@kitajs/ts-html-plugin 4.1.4 → 5.0.0-next.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +64 -37
- package/bin/index.js +8 -0
- package/dist/cli.d.ts +1 -2
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +9 -8
- package/dist/cli.js.map +1 -1
- package/dist/errors.d.ts +4 -4
- package/dist/errors.d.ts.map +1 -1
- package/dist/errors.js +15 -18
- package/dist/errors.js.map +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -1
- package/dist/index.js.map +1 -1
- package/dist/util.d.ts +2 -4
- package/dist/util.d.ts.map +1 -1
- package/dist/util.js +101 -38
- package/dist/util.js.map +1 -1
- package/package.json +23 -15
- package/src/cli.ts +229 -0
- package/src/errors.ts +34 -0
- package/src/index.ts +43 -0
- package/src/util.ts +438 -0
- package/dist/tsconfig.build.tsbuildinfo +0 -1
package/README.md
CHANGED
|
@@ -45,11 +45,12 @@
|
|
|
45
45
|
- [Running as CLI](#running-as-cli)
|
|
46
46
|
- [Handling Warnings](#handling-warnings)
|
|
47
47
|
- [Vscode](#vscode)
|
|
48
|
+
- [tsgo Compatibility](#tsgo-compatibility)
|
|
48
49
|
- [Error codes](#error-codes)
|
|
49
|
-
- [
|
|
50
|
-
- [
|
|
51
|
-
- [
|
|
52
|
-
- [
|
|
50
|
+
- [TS88601](#ts88601)
|
|
51
|
+
- [TS88602](#ts88602)
|
|
52
|
+
- [TS88603](#ts88603)
|
|
53
|
+
- [TS88604](#ts88604)
|
|
53
54
|
- [JSX](#jsx)
|
|
54
55
|
- [Special cases](#special-cases)
|
|
55
56
|
|
|
@@ -80,9 +81,8 @@ manager, and put this inside your `tsconfig.json`.
|
|
|
80
81
|
|
|
81
82
|
{
|
|
82
83
|
"compilerOptions": {
|
|
83
|
-
"jsx": "react",
|
|
84
|
-
"
|
|
85
|
-
"jsxFragmentFactory": "Html.Fragment",
|
|
84
|
+
"jsx": "react-jsx",
|
|
85
|
+
"jsxImportSource": "@kitajs/html",
|
|
86
86
|
"plugins": [{ "name": "@kitajs/ts-html-plugin" }]
|
|
87
87
|
}
|
|
88
88
|
}
|
|
@@ -94,7 +94,7 @@ manager, and put this inside your `tsconfig.json`.
|
|
|
94
94
|
|
|
95
95
|
## Running as CLI
|
|
96
96
|
|
|
97
|
-
You can also run this project as a CLI tool. Which is a great way to
|
|
97
|
+
You can also run this project as a CLI tool. Which is a great way to ensure project-wide
|
|
98
98
|
security. Also it's a great way to integrate with your CI/CD pipeline.
|
|
99
99
|
|
|
100
100
|
```sh
|
|
@@ -137,27 +137,27 @@ Sometimes, the plugin may not detect that a string or variable is safe for use a
|
|
|
137
137
|
emit warnings, even when you are confident there are no security issues. Here are ways to
|
|
138
138
|
address this:
|
|
139
139
|
|
|
140
|
-
1. **Keep using
|
|
141
|
-
|
|
142
|
-
|
|
140
|
+
1. **Keep using the `safe` Attribute:** Even if you are certain that the content is free
|
|
141
|
+
from XSS vulnerabilities, you can still use the `safe` attribute for added assurance.
|
|
142
|
+
After all, what's the problem of being safe twice?
|
|
143
143
|
|
|
144
144
|
```tsx
|
|
145
|
-
const html = <div safe>{content}</div
|
|
145
|
+
const html = <div safe>{content}</div>
|
|
146
146
|
```
|
|
147
147
|
|
|
148
148
|
2. **Prepend the Variable with `safe`:** Indicate to the plugin that you are confident the
|
|
149
149
|
variable is safe to use by adding `safe` before it.
