof generateCreditCardStatementOptionsSchema>;
 declare function generateCreditCardStatement(options: GenerateCreditCardStatementOptions): string;
-import { z as z2 } from "zod";
+import { z as z3 } from "zod";
 declare function getEncodingFromCharset(charset?: string): string;
 type ParseResult<T> = {
 	success: true;
 	data: T;
 } | {
 	success: false;
-	error: z2.ZodError;
+	error: z3.ZodError;
 };
 declare function parse(content: string): ParseResult<OFXDocument>;
 declare function parseOrThrow(content: string): OFXDocument;
@@ -1797,4 +1883,4 @@ declare function formatOfxDate(date: Date, timezone?: {
 	offset: number;
 	name: string;
 }): string;
-export { parseStreamToArray, parseStream, parseOrThrow, parseBufferOrThrow, parseBuffer, parseBatchStreamToArray, parseBatchStream, parse, getTransactions, getSignOnInfo, getEncodingFromCharset, getBalance, getAccountInfo, generateHeader, generateCreditCardStatement, generateBankStatement, formatOfxDate, StreamOptions, StreamEvent, ParseResult, OFXTransactionType, OFXTransactionList, OFXTransaction, OFXStatus, OFXSignOnResponse, OFXSignOnMessageSetResponse, OFXResponse, OFXHeader, OFXFinancialInstitution, OFXDocument, OFXDate, OFXCreditCardStatementTransactionResponse, OFXCreditCardStatementResponse, OFXCreditCardMessageSetResponse, OFXCreditCardAccount, OFXBankStatementTransactionResponse, OFXBankStatementResponse, OFXBankMessageSetResponse, OFXBankAccount, OFXBalance, OFXAccountType, GenerateTransactionInput, GenerateHeaderOptions, GenerateCreditCardStatementOptions, GenerateBankStatementOptions, BatchStreamEvent, BatchParsedFile, BatchFileInput, BalanceInfo };
+export { parseStreamToArray, parseStream, parseOrThrow, parseBufferOrThrow, parseBuffer, parseBatchStreamToArray, parseBatchStream, parse, getTransactions, getSignOnInfo, getEncodingFromCharset, getBalance, getAccountInfo, generateTransactionInputSchema, generateHeaderOptionsSchema, generateHeader, generateCreditCardStatementOptionsSchema, generateCreditCardStatement, generateBankStatementOptionsSchema, generateBankStatement, formatOfxDate, StreamOptions, StreamEvent, ParseResult, OFXTransactionType, OFXTransactionList, OFXTransaction, OFXStatus, OFXSignOnResponse, OFXSignOnMessageSetResponse, OFXResponse, OFXHeader, OFXFinancialInstitution, OFXDocument, OFXDate, OFXCreditCardStatementTransactionResponse, OFXCreditCardStatementResponse, OFXCreditCardMessageSetResponse, OFXCreditCardAccount, OFXBankStatementTransactionResponse, OFXBankStatementResponse, OFXBankMessageSetResponse, OFXBankAccount, OFXBalance, OFXAccountType, GenerateTransactionInput, GenerateHeaderOptions, GenerateCreditCardStatementOptions, GenerateBankStatementOptions, BatchStreamEvent, BatchParsedFile, BatchFileInput, BalanceInfo };

package/dist/index.js

@@ -1,5 +1,18 @@
 // src/utils.ts
 var toArray = (value) => Array.isArray(value) ? value : [value];
+var ENTITY_MAP = {
+  "&": "&",
+  "'": "'",
+  ">": ">",
+  "&lt;": "<",
+  "&quot;": '"'
+};
+var ENTITY_REGEX = /&(?:amp|lt|gt|quot|apos);/g;
+function decodeEntities(text) {
