@instructure/platform-assignment-review 0.4.10 → 0.4.11

Files changed (2)
  1. package/dist/index.js +6 -4
  2. package/package.json +2 -2
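--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -861,10 +861,11 @@ const vi = /* @__PURE__ */ new Set([
  "counter-increment",
  "content",
  // UI / interaction
- // pointer-events is included: RCE uses it legitimately (e.g. non-interactive
- // decorative overlays). It is not in the overlay-phishing class because it
- // cannot reposition elements — position/z-index remain blocked.
+ // pointer-events and z-index are safe: neither can reposition elements
+ // outside the container. The overlay-phishing risk comes from position:fixed/sticky,
+ // which SAFE_POSITION_VALUES strips.
  "pointer-events",
+ "z-index",
  "caret-color",
  "accent-color",
  "appearance"
@@ -922,7 +923,8 @@ const vi = /* @__PURE__ */ new Set([
  // expressions; `arg` labels sub-expressions referenced by intent.
  // These are plain string annotations — no URL-loading, no code execution.
  "intent",
- "arg"
+ "arg",
+ "loading"
  ],
  // Rails UJS turns data-method/data-remote/etc. on clickable elements into
  // state-changing requests carrying the victim's CSRF token. Strip them so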
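Review bot: The rationale added above `"z-index"` in the first hunk rests on two guarantees that live outside this list and are not stated where a maintainer would look: that `SAFE_POSITION_VALUES` keeps rejecting `fixed`/`sticky`, and that the element rendering sanitized content forms its own stacking context and clips overflow. If positioned values such as `absolute` or `relative` are permitted (inferred from the comment, not visible in the hunk), a large z-index can still stack user content over sibling UI in a shared stacking context, so the comment should name that dependency, e.g. `// z-index is safe only while the rendering container isolates stacking (isolation: isolate) and clips overflow`. A regression test that pairs `z-index` with every value in `SAFE_POSITION_VALUES` would keep the two lists from drifting apart. In the second hunk, `"loading"` is appended under a comment that describes `intent`/`arg` as annotations with "no URL-loading"; if this is the HTML `loading` attribute, it controls when a resource is fetched and needs its own justification line, ideally with the accepted values limited to `lazy` and `eager`. The enclosing literals begin and end outside both hunks.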
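--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@instructure/platform-assignment-review",
- "version": "0.4.10",
+ "version": "0.4.11",
  "type": "module",
  "main": "./dist/index.js",
  "module": "./dist/index.js",
@@ -39,7 +39,7 @@
  "graphql": "^16.0.0",
  "graphql-tag": "^2.12.0",
  "zod": "^3.23.8",
- "@instructure/platform-sanitize": "0.3.13"
+ "@instructure/platform-sanitize": "0.3.14"
  },
  "devDependencies": {
  "@testing-library/jest-dom": "^6.9.1",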