|
|
150
150
|
|
|
151
151
|
```tsx
|
|
152
|
-
const safeContent = ''
|
|
153
|
-
const html = <div>{safeContent}</div
|
|
152
|
+
const safeContent = ''
|
|
153
|
+
const html = <div>{safeContent}</div>
|
|
154
154
|
```
|
|
155
155
|
|
|
156
156
|
3. **Cast to `'safe'`:** When using raw values or function calls without saving them into
|
|
157
157
|
a variable, you can append `as 'safe'` to the expression to inform the plugin.
|
|
158
158
|
|
|
159
159
|
```tsx
|
|
160
|
-
const html = <div>{content as 'safe'}</div
|
|
160
|
+
const html = <div>{content as 'safe'}</div>
|
|
161
161
|
```
|
|
162
162
|
|
|
163
163
|
<br />
|
|
@@ -178,9 +178,29 @@ current project's typescript version.
|
|
|
178
178
|
|
|
179
179
|
<br />
|
|
180
180
|
|
|
181
|
+
## tsgo Compatibility
|
|
182
|
+
|
|
183
|
+
[tsgo](https://github.com/microsoft/typescript-go) (the native TypeScript compiler
|
|
184
|
+
preview) does not currently implement support for Language Service Plugins. This means
|
|
185
|
+
that when using tsgo, your IDE will not show XSS warnings and errors from this plugin.
|
|
186
|
+
|
|
187
|
+
However, the `xss-scan` CLI tool will continue to work normally, as it uses the standard
|
|
188
|
+
TypeScript compiler APIs. You can still use `xss-scan` in your CI/CD pipeline to catch XSS
|
|
189
|
+
vulnerabilities even when developing with tsgo.
|
|
190
|
+
|
|
191
|
+
```sh
|
|
192
|
+
# This works regardless of whether you use tsgo or tsc
|
|
193
|
+
xss-scan
|
|
194
|
+
```
|
|
195
|
+
|
|
196
|
+
<br />
|
|
197
|
+
|
|
181
198
|
## Error codes
|
|
182
199
|
|
|
183
|
-
###
|
|
200
|
+
### TS88601
|
|
201
|
+
|
|
202
|
+
**Content may introduce an XSS vulnerability and must be marked with the `safe`
|
|
203
|
+
attribute.**
|
|
184
204
|
|
|
185
205
|
Usage of JSX expression without safe attribute. This could lead to XSS vulnerabilities.
|
|
186
206
|
Please use the safe attribute on the JSX element or prepend your variable with `safe`.
|
|
@@ -188,22 +208,24 @@ Please use the safe attribute on the JSX element or prepend your variable with `
|
|
|
188
208
|
```tsx
|
|
189
209
|
// ❌ Content variable may have a value of `<script>alert('xss')</script>`
|
|
190
210
|
// which will lead to XSS vulnerabilities.
|
|
191
|
-
const html = <div>{content}</div
|
|
211
|
+
const html = <div>{content}</div>
|
|
192
212
|
|
|
193
213
|
// ✅ Content variable may have a value of `<script>alert('xss')</script>`,
|
|
194
214
|
// but it's safe to use because it will get escaped to =
|
|
195
215
|
// `<script>alert('xss')</script>`.
|
|
196
|
-
const html = <div safe>{content}</div
|
|
216
|
+
const html = <div safe>{content}</div>
|
|
197
217
|
|
|
198
218
|
// ⚠️ Content variable may have a value of `<script>alert('xss')</script>`,
|
|
199
219
|
// but variable starts with safe, so the error is suppressed.
|
|
200
|
-
const safeContent = content
|
|
201
|
-
const html = <div>{safeContent}</div
|
|
220
|
+
const safeContent = content
|
|
221
|
+
const html = <div>{safeContent}</div>
|
|
202
222
|
```
|
|
203
223
|
|
|
204
224
|
<br />
|
|
205
225
|
|
|
206
|
-
###
|
|
226
|
+
### TS88602
|
|
227
|
+
|
|
228
|
+
**The `safe` attribute causes this content to be escaped more than once.**
|
|
207
229
|
|
|
208
230
|
Usage of safe attribute on a JSX element whose children contains other JSX elements. It
|
|
209
231
|
will lead to double escaping. If this is intended behavior, please extract the children
|
|
@@ -217,7 +239,7 @@ const html = (
|
|
|
217
239
|
<a safe>
|
|
218
240
|
<b>1</b>
|
|
219
241
|
</a>
|
|
220
|
-
)
|
|
242
|
+
)
|
|
221
243
|
|
|
222
244
|
// ✅ Safe attribute in the inner element will escape only the inner element.
