@fileverse-dev/ddoc 4.1.11-patch-1 → 4.1.11-patch-3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{index-CqX0iYGN.mjs → index-CAQPA7Hs.mjs} +1 -1
- package/dist/{index-ES2pPSG6.mjs → index-k1yI08g6.mjs} +8644 -8618
- package/dist/index.es.js +1 -1
- package/dist/{markdown-source-pane-CL7ZPDWq.mjs → markdown-source-pane-BoxLMIir.mjs} +2 -2
- package/dist/package/utils/sanitize-css.d.ts +24 -24
- package/dist/{split-view-toolbar-Kh-dQ_qt.mjs → split-view-toolbar-ndChIJxD.mjs} +2 -2
- package/package.json +1 -1
package/dist/index.es.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import { D as e, a as o, E as t, P as d, e as r, h as i, m as n, d as E, c as l, u, v as C } from "./index-
|
|
1
|
+
import { D as e, a as o, E as t, P as d, e as r, h as i, m as n, d as E, c as l, u, v as C } from "./index-k1yI08g6.mjs";
|
|
2
2
|
export {
|
|
3
3
|
e as DdocEditor,
|
|
4
4
|
o as DdocExportModal,
|
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
var Vr = Object.defineProperty;
|
|
2
2
|
var Wr = (t, e, O) => e in t ? Vr(t, e, { enumerable: !0, configurable: !0, writable: !0, value: O }) : t[e] = O;
|
|
3
3
|
var gt = (t, e, O) => Wr(t, typeof e != "symbol" ? e + "" : e, O);
|
|
4
|
-
import { j as Cr } from "./index-
|
|
4
|
+
import { j as Cr } from "./index-k1yI08g6.mjs";
|
|
5
5
|
import { useRef as pe, useEffect as St } from "react";
|
|
6
|
-
import { s as y, A as pO, T as dO, a as Gr, S as et, b as Lr, P as fO, E as j, i as QO, c as _, D as le, k as tt, F as Ar, M as Pt, W as Er, R as Ur, d as mO, N as oe, e as V, f as Mr, g as Ot, h as ce, p as $O, j as Y, t as h, l as Ir, I as rt, L as at, m as ye, n as ue, o as Qe, q as gO, r as te, u as SO, v as Br, w as Nr, x as PO, y as kO, z as Dr, B as Fr, C as Kr, G as Oe, H as ZO, J as Jr, K as kt, O as Hr, Q as ea, U as ta, V as Oa, X as ra, Y as aa, Z as ia, _ as sa, $ as na, a0 as la, a1 as oa, a2 as ca } from "./index-
|
|
6
|
+
import { s as y, A as pO, T as dO, a as Gr, S as et, b as Lr, P as fO, E as j, i as QO, c as _, D as le, k as tt, F as Ar, M as Pt, W as Er, R as Ur, d as mO, N as oe, e as V, f as Mr, g as Ot, h as ce, p as $O, j as Y, t as h, l as Ir, I as rt, L as at, m as ye, n as ue, o as Qe, q as gO, r as te, u as SO, v as Br, w as Nr, x as PO, y as kO, z as Dr, B as Fr, C as Kr, G as Oe, H as ZO, J as Jr, K as kt, O as Hr, Q as ea, U as ta, V as Oa, X as ra, Y as aa, Z as ia, _ as sa, $ as na, a0 as la, a1 as oa, a2 as ca } from "./index-CAQPA7Hs.mjs";
|
|
7
7
|
class ua {
|
|
8
8
|
/**
|
|
9
9
|
Create a new completion context. (Mostly useful for testing
|
|
@@ -1,45 +1,45 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* Sanitize + validate author-supplied custom CSS before it is injected
|
|
3
|
-
* document.
|
|
2
|
+
* Sanitize + scope + validate author-supplied custom CSS before it is injected
|
|
3
|
+
* into the document.
|
|
4
4
|
*
|
|
5
|
-
*
|
|
6
|
-
*
|
|
7
|
-
*
|
|
8
|
-
*
|
|
9
|
-
*
|
|
10
|
-
*
|
|
11
|
-
*
|
|
12
|
-
*
|
|
5
|
+
* Authors write **normal, full-page CSS** — `body { … }`, `html body h1 { … }`,
|
|
6
|
+
* `h1 { … }`, `* { … }` — the way they'd style any web page. We transparently
|
|
7
|
+
* scope every rule to the document so it can't leak into the app, AND we map the
|
|
8
|
+
* page-root selectors (`html`, `body`, `:root`) onto the document root so that
|
|
9
|
+
* `body { background: … }` styles the doc surface and `html body h1 { … }`
|
|
10
|
+
* styles the doc's headings. No `.ProseMirror` prefix, no learning curve.