+  if (!text.includes("&"))
+    return text;
+  return text.replace(ENTITY_REGEX, (match) => ENTITY_MAP[match] ?? match);
+}
 var pad = (n, width = 2) => n.toString().padStart(width, "0");
 function escapeOfxText(text) {
   if (!text.includes("&") && !text.includes("<") && !text.includes(">")) {
@@ -95,182 +108,19 @@ function getSignOnInfo(document) {
   return document.OFX.SIGNONMSGSRSV1.SONRS;
 }
 // src/generator.ts
-function generateHeader(options) {
-  const version = options?.version ?? "100";
-  const encoding = options?.encoding ?? "USASCII";
-  const charset = options?.charset ?? "1252";
-  return [
-    "OFXHEADER:100",
-    "DATA:OFXSGML",
-    `VERSION:${version}`,
-    "SECURITY:NONE",
-    `ENCODING:${encoding}`,
-    `CHARSET:${charset}`,
-    "COMPRESSION:NONE",
-    "OLDFILEUID:NONE",
-    "NEWFILEUID:NONE",
-    ""
-  ].join(`
-`);
-}
-function generateTransaction(trn) {
-  const lines = [
-    "<STMTTRN>",
-    `<TRNTYPE>${trn.type}`,
-    `<DTPOSTED>${formatOfxDate(trn.datePosted)}`,
-    `<TRNAMT>${formatAmount(trn.amount)}`,
-    `<FITID>${escapeOfxText(trn.fitId)}`
-  ];
-  if (trn.name) {
-    lines.push(`<NAME>${escapeOfxText(trn.name)}`);
-  }
-  if (trn.memo) {
-    lines.push(`<MEMO>${escapeOfxText(trn.memo)}`);
-  }
-  if (trn.checkNum) {
-    lines.push(`<CHECKNUM>${escapeOfxText(trn.checkNum)}`);
-  }
-  if (trn.refNum) {
-    lines.push(`<REFNUM>${escapeOfxText(trn.refNum)}`);
-  }
-  lines.push("</STMTTRN>");
-  return lines.join(`
-`);
-}
-function generateBankStatement(options) {
-  const parts = [generateHeader()];
-  const serverDate = formatOfxDate(new Date);
-  const language = options.language ?? "POR";
-  parts.push(`<OFX>
-<SIGNONMSGSRSV1>
-<SONRS>
-<STATUS>
-<CODE>0
-<SEVERITY>INFO
-</STATUS>
-<DTSERVER>${serverDate}
-<LANGUAGE>${language}`);
-  if (options.financialInstitution) {
-    parts.push("<FI>");
-    if (options.financialInstitution.org) {
-      parts.push(`<ORG>${escapeOfxText(options.financialInstitution.org)}`);
-    }
-    if (options.financialInstitution.fid) {
-      parts.push(`<FID>${escapeOfxText(options.financialInstitution.fid)}`);
-    }
-    parts.push("</FI>");
-  }
-  parts.push(`</SONRS>
-</SIGNONMSGSRSV1>
-<BANKMSGSRSV1>
-<STMTTRNRS>
-<TRNUID>0
-<STATUS>
-<CODE>0
-<SEVERITY>INFO
-</STATUS>
-<STMTRS>
-<CURDEF>${options.currency}
-<BANKACCTFROM>
-<BANKID>${escapeOfxText(options.bankId)}
-<ACCTID>${escapeOfxText(options.accountId)}
-<ACCTTYPE>${options.accountType}
-</BANKACCTFROM>
-<BANKTRANLIST>
-<DTSTART>${formatOfxDate(options.startDate)}
-<DTEND>${formatOfxDate(options.endDate)}`);
-  for (const trn of options.transactions) {
-    parts.push(generateTransaction(trn));
-  }
-  parts.push("</BANKTRANLIST>");
-  if (options.ledgerBalance) {
-    parts.push(`<LEDGERBAL>
-<BALAMT>${formatAmount(options.ledgerBalance.amount)}
-<DTASOF>${formatOfxDate(options.ledgerBalance.asOfDate)}
-</LEDGERBAL>`);
-  }
-  if (options.availableBalance) {
-    parts.push(`<AVAILBAL>
-<BALAMT>${formatAmount(options.availableBalance.amount)}