|
|
223
245
|
// In this case the <b> tag will be escaped, resulting into
|
|
@@ -226,37 +248,42 @@ const html = (
|
|
|
226
248
|
<a>
|
|
227
249
|
<b safe>1</b>
|
|
228
250
|
</a>
|
|
229
|
-
)
|
|
251
|
+
)
|
|
230
252
|
```
|
|
231
253
|
|
|
232
254
|
<br />
|
|
233
255
|
|
|
234
|
-
###
|
|
256
|
+
### TS88603
|
|
257
|
+
|
|
258
|
+
**Content inside a Component must be escaped using escapeHtml().**
|
|
235
259
|
|
|
236
260
|
You are using a xss-prone element as a children of a component. Please wrap it into a
|
|
237
261
|
Html.escapeHtml() call or prepend it as a variable starting with `safe`.
|
|
238
262
|
|
|
239
|
-
This error is similar to [
|
|
240
|
-
need to use `Html.escapeHtml()` function because its a component and not a
|
|
263
|
+
This error is similar to [TS88601](#ts88601), but instead of using `safe` native
|
|
264
|
+
attribute, you need to use `Html.escapeHtml()` function because its a component and not a
|
|
265
|
+
native JSX.
|
|
241
266
|
|
|
242
267
|
```tsx
|
|
243
268
|
// ❌ Content variable may have a value of `<script>alert('xss')</script>`
|
|
244
269
|
// which will lead to XSS vulnerabilities.
|
|
245
|
-
const html = <Component>{content}</Component
|
|
270
|
+
const html = <Component>{content}</Component>
|
|
246
271
|
|
|
247
272
|
// ✅ Content variable may have a value of `<script>alert('xss')</script>`,
|
|
248
273
|
// but it's safe to use because you manually call the escape function.
|
|
249
|
-
const html = <Component>{Html.escapeHtml(content)}</Component
|
|
274
|
+
const html = <Component>{Html.escapeHtml(content)}</Component>
|
|
250
275
|
|
|
251
276
|
// ⚠️ Content variable may have a value of `<script>alert('xss')</script>`,
|
|
252
277
|
// but variable starts with safe, so the error is suppressed.
|
|
253
|
-
const safeContent = content
|
|
254
|
-
const html = <Component>{safeContent}</Component
|
|
278
|
+
const safeContent = content
|
|
279
|
+
const html = <Component>{safeContent}</Component>
|
|
255
280
|
```
|
|
256
281
|
|
|
257
282
|
<br />
|
|
258
283
|
|
|
259
|
-
###
|
|
284
|
+
### TS88604
|
|
285
|
+
|
|
286
|
+
**The `safe` attribute is unused in this context.**
|
|
260
287
|
|
|
261
288
|
You are using the safe attribute on expressions that does not contain any XSS
|
|
262
289
|
vulnerabilities. Please remove the safe attribute or prepend your variable with `unsafe`.
|
|
@@ -264,16 +291,16 @@ vulnerabilities. Please remove the safe attribute or prepend your variable with
|
|
|
264
291
|
```tsx
|
|
265
292
|
// ⚠️ The variable will never have any harmful XSS content, so the safe attribute is
|
|
266
293
|
// not needed and can be removed.
|
|
267
|
-
const html = <div safe>{numberVariable}</div
|
|
294
|
+
const html = <div safe>{numberVariable}</div>
|
|
268
295
|
|
|
269
296
|
// ✅ This variable will never have any harmful XSS content, so we can use it
|
|
270
297
|
// as is.
|
|
271
|
-
const html = <div>{numberVariable}</div
|
|
298
|
+
const html = <div>{numberVariable}</div>
|
|
272
299
|
|
|
273
300
|
// ✅ You manually told this plugin that the variable is unsafe, so errors will
|
|
274
301
|
// be thrown.
