@instructure/platform-assignment-review 0.4.9 → 0.4.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/dist/index.js +16 -4
  2. package/package.json +2 -2
package/dist/index.js CHANGED
@@ -739,6 +739,13 @@ const vi = /* @__PURE__ */ new Set([
739
739
  "border-style",
740
740
  "border-width",
741
741
  "border-radius",
742
+ // Chrome's CSSOM expands border-radius to these four longhands when iterating
743
+ // element.style — the shorthand itself never appears in the iterator, so the
744
+ // hook would strip all four corners unless they are explicitly listed here.
745
+ "border-top-left-radius",
746
+ "border-top-right-radius",
747
+ "border-bottom-right-radius",
748
+ "border-bottom-left-radius",
742
749
  "border-collapse",
743
750
  "border-spacing",
744
751
  "border-top",
@@ -763,6 +770,9 @@ const vi = /* @__PURE__ */ new Set([
763
770
  "outline-color",
764
771
  "outline-style",
765
772
  "outline-width",
773
+ // outline-offset is not part of the `outline` shorthand, so it must be listed
774
+ // separately or it is stripped when authored on its own (focus-ring styling).
775
+ "outline-offset",
766
776
  // list
767
777
  "list-style",
768
778
  "list-style-image",
@@ -851,10 +861,11 @@ const vi = /* @__PURE__ */ new Set([
851
861
  "counter-increment",
852
862
  "content",
853
863
  // UI / interaction
854
- // pointer-events is included: RCE uses it legitimately (e.g. non-interactive
855
- // decorative overlays). It is not in the overlay-phishing class because it
856
- // cannot reposition elements — position/z-index remain blocked.
864
+ // pointer-events and z-index are safe: neither can reposition elements
865
+ // outside the container. The overlay-phishing risk comes from position:fixed/sticky,
866
+ // which SAFE_POSITION_VALUES strips.
857
867
  "pointer-events",
868
+ "z-index",
858
869
  "caret-color",
859
870
  "accent-color",
860
871
  "appearance"
@@ -912,7 +923,8 @@ const vi = /* @__PURE__ */ new Set([
912
923
  // expressions; `arg` labels sub-expressions referenced by intent.
913
924
  // These are plain string annotations — no URL-loading, no code execution.
914
925
  "intent",
915
- "arg"
926
+ "arg",
927
+ "loading"
916
928
  ],
917
929
  // Rails UJS turns data-method/data-remote/etc. on clickable elements into
918
930
  // state-changing requests carrying the victim's CSRF token. Strip them so
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@instructure/platform-assignment-review",
3
- "version": "0.4.9",
3
+ "version": "0.4.11",
4
4
  "type": "module",
5
5
  "main": "./dist/index.js",
6
6
  "module": "./dist/index.js",
@@ -39,7 +39,7 @@
39
39
  "graphql": "^16.0.0",
40
40
  "graphql-tag": "^2.12.0",
41
41
  "zod": "^3.23.8",
42
- "@instructure/platform-sanitize": "0.3.12"
42
+ "@instructure/platform-sanitize": "0.3.14"
43
43
  },
44
44
  "devDependencies": {
45
45
  "@testing-library/jest-dom": "^6.9.1",