-<DTASOF>${formatOfxDate(options.availableBalance.asOfDate)}
-</AVAILBAL>`);
-  }
-  parts.push(`</STMTRS>
-</STMTTRNRS>
-</BANKMSGSRSV1>
-</OFX>`);
-  return parts.join(`
-`);
-}
-function generateCreditCardStatement(options) {
-  const parts = [generateHeader()];
-  const serverDate = formatOfxDate(new Date);
-  const language = options.language ?? "POR";
-  parts.push(`<OFX>
-<SIGNONMSGSRSV1>
-<SONRS>
-<STATUS>
-<CODE>0
-<SEVERITY>INFO
-</STATUS>
-<DTSERVER>${serverDate}
-<LANGUAGE>${language}`);
-  if (options.financialInstitution) {
-    parts.push("<FI>");
-    if (options.financialInstitution.org) {
-      parts.push(`<ORG>${escapeOfxText(options.financialInstitution.org)}`);
-    }
-    if (options.financialInstitution.fid) {
-      parts.push(`<FID>${escapeOfxText(options.financialInstitution.fid)}`);
-    }
-    parts.push("</FI>");
-  }
-  parts.push(`</SONRS>
-</SIGNONMSGSRSV1>
-<CREDITCARDMSGSRSV1>
-<CCSTMTTRNRS>
-<TRNUID>0
-<STATUS>
-<CODE>0
-<SEVERITY>INFO
-</STATUS>
-<CCSTMTRS>
-<CURDEF>${options.currency}
-<CCACCTFROM>
-<ACCTID>${escapeOfxText(options.accountId)}
-</CCACCTFROM>
-<BANKTRANLIST>
-<DTSTART>${formatOfxDate(options.startDate)}
-<DTEND>${formatOfxDate(options.endDate)}`);
-  for (const trn of options.transactions) {
-    parts.push(generateTransaction(trn));
-  }
-  parts.push("</BANKTRANLIST>");
-  if (options.ledgerBalance) {
-    parts.push(`<LEDGERBAL>
-<BALAMT>${formatAmount(options.ledgerBalance.amount)}
-<DTASOF>${formatOfxDate(options.ledgerBalance.asOfDate)}
-</LEDGERBAL>`);
-  }
-  if (options.availableBalance) {
-    parts.push(`<AVAILBAL>
-<BALAMT>${formatAmount(options.availableBalance.amount)}
-<DTASOF>${formatOfxDate(options.availableBalance.asOfDate)}
-</AVAILBAL>`);
-  }
-  parts.push(`</CCSTMTRS>
-</CCSTMTTRNRS>
-</CREDITCARDMSGSRSV1>
-</OFX>`);
-  return parts.join(`
-`);
-}
-// src/parser.ts
 import { z as z2 } from "zod";
 
 // src/schemas.ts
 import { z } from "zod";
 var toFloat = (val) => Number.parseFloat(val);
+var dateComponentsSchema = z.object({
+  year: z.number(),
+  month: z.number(),
+  day: z.number(),
+  hour: z.number(),
+  minute: z.number(),
+  second: z.number()
+});
 var DATE_REGEX = /^(\d{4})(\d{2})(\d{2})(\d{2})?(\d{2})?(\d{2})?/;
 var TIMEZONE_REGEX = /\[([+-]?\d+):(\w+)\]/;
 function parseDateComponents(val) {
@@ -463,15 +313,234 @@ var ofxDocumentSchema = z.object({
   OFX: ofxResponseSchema
 });
 
+// src/generator.ts
+var generateHeaderOptionsSchema = z2.object({
+  version: z2.string().optional(),
+  encoding: z2.string().optional(),
+  charset: z2.string().optional()
+}).optional();
+function generateHeader(options) {
+  const version = options?.version ?? "100";
+  const encoding = options?.encoding ?? "USASCII";
+  const charset = options?.charset ?? "1252";
+  return [
+    "OFXHEADER:100",
+    "DATA:OFXSGML",
+    `VERSION:${version}`,
+    "SECURITY:NONE",
+    `ENCODING:${encoding}`,
+    `CHARSET:${charset}`,
+    "COMPRESSION:NONE",
+    "OLDFILEUID:NONE",
+    "NEWFILEUID:NONE",
+    ""
+  ].join(`