|
|
275
|
-
const unsafeVariable = numberVariable
|
|
276
|
-
const html = <div safe>{unsafeVariable}</div
|
|
302
|
+
const unsafeVariable = numberVariable
|
|
303
|
+
const html = <div safe>{unsafeVariable}</div>
|
|
277
304
|
```
|
|
278
305
|
|
|
279
306
|
<br />
|
|
@@ -291,14 +318,14 @@ information.
|
|
|
291
318
|
execute the content anyways.
|
|
292
319
|
|
|
293
320
|
```tsx
|
|
294
|
-
const html = <script>{content}</script
|
|
321
|
+
const html = <script>{content}</script>
|
|
295
322
|
```
|
|
296
323
|
|
|
297
324
|
2. Ternary and binary operations are evaluated in both sides separately and will throw
|
|
298
325
|
errors if any of the sides is not safe, even their condition never gets hit at runtime.
|
|
299
326
|
|
|
300
327
|
```tsx
|
|
301
|
-
const html = <div>{true ? safeContent : content}</div
|
|
328
|
+
const html = <div>{true ? safeContent : content}</div>
|
|
302
329
|
// ~~~~~~~
|
|
303
330
|
```
|
|
304
331
|
|
package/bin/index.js
ADDED
package/dist/cli.d.ts
CHANGED
package/dist/cli.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":""}
|
|
1
|
+
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAuGA,wBAAsB,IAAI,mBA6HzB"}
|
package/dist/cli.js
CHANGED
|
@@ -1,12 +1,14 @@
|
|
|
1
|
-
#!/usr/bin/env node
|
|
2
1
|
"use strict";
|
|
2
|
+
var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
3
|
+
return (mod && mod.__esModule) ? mod : { "default": mod };
|
|
4
|
+
};
|
|
3
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
4
|
-
|
|
5
|
-
const chalk_1 =
|
|
6
|
-
const node_fs_1 =
|
|
7
|
-
const node_path_1 =
|
|
8
|
-
const typescript_1 =
|
|
9
|
-
const yargs_1 =
|
|
6
|
+
exports.main = main;
|
|
7
|
+
const chalk_1 = __importDefault(require("chalk"));
|
|
8
|
+
const node_fs_1 = __importDefault(require("node:fs"));
|
|
9
|
+
const node_path_1 = __importDefault(require("node:path"));
|
|
10
|
+
const typescript_1 = __importDefault(require("typescript"));
|
|
11
|
+
const yargs_1 = __importDefault(require("yargs"));
|
|
10
12
|
const helpers_1 = require("yargs/helpers");
|
|
11
13
|
const util_1 = require("./util");
|
|
12
14
|
const { version } = require('../package.json');
|
|
@@ -167,5 +169,4 @@ async function main() {
|
|
|
167
169
|
console.log(chalk_1.default.green(`No XSS vulnerabilities found in ${files.length} files!`));
|
|
168
170
|
process.exit(0);
|
|
169
171
|
}
|
|
170
|
-
main().catch(console.error);
|
|
171
172
|
//# sourceMappingURL=cli.js.map
|
package/dist/cli.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";;;;;;AAAA,kDAAyB;AACzB,sDAAwB;AACxB,0DAA4B;AAC5B,4DAA2B;AAC3B,kDAAyB;AACzB,2CAAuC;AACvC,iCAAqD;AAErD,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAA;AAE9C,MAAM,IAAI,GAAG;;0BAEa,OAAO;;;;;;;;;;;;;;;;;;;;;;;;CAwBhC,CAAC,IAAI,EAAE,CAAA;AAER,SAAS,mBAAmB,CAAC,YAAoB;IAC/C,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,oBAAE,CAAC,cAAc,CAAC,YAAY,EAAE,oBAAE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IAE1E,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,EAAE,MAAM,EAAE,CAAC,KAAK,CAAC,EAAE,CAAA;IAC5B,CAAC;IAED,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,GAAG,oBAAE,CAAC,0BAA0B,CAClE,MAAM,EACN,oBAAE,CAAC,GAAG,EACN,mBAAI,CAAC,OAAO,CAAC,YAAY,CAAC,EAC1B,SAAS,EACT,YAAY,CACb,CAAA;IAED,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,OAAO,EAAE,MAAM,EAAE,CAAA;IACnB,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,CAAA;AAClD,CAAC;AAED,SAAS,qBAAqB,CAAC,WAA4B,EAAE,IAAY;IACvE,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAA;IAEvC,uCAAuC;IACvC,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;QACrC,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