@getforma/core 1.0.9 → 1.0.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -1
- package/dist/chunk-263HW3KN.cjs +35 -0
- package/dist/chunk-263HW3KN.cjs.map +1 -0
- package/dist/chunk-2QQBKQIF.js +30 -0
- package/dist/chunk-2QQBKQIF.js.map +1 -0
- package/dist/forma-runtime-csp.js +40 -2
- package/dist/forma-runtime.js +40 -2
- package/dist/formajs-runtime-hardened.global.js +40 -2
- package/dist/formajs-runtime-hardened.global.js.map +1 -1
- package/dist/formajs-runtime.global.js +40 -2
- package/dist/formajs-runtime.global.js.map +1 -1
- package/dist/runtime-hardened.cjs +40 -2
- package/dist/runtime-hardened.cjs.map +1 -1
- package/dist/runtime-hardened.js +40 -2
- package/dist/runtime-hardened.js.map +1 -1
- package/dist/runtime.cjs +18 -2
- package/dist/runtime.cjs.map +1 -1
- package/dist/runtime.js +18 -2
- package/dist/runtime.js.map +1 -1
- package/dist/ssr/index.cjs +23 -42
- package/dist/ssr/index.cjs.map +1 -1
- package/dist/ssr/index.js +23 -42
- package/dist/ssr/index.js.map +1 -1
- package/package.json +2 -2
|
@@ -607,7 +607,35 @@ function createReconciler(config) {
|
|
|
607
607
|
};
|
|
608
608
|
}
|
|
609
609
|
|
|
610
|
+
// src/security/url-safety.ts
|
|
611
|
+
var URL_IGNORED_CHARS_RE = /[\u0000-\u0020\u007F-\u009F]/g;
|
|
612
|
+
var DANGEROUS_SCHEME_RE = /^(?:javascript|vbscript|data:text\/html)/i;
|
|
613
|
+
var URL_ATTRS = /* @__PURE__ */ new Set([
|
|
614
|
+
"href",
|
|
615
|
+
"src",
|
|
616
|
+
"action",
|
|
617
|
+
"formaction",
|
|
618
|
+
"xlink:href",
|
|
619
|
+
"poster",
|
|
620
|
+
"background"
|
|
621
|
+
]);
|
|
622
|
+
function isUrlAttr(name) {
|
|
623
|
+
return URL_ATTRS.has(name.toLowerCase());
|
|
624
|
+
}
|
|
625
|
+
function isDangerousUrl(value2) {
|
|
626
|
+
const normalized = value2.replace(URL_IGNORED_CHARS_RE, "");
|
|
627
|
+
return DANGEROUS_SCHEME_RE.test(normalized);
|
|
628
|
+
}
|
|
629
|
+
function isEventHandlerAttr(name) {
|
|
630
|
+
return /^on/i.test(name);
|
|
631
|
+
}
|
|
632
|
+
|
|
610
633
|
// src/runtime.ts
|
|
634
|
+
function isUnsafeAttrBinding(name, value2) {
|
|
635
|
+
if (isEventHandlerAttr(name)) return true;
|
|
636
|
+
if (isUrlAttr(name) && isDangerousUrl(value2)) return true;
|
|
637
|
+
return false;
|
|
638
|
+
}
|
|
611
639
|
var _refetchRegistry = /* @__PURE__ */ new Map();
|
|
612
640
|
function $refetch(id) {
|
|
613
641
|
const fn = _refetchRegistry.get(id);
|
|
@@ -1572,7 +1600,12 @@ function cloneAttributeTemplates(el, item) {
|
|
|
1572
1600
|
if (attr.value.includes("{item")) {
|
|
1573
1601
|
const compiled = compileTemplate(attr.value);
|
|
1574
1602
|
entries.push({ attr: attr.name, compiled });
|
|
1575
|
-
|
|
1603
|
+
const value2 = evaluateCompiledTemplate(compiled, item);
|
|
1604
|
+
if (isUnsafeAttrBinding(attr.name, value2)) {
|
|
1605
|
+
node.removeAttribute(attr.name);
|
|
1606
|
+
} else {
|
|
1607
|
+
node.setAttribute(attr.name, value2);
|
|
1608
|
+
}
|
|
1576
1609
|
}
|
|
1577
1610
|
}
|
|
1578
1611
|
if (entries.length > 0) {
|
|
@@ -2344,7 +2377,12 @@ function bindElement(el, scope, disposers) {
|
|
|
2344
2377
|
if (val == null || val === false) {
|
|
2345
2378
|
el.removeAttribute(attrName);
|
|
2346
2379
|
} else {
|
|
2347
|
-
|
|
2380
|
+
const str = String(val);
|
|
2381
|
+
if (isUnsafeAttrBinding(attrName, str)) {
|
|
2382
|
+
el.removeAttribute(attrName);
|
|
2383
|
+
} else {
|
|
2384
|
+
el.setAttribute(attrName, str);
|
|
2385
|
+
}
|
|
2348
2386
|
}
|
|
2349
2387
|
});
|
|
2350
2388
|
disposers.push(dispose);
|