+`);
+}
+var generateTransactionInputSchema = z2.object({
+  type: transactionTypeSchema,
+  datePosted: z2.date(),
+  amount: z2.number(),
+  fitId: z2.string().min(1),
+  name: z2.string().optional(),
+  memo: z2.string().optional(),
+  checkNum: z2.string().optional(),
+  refNum: z2.string().optional()
+});
+function generateTransaction(trn) {
+  const lines = [
+    "<STMTTRN>",
+    `<TRNTYPE>${trn.type}`,
+    `<DTPOSTED>${formatOfxDate(trn.datePosted)}`,
+    `<TRNAMT>${formatAmount(trn.amount)}`,
+    `<FITID>${escapeOfxText(trn.fitId)}`
+  ];
+  if (trn.name) {
+    lines.push(`<NAME>${escapeOfxText(trn.name)}`);
+  }
+  if (trn.memo) {
+    lines.push(`<MEMO>${escapeOfxText(trn.memo)}`);
+  }
+  if (trn.checkNum) {
+    lines.push(`<CHECKNUM>${escapeOfxText(trn.checkNum)}`);
+  }
+  if (trn.refNum) {
+    lines.push(`<REFNUM>${escapeOfxText(trn.refNum)}`);
+  }
+  lines.push("</STMTTRN>");
+  return lines.join(`
+`);
+}
+var balanceSchema2 = z2.object({
+  amount: z2.number(),
+  asOfDate: z2.date()
+});
+var financialInstitutionSchema2 = z2.object({
+  org: z2.string().optional(),
+  fid: z2.string().optional()
+});
+var generateBankStatementOptionsSchema = z2.object({
+  bankId: z2.string().min(1),
+  accountId: z2.string().min(1),
+  accountType: accountTypeSchema,
+  currency: z2.string().min(1),
+  startDate: z2.date(),
+  endDate: z2.date(),
+  transactions: z2.array(generateTransactionInputSchema),
+  ledgerBalance: balanceSchema2.optional(),
+  availableBalance: balanceSchema2.optional(),
+  financialInstitution: financialInstitutionSchema2.optional(),
+  language: z2.string().optional()
+});
+function generateBankStatement(options) {
+  const parts = [generateHeader()];
+  const serverDate = formatOfxDate(new Date);
+  const language = options.language ?? "POR";
+  parts.push(`<OFX>
+<SIGNONMSGSRSV1>
+<SONRS>
+<STATUS>
+<CODE>0
+<SEVERITY>INFO
+</STATUS>
+<DTSERVER>${serverDate}
+<LANGUAGE>${language}`);
+  if (options.financialInstitution) {
+    parts.push("<FI>");
+    if (options.financialInstitution.org) {
+      parts.push(`<ORG>${escapeOfxText(options.financialInstitution.org)}`);
+    }
+    if (options.financialInstitution.fid) {
+      parts.push(`<FID>${escapeOfxText(options.financialInstitution.fid)}`);
+    }
+    parts.push("</FI>");
+  }
+  parts.push(`</SONRS>
+</SIGNONMSGSRSV1>
+<BANKMSGSRSV1>
+<STMTTRNRS>
+<TRNUID>0
+<STATUS>
+<CODE>0
+<SEVERITY>INFO
+</STATUS>
+<STMTRS>
+<CURDEF>${options.currency}
+<BANKACCTFROM>
+<BANKID>${escapeOfxText(options.bankId)}
+<ACCTID>${escapeOfxText(options.accountId)}
+<ACCTTYPE>${options.accountType}
+</BANKACCTFROM>
+<BANKTRANLIST>
+<DTSTART>${formatOfxDate(options.startDate)}
+<DTEND>${formatOfxDate(options.endDate)}`);
+  for (const trn of options.transactions) {
+    parts.push(generateTransaction(trn));
+  }
+  parts.push("</BANKTRANLIST>");
+  if (options.ledgerBalance) {
+    parts.push(`<LEDGERBAL>
+<BALAMT>${formatAmount(options.ledgerBalance.amount)}
+<DTASOF>${formatOfxDate(options.ledgerBalance.asOfDate)}