;YACrB,SAAQ;QACV,CAAC;QAED,MAAM,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAEhD,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;YACvB,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,GAAG,CAAC,CAAC,CAAA;YAC7C,SAAQ;QACV,CAAC;QAED,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAA;IACxC,CAAC;IAED,IAAI,KAAK,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACnB,OAAO,CAAC,KAAK,CACX,eAAK,CAAC,GAAG,CAAC,oBAAoB,WAAW,CAAC,MAAM,cAAc,KAAK,CAAC,IAAI,UAAU,CAAC,CACpF,CAAA;IACH,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC;QAC7C,OAAO,CAAC,KAAK,CACX,eAAK,CAAC,GAAG,CACP,SAAS,MAAM,SAAS,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,OAAO,mBAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,CAClF,CACF,CAAA;IACH,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,CAAS;IAC3B,IAAI,CAAC;QACH,iBAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAA;QACd,OAAO,IAAI,CAAA;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAEM,KAAK;IACV,MAAM,IAAI,GAAG,MAAM,IAAA,eAAK,EAAC,IAAA,iBAAO,EAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,IAAI,CAAA;IAEjF,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,CAAC,EAAE,CAAC;QACxB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;QACjB,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACxB,CAAC;IAED,4BAA4B;IAC5B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,GAAG,KAAK,GAAG,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YAChC,SAAQ;QACV,CAAC;QAED,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,KAAK,CAAC;YACX,KAAK,SAAS,CAAC;YACf,KAAK,GAAG,CAAC;YACT,KAAK,GAAG,CAAC;YACT,KAAK,YAAY;gBACf,SAAQ;YACV;gBACE,OAAO,CAAC,KAAK,CAAC,qBAAqB,GAAG,oCAAoC,CAAC,CAAA;gBAC3E,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QAC1B,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,CAAA;IAExD,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,CAAC,IAAI,eAAe,CAAC,CAAA;IAEtE,MAAM,UAAU,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,CAAC,CAAC,CAAA;IAEhD,MAAM,mBAAmB,GACvB,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,UAAU;QACjC,CAAC,CAAC,oBAAE,CAAC,iBAAiB;QACtB,CAAC,CAAC,oBAAE,CAAC,oCAAoC,CAAA;IAE7C,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9B,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,eAAK,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,kBAAkB,YAAY,EAAE,CAAC,CAAC,CAAA;QACnF,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACxB,CAAC;IAED,MAAM,QAAQ,GAAG,mBAAmB,CAAC,YAAY,CAAC,CAAA;IAElD,MAAM,cAAc,GAA6B;QAC/C,mBAAmB,EAAE,oBAAE,CAAC,GAAG,CAAC,mBAAmB;QAC/C,oBAAoB,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ;QAC5C,UAAU,EAAE,GAAG,EAAE,CAAC,oBAAE,CAAC,GAAG,CAAC,OAAO;KACjC,CAAA;IAED,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;QACpB,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,CAAA;QACnE,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACxB,CAAC;IAED,IAAI,KAAK,GAAG,QAAQ,CAAC,SAAS,CAAA;IAE9B,IAAI,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAClB,iFAAiF;QACjF,KAAK,GAAG,EAAE,CAAA;QAEV,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACvC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;YAE9B,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBACtB,OAAO,CAAC,KAAK,CACX,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,eAAK,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,4BAA4B,IAAI,SAAS,CAAC,CAC9E,CAAA;gBACD,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;YACxB,CAAC;YAED,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC5B,OAAO,CAAC,IAAI,CACV,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,eAAK,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CACnC