|
|
11
|
+
*
|
|
12
|
+
* Because the raw string reaches VIEWERS of a published doc, it is untrusted.
|
|
13
|
+
* Every selector is force-scoped (so a `}` breakout is neutralised — the escaped
|
|
14
|
+
* rule is simply scoped too), and dangerous declarations are stripped:
|
|
15
|
+
* - external resource loads / exfiltration: `url(…)`, `@import`;
|
|
16
|
+
* - clickjacking / UI redressing: `position: fixed | sticky`;
|
|
13
17
|
* - legacy script vectors: `expression()`, `-moz-binding`, `behavior:`.
|
|
14
18
|
*
|
|
15
|
-
*
|
|
16
|
-
*
|
|
17
|
-
*
|
|
18
|
-
* extra top-level rules with other selectors — we keep only `scope` rules and
|
|
19
|
-
* drop the rest. Dangerous declarations are stripped at every nesting level.
|
|
20
|
-
* The kept rules are re-serialized by the engine, so the output is always a
|
|
21
|
-
* valid, balanced stylesheet.
|
|
19
|
+
* We parse with the browser's own CSS engine (no dependency), rewrite each
|
|
20
|
+
* selector, strip dangerous declarations at every nesting level, and let the
|
|
21
|
+
* engine re-serialise — so the output is always a valid, balanced stylesheet.
|
|
22
22
|
*
|
|
23
|
-
* The sanitizer knows exactly what it removed, so it
|
|
24
|
-
* `diagnostics
|
|
25
|
-
*
|
|
23
|
+
* The sanitizer knows exactly what it removed, so it returns non-blocking
|
|
24
|
+
* `diagnostics`; the editing UI surfaces them (CSS is forgiving — we warn,
|
|
25
|
+
* never block).
|
|
26
26
|
*/
|
|
27
27
|
export interface CssDiagnostic {
|
|
28
28
|
level: 'warning' | 'error';
|
|
29
29
|
message: string;
|
|
30
30
|
}
|
|
31
31
|
export interface CssValidationResult {
|
|
32
|
-
/** Sanitized,
|
|
32
|
+
/** Sanitized, scoped CSS, safe to inject. '' when nothing survives. */
|
|
33
33
|
css: string;
|
|
34
34
|
/** What was stripped/ignored, deduped. Empty when the CSS was fully clean. */
|
|
35
35
|
diagnostics: CssDiagnostic[];
|
|
36
36
|
}
|
|
37
37
|
/**
|
|
38
|
-
* Sanitize AND report. Use this from the editing UI
|
|
38
|
+
* Sanitize + scope AND report. Use this from the editing UI for diagnostics.
|
|
39
39
|
*/
|
|
40
40
|
export declare const validateCustomCss: (raw: string | undefined | null, scope?: string) => CssValidationResult;
|
|
41
41
|
/**
|
|
42
|
-
* Sanitized CSS only — used at injection/export sinks that just need
|
|
43
|
-
* string. Diagnostics are surfaced separately via validateCustomCss.
|
|
42
|
+
* Sanitized + scoped CSS only — used at injection/export sinks that just need
|
|
43
|
+
* the safe string. Diagnostics are surfaced separately via validateCustomCss.
|
|
44
44
|
*/
|
|
45
45
|
export declare const sanitizeCustomCss: (raw: string | undefined | null, scope?: string) => string;
|
|
@@ -1,7 +1,7 @@
|
|
|
1
|
-
import { j as d } from "./index-
|
|
1
|
+
import { j as d } from "./index-k1yI08g6.mjs";
|
|
2
2
|
import { useRef as I, useState as N, useEffect as D } from "react";
|
|
3
3
|
import { DynamicDropdown as E, Tooltip as R, IconButton as O } from "@fileverse/ui";
|
|
4
|
-
import { a3 as A, a4 as P, c as y } from "./index-
|
|
4
|
+
import { a3 as A, a4 as P, c as y } from "./index-CAQPA7Hs.mjs";
|
|
5
5
|
const p = (e, t, o = t) => {
|
|
6
6
|
const { state: s } = e, l = s.changeByRange((n) => {
|
|
7
7
|
const u = s.sliceDoc(n.from, n.to), r = s.sliceDoc(
|