+</LEDGERBAL>`);
+  }
+  if (options.availableBalance) {
+    parts.push(`<AVAILBAL>
+<BALAMT>${formatAmount(options.availableBalance.amount)}
+<DTASOF>${formatOfxDate(options.availableBalance.asOfDate)}
+</AVAILBAL>`);
+  }
+  parts.push(`</STMTRS>
+</STMTTRNRS>
+</BANKMSGSRSV1>
+</OFX>`);
+  return parts.join(`
+`);
+}
+var generateCreditCardStatementOptionsSchema = z2.object({
+  accountId: z2.string().min(1),
+  currency: z2.string().min(1),
+  startDate: z2.date(),
+  endDate: z2.date(),
+  transactions: z2.array(generateTransactionInputSchema),
+  ledgerBalance: balanceSchema2.optional(),
+  availableBalance: balanceSchema2.optional(),
+  financialInstitution: financialInstitutionSchema2.optional(),
+  language: z2.string().optional()
+});
+function generateCreditCardStatement(options) {
+  const parts = [generateHeader()];
+  const serverDate = formatOfxDate(new Date);
+  const language = options.language ?? "POR";
+  parts.push(`<OFX>
+<SIGNONMSGSRSV1>
+<SONRS>
+<STATUS>
+<CODE>0
+<SEVERITY>INFO
+</STATUS>
+<DTSERVER>${serverDate}
+<LANGUAGE>${language}`);
+  if (options.financialInstitution) {
+    parts.push("<FI>");
+    if (options.financialInstitution.org) {
+      parts.push(`<ORG>${escapeOfxText(options.financialInstitution.org)}`);
+    }
+    if (options.financialInstitution.fid) {
+      parts.push(`<FID>${escapeOfxText(options.financialInstitution.fid)}`);
+    }
+    parts.push("</FI>");
+  }
+  parts.push(`</SONRS>
+</SIGNONMSGSRSV1>
+<CREDITCARDMSGSRSV1>
+<CCSTMTTRNRS>
+<TRNUID>0
+<STATUS>
+<CODE>0
+<SEVERITY>INFO
+</STATUS>
+<CCSTMTRS>
+<CURDEF>${options.currency}
+<CCACCTFROM>
+<ACCTID>${escapeOfxText(options.accountId)}
+</CCACCTFROM>
+<BANKTRANLIST>
+<DTSTART>${formatOfxDate(options.startDate)}
+<DTEND>${formatOfxDate(options.endDate)}`);
+  for (const trn of options.transactions) {
+    parts.push(generateTransaction(trn));
+  }
+  parts.push("</BANKTRANLIST>");
+  if (options.ledgerBalance) {
+    parts.push(`<LEDGERBAL>
+<BALAMT>${formatAmount(options.ledgerBalance.amount)}
+<DTASOF>${formatOfxDate(options.ledgerBalance.asOfDate)}
+</LEDGERBAL>`);
+  }
+  if (options.availableBalance) {
+    parts.push(`<AVAILBAL>
+<BALAMT>${formatAmount(options.availableBalance.amount)}
+<DTASOF>${formatOfxDate(options.availableBalance.asOfDate)}
+</AVAILBAL>`);
+  }
+  parts.push(`</CCSTMTRS>
+</CCSTMTTRNRS>
+</CREDITCARDMSGSRSV1>
+</OFX>`);
+  return parts.join(`
+`);
+}
 // src/parser.ts
+import { z as z3 } from "zod";
 var CHARSET_MAP = {
   "1252": "windows-1252",
   "WINDOWS-1252": "windows-1252",
   CP1252: "windows-1252",
-  "8859-1": "iso-8859-1",
-  "ISO-8859-1": "iso-8859-1",
-  LATIN1: "iso-8859-1",
-  "LATIN-1": "iso-8859-1",
+  "8859-1": "windows-1252",
+  "ISO-8859-1": "windows-1252",
+  LATIN1: "windows-1252",
+  "LATIN-1": "windows-1252",
   "UTF-8": "utf-8",
   UTF8: "utf-8",
   NONE: "utf-8",
@@ -483,18 +552,10 @@ function getEncodingFromCharset(charset) {
   const normalized = charset.toUpperCase().trim();
   return CHARSET_MAP[normalized] ?? "windows-1252";
 }
