@getforma/core 1.0.9 → 1.0.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -1
- package/dist/chunk-263HW3KN.cjs +35 -0
- package/dist/chunk-263HW3KN.cjs.map +1 -0
- package/dist/chunk-2QQBKQIF.js +30 -0
- package/dist/chunk-2QQBKQIF.js.map +1 -0
- package/dist/forma-runtime-csp.js +40 -2
- package/dist/forma-runtime.js +40 -2
- package/dist/formajs-runtime-hardened.global.js +40 -2
- package/dist/formajs-runtime-hardened.global.js.map +1 -1
- package/dist/formajs-runtime.global.js +40 -2
- package/dist/formajs-runtime.global.js.map +1 -1
- package/dist/runtime-hardened.cjs +40 -2
- package/dist/runtime-hardened.cjs.map +1 -1
- package/dist/runtime-hardened.js +40 -2
- package/dist/runtime-hardened.js.map +1 -1
- package/dist/runtime.cjs +18 -2
- package/dist/runtime.cjs.map +1 -1
- package/dist/runtime.js +18 -2
- package/dist/runtime.js.map +1 -1
- package/dist/ssr/index.cjs +23 -42
- package/dist/ssr/index.cjs.map +1 -1
- package/dist/ssr/index.js +23 -42
- package/dist/ssr/index.js.map +1 -1
- package/package.json +2 -2
package/dist/runtime-hardened.js
CHANGED
|
@@ -605,7 +605,35 @@ function createReconciler(config) {
|
|
|
605
605
|
};
|
|
606
606
|
}
|
|
607
607
|
|
|
608
|
+
// src/security/url-safety.ts
|
|
609
|
+
var URL_IGNORED_CHARS_RE = /[\u0000-\u0020\u007F-\u009F]/g;
|
|
610
|
+
var DANGEROUS_SCHEME_RE = /^(?:javascript|vbscript|data:text\/html)/i;
|
|
611
|
+
var URL_ATTRS = /* @__PURE__ */ new Set([
|
|
612
|
+
"href",
|
|
613
|
+
"src",
|
|
614
|
+
"action",
|
|
615
|
+
"formaction",
|
|
616
|
+
"xlink:href",
|
|
617
|
+
"poster",
|
|
618
|
+
"background"
|
|
619
|
+
]);
|
|
620
|
+
function isUrlAttr(name) {
|
|
621
|
+
return URL_ATTRS.has(name.toLowerCase());
|
|
622
|
+
}
|
|
623
|
+
function isDangerousUrl(value2) {
|
|
624
|
+
const normalized = value2.replace(URL_IGNORED_CHARS_RE, "");
|
|
625
|
+
return DANGEROUS_SCHEME_RE.test(normalized);
|
|
626
|
+
}
|
|
627
|
+
function isEventHandlerAttr(name) {
|
|
628
|
+
return /^on/i.test(name);
|
|
629
|
+
}
|
|
630
|
+
|
|
608
631
|
// src/runtime.ts
|
|
632
|
+
function isUnsafeAttrBinding(name, value2) {
|
|
633
|
+
if (isEventHandlerAttr(name)) return true;
|
|
634
|
+
if (isUrlAttr(name) && isDangerousUrl(value2)) return true;
|
|
635
|
+
return false;
|
|
636
|
+
}
|
|
609
637
|
var _refetchRegistry = /* @__PURE__ */ new Map();
|
|
610
638
|
function $refetch(id) {
|
|
611
639
|
const fn = _refetchRegistry.get(id);
|
|
@@ -1570,7 +1598,12 @@ function cloneAttributeTemplates(el, item) {
|
|
|
1570
1598
|
if (attr.value.includes("{item")) {
|
|
1571
1599
|
const compiled = compileTemplate(attr.value);
|
|
1572
1600
|
entries.push({ attr: attr.name, compiled });
|
|
1573
|
-
|
|
1601
|
+
const value2 = evaluateCompiledTemplate(compiled, item);
|
|
1602
|
+
if (isUnsafeAttrBinding(attr.name, value2)) {
|
|
1603
|
+
node.removeAttribute(attr.name);
|
|
1604
|
+
} else {
|
|
1605
|
+
node.setAttribute(attr.name, value2);
|
|
1606
|
+
}
|
|
1574
1607
|
}
|
|
1575
1608
|
}
|
|
1576
1609
|
if (entries.length > 0) {
|
|
@@ -2342,7 +2375,12 @@ function bindElement(el, scope, disposers) {
|
|
|
2342
2375
|
if (val == null || val === false) {
|
|
2343
2376
|
el.removeAttribute(attrName);
|
|
2344
2377
|
} else {
|
|
2345
|
-
|
|
2378
|
+
const str = String(val);
|
|
2379
|
+
if (isUnsafeAttrBinding(attrName, str)) {
|
|
2380
|
+
el.removeAttribute(attrName);
|
|
2381
|
+
} else {
|
|
2382
|
+
el.setAttribute(attrName, str);
|
|
2383
|
+
}
|
|
2346
2384
|
}
|
|
2347
2385
|
});
|
|
2348
2386
|
disposers.push(dispose);
|