@floegence/flowersec-core 0.19.2 → 0.19.3

package/dist/proxy/serviceWorker.js

@@ -13,6 +13,28 @@ function normalizePathPrefix(name, v) {
         throw new Error(`${name} must not include scheme/host`);
     return s;
 }
+function normalizeRootRelativeScriptURL(name, v) {
+    if (typeof v !== "string")
+        throw new Error(`${name} must be a string`);
+    const s = v.trim();
+    if (s === "")
+        throw new Error(`${name} must be non-empty`);
+    if (s !== v)
+        throw new Error(`${name} must not contain leading or trailing whitespace`);
+    if (!s.startsWith("/"))
+        throw new Error(`${name} must start with "/"`);
+    if (s.startsWith("//"))
+        throw new Error(`${name} must not start with "//"`);
+    if (s.includes("://"))
+        throw new Error(`${name} must not include scheme/host`);
+    if (s.includes("\\"))
+        throw new Error(`${name} must not contain backslash`);
+    if (/[\s\u0000-\u001f\u007f]/.test(s))
+        throw new Error(`${name} must not contain whitespace or control characters`);
+    if (/[<>"'`]/.test(s))
+        throw new Error(`${name} must not contain HTML attribute delimiters`);
+    return s;
+}
 function normalizePathList(name, input) {
     const out = [];
     if (input == null || input.length === 0)
@@ -116,13 +138,9 @@ export function createProxyServiceWorkerScript(opts = {}) {
             }
         }
         else {
-            injectScriptUrl =
-                "scriptUrl" in injectHTML && typeof injectHTML.scriptUrl === "string"
-                    ? injectHTML.scriptUrl.trim()
-                    : "";
-            if (injectScriptUrl === "") {
+            if (!("scriptUrl" in injectHTML))
                 throw new Error("injectHTML.scriptUrl must be non-empty");
-            }
+            injectScriptUrl = normalizeRootRelativeScriptURL("injectHTML.scriptUrl", injectHTML.scriptUrl);
         }
     }
     return `// Generated by @floegence/flowersec-core/proxy
@@ -315,16 +333,16 @@ function injectBootstrap(html) {
   } else if (INJECT_MODE === "external_module") {
     snippet =
       '<script type="module" src="' +
-      INJECT_SCRIPT_URL +
+      escapeHTMLAttributeValue(INJECT_SCRIPT_URL) +
       '"' +
-      (RUNTIME_GLOBAL ? ' data-flowersec-runtime-global="' + RUNTIME_GLOBAL + '"' : "") +
+      (RUNTIME_GLOBAL ? ' data-flowersec-runtime-global="' + escapeHTMLAttributeValue(RUNTIME_GLOBAL) + '"' : "") +
       "></script>";
   } else if (INJECT_MODE === "external_script") {
     snippet =
       '<script src="' +
-      INJECT_SCRIPT_URL +
+      escapeHTMLAttributeValue(INJECT_SCRIPT_URL) +
       '"' +
-      (RUNTIME_GLOBAL ? ' data-flowersec-runtime-global="' + RUNTIME_GLOBAL + '"' : "") +
+      (RUNTIME_GLOBAL ? ' data-flowersec-runtime-global="' + escapeHTMLAttributeValue(RUNTIME_GLOBAL) + '"' : "") +
       "></script>";
   }
 
@@ -341,6 +359,21 @@ function injectBootstrap(html) {
   return snippet + html;
 }
 
+function escapeHTMLAttributeValue(value) {
+  return String(value).replace(/[&<>"'\`=]/g, (ch) => {
+    switch (ch) {
+      case "&": return "&amp;";
+      case "<": return "&lt;";
+      case ">": return "&gt;";
+      case '"': return "&quot;";
+      case "'": return "&#39;";
+      case "\`": return "&#96;";
+      case "=": return "&#61;";
+      default: return ch;
+    }
+  });
+}
+
 self.addEventListener("fetch", (event) => {
   const url = new URL(event.request.url);
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@floegence/flowersec-core",
-  "version": "0.19.2",
+  "version": "0.19.3",
   "description": "Flowersec core TypeScript library (browser-friendly E2EE + multiplexing over WebSocket).",
   "license": "MIT",
   "repository": {