-var ENTITY_MAP = {
-  "&amp;": "&",
-  "&apos;": "'",
-  "&gt;": ">",
-  "&lt;": "<",
-  "&quot;": '"'
-};
-var ENTITY_REGEX = /&(?:amp|lt|gt|quot|apos);/g;
-function decodeEntities(text) {
-  return text.replace(ENTITY_REGEX, (match) => ENTITY_MAP[match] ?? match);
-}
 function addToContent(content, key, value) {
+  if (key === "__proto__" || key === "constructor" || key === "prototype") {
+    return;
+  }
   const existing = content[key];
   if (existing !== undefined) {
     if (Array.isArray(existing)) {
@@ -558,7 +619,7 @@ function generateFitId(txn, index) {
   let hash = 0;
   for (let i = 0;i < input.length; i++) {
     hash = (hash << 5) - hash + input.charCodeAt(i);
-    hash = hash & hash;
+    hash = hash | 0;
   }
   return `AUTO${Math.abs(hash).toString(16).toUpperCase().padStart(8, "0")}`;
 }
@@ -642,7 +703,7 @@ function parse(content) {
   try {
     if (typeof content !== "string") {
       return {
-        error: new z2.ZodError([
+        error: new z3.ZodError([
           {
             code: "invalid_type",
             expected: "string",
@@ -655,7 +716,7 @@ function parse(content) {
     }
     if (content.trim() === "") {
       return {
-        error: new z2.ZodError([
+        error: new z3.ZodError([
           {
             code: "custom",
             message: "Content cannot be empty",
@@ -677,7 +738,7 @@ function parse(content) {
       success: true
     };
   } catch (err) {
-    if (err instanceof z2.ZodError) {
+    if (err instanceof z3.ZodError) {
       return { error: err, success: false };
     }
     throw err;
@@ -733,7 +794,7 @@ function hasUtf8MultiByte(buffer) {
 }
 function parseHeaderFromBuffer(buffer) {
   const maxHeaderSize = Math.min(buffer.length, 1000);
-  const headerSection = new TextDecoder("iso-8859-1").decode(buffer.slice(0, maxHeaderSize));
+  const headerSection = new TextDecoder("windows-1252").decode(buffer.slice(0, maxHeaderSize));
   const header = {};
   const singleLineMatch = headerSection.match(/^(OFXHEADER:\d+.*?)(?=<OFX|<\?xml)/is);
   if (singleLineMatch?.[1]) {
@@ -775,7 +836,7 @@ function parseBuffer(buffer) {
   try {
     if (!(buffer instanceof Uint8Array)) {
       return {
-        error: new z2.ZodError([
+        error: new z3.ZodError([
           {
             code: "invalid_type",
             expected: "object",
@@ -788,7 +849,7 @@ function parseBuffer(buffer) {
     }
     if (buffer.length === 0) {
       return {
-        error: new z2.ZodError([
+        error: new z3.ZodError([
           {
             code: "custom",
             message: "Buffer cannot be empty",
@@ -803,7 +864,7 @@ function parseBuffer(buffer) {
     const content = decoder.decode(buffer);
     return parse(content);
   } catch (err) {
-    if (err instanceof z2.ZodError) {
+    if (err instanceof z3.ZodError) {
       return { error: err, success: false };
     }
     throw err;
@@ -817,19 +878,6 @@ function parseBufferOrThrow(buffer) {
   return result.data;
 }
 // src/stream.ts
-var ENTITY_MAP2 = {
-  "&amp;": "&",
-  "&apos;": "'",
-  "&gt;": ">",
-  "&lt;": "<",
-  "&quot;": '"'
-};
-var ENTITY_REGEX2 = /&(?:amp|lt|gt|quot|apos);/g;
-function decodeEntities2(text) {
-  if (!text.includes("&"))
-    return text;
-  return text.replace(ENTITY_REGEX2, (match) => ENTITY_MAP2[match] ?? match);
-}
 function parseHeaderFromBuffer2(buffer) {
   const lines = buffer.split(/\r?\n/);
   const header = {};
@@ -966,7 +1014,7 @@ async function* parseStream(input, options) {
           state.objectStack.length = Math.max(pathIndex + 1, 1);
         }
       } else if (textContent) {
-        const decoded = decodeEntities2(textContent);
+        const decoded = decodeEntities(textContent);
         const existing = currentObj[tagName];
         if (existing !== undefined) {
           if (Array.isArray(existing)) {
@@ -1015,7 +1063,7 @@ async function* parseStream(input, options) {
           combined.set(chunk, offset);
           offset += chunk.length;
         }
-        const headerSection = new TextDecoder("iso-8859-1").decode(combined.slice(0, Math.min(combined.length, 1000)));
+        const headerSection = new TextDecoder("windows-1252").decode(combined.slice(0, Math.min(combined.length, 1000)));
         if (headerSection.includes("<OFX") || headerSection.includes("<?xml")) {
           const charsetMatch = headerSection.match(/CHARSET:(\S+)/i);
           if (charsetMatch && !detectedEncoding) {
@@ -1088,7 +1136,7 @@ async function* parseBatchStream(files, options) {
     yield { type: "file_start", fileIndex: i, filename: file.filename };
     try {
       let fileTransactionCount = 0;
-      const headerSection = new TextDecoder("iso-8859-1").decode(file.buffer.slice(0, Math.min(file.buffer.length, 1000)));
+      const headerSection = new TextDecoder("windows-1252").decode(file.buffer.slice(0, Math.min(file.buffer.length, 1000)));
       const charsetMatch = headerSection.match(/CHARSET:(\S+)/i);
       const encoding = charsetMatch ? getEncodingFromCharset(charsetMatch[1]) : options?.encoding ?? "utf-8";
       const decoder = new TextDecoder(encoding);
@@ -1196,8 +1244,12 @@ export {
   getEncodingFromCharset,
   getBalance,
   getAccountInfo,
+  generateTransactionInputSchema,
+  generateHeaderOptionsSchema,
   generateHeader,
+  generateCreditCardStatementOptionsSchema,
   generateCreditCardStatement,
+  generateBankStatementOptionsSchema,
   generateBankStatement,
   formatOfxDate
 };

package/package.json

@@ -3,14 +3,14 @@
       "url": "https://github.com/F-O-T/montte-nx/issues"
    },
    "dependencies": {
-      "zod": "4.1.13"
+      "zod": "4.2.1"
    },
    "description": "Typesafe ofx handling",
    "devDependencies": {
-      "@biomejs/biome": "2.3.8",
-      "@types/bun": "1.3.3",
+      "@biomejs/biome": "2.3.10",
+      "@types/bun": "1.3.5",
       "bumpp": "10.3.2",
-      "bunup": "0.16.10",
+      "bunup": "0.16.11",
       "typescript": "5.9.3"
    },
    "exports": {
@@ -59,5 +59,5 @@
    },
    "type": "module",
    "types": "./dist/index.d.ts",
-   "version": "2.2.0"
+   "version": "2.3.1"
 }