,aAAa,IAAI,+BAA+B,CACjD,CACF,CAAA;gBACD,SAAQ;YACV,CAAC;YAED,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAClB,CAAC;IACH,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;QAClB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,eAAK,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,+BAA+B,CAAC,CAAC,CAAA;QAClF,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACxB,CAAC;IAED,MAAM,OAAO,GAAG,oBAAE,CAAC,aAAa,CAAC,KAAK,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAA;IACzD,MAAM,WAAW,GAAG,OAAO,CAAC,cAAc,EAAE,CAAA;IAC5C,MAAM,OAAO,GAAG,OAAO,CAAC,cAAc,EAAE,CAAA;IAExC,MAAM,WAAW,GAAoB,EAAE,CAAA;IAEvC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAA;QAEhC,uCAAuC;QACvC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;YAChC,SAAQ;QACV,CAAC;QAED,oBAAE,CAAC,YAAY,CAAC,MAAM,EAAE,SAAS,eAAe,CAAC,IAAI;YACnD,IAAA,mCAA4B,EAAC,oBAAE,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,CAAC,CAAA;QAClE,CAAC,CAAC,CAAA;IACJ,CAAC;IAED,IAAI,WAAW,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAC/B,CAAC,UAAU,EAAE,EAAE,CAAC,UAAU,CAAC,QAAQ,KAAK,oBAAE,CAAC,kBAAkB,CAAC,KAAK,CACpE,CAAA;QAED,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,WAAW,EAAE,cAAc,CAAC,CAAC,CAAA;QAE/D,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,qBAAqB,CAAC,WAAW,EAAE,IAAI,CAAC,CAAA;QAC1C,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;IAChC,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,KAAK,CAAC,mCAAmC,KAAK,CAAC,MAAM,SAAS,CAAC,CAAC,CAAA;IAClF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC"}
|
package/dist/errors.d.ts
CHANGED
|
@@ -1,17 +1,17 @@
|
|
|
1
1
|
export declare const Xss: {
|
|
2
|
-
code:
|
|
2
|
+
code: number;
|
|
3
3
|
message: string;
|
|
4
4
|
};
|
|
5
5
|
export declare const DoubleEscape: {
|
|
6
|
-
code:
|
|
6
|
+
code: number;
|
|
7
7
|
message: string;
|
|
8
8
|
};
|
|
9
9
|
export declare const ComponentXss: {
|
|
10
|
-
code:
|
|
10
|
+
code: number;
|
|
11
11
|
message: string;
|
|
12
12
|
};
|
|
13
13
|
export declare const UnusedSafe: {
|
|
14
|
-
code:
|
|
14
|
+
code: number;
|
|
15
15
|
message: string;
|
|
16
16
|
};
|
|
17
17
|
//# sourceMappingURL=errors.d.ts.map
|
package/dist/errors.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAeA,eAAO,MAAM,GAAG;;;CAGf,CAAA;AAED,eAAO,MAAM,YAAY;;;CAGxB,CAAA;AAED,eAAO,MAAM,YAAY;;;CAGxB,CAAA;AAED,eAAO,MAAM,UAAU;;;CAGtB,CAAA"}
|
package/dist/errors.js
CHANGED
|
@@ -1,23 +1,20 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
3
|
exports.UnusedSafe = exports.ComponentXss = exports.DoubleEscape = exports.Xss = void 0;
|
|
4
|
-
function
|
|
5
|
-
return
|
|
4
|
+
function createError(code, message) {
|
|
5
|
+
return {
|
|
6
|
+
code,
|
|
7
|
+
message: process.env.INTERNAL_DISABLE_URL_DOCS !== 'true'
|
|
8
|
+
? `${message}\nSee https://html.kitajs.org/TS${code}`
|
|
9
|
+
: message
|
|
10
|
+
};
|
|
6
11
|
}
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
exports.
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
exports.ComponentXss = {
|
|
16
|
-
code: '0 K603',
|
|
17
|
-
message: `Xss-prone content inside a Component, wrap it into a Html.escapeHtml() call. ${urlDocs('k603')}`
|
|
18
|
-
};
|
|
19
|
-
exports.UnusedSafe = {
|
|
20
|
-
code: '0 K604',
|
|
21
|
-
message: `Unused safe attribute. ${urlDocs('k604')}`
|
|
22
|
-
};
|
|
12
|
+
// 88600 is the base code for all errors in this plugin.
|
|
13
|
+
// KITA in ASCII
|
|
14
|
+
// 75 * 105 * 116 * 97 = 88609500
|
|
15
|
+
// Simplify to 88600
|
|
16
|
+
exports.Xss = createError(88601, `Content may introduce an XSS vulnerability and must be marked with the \`safe\` attribute.`);
|
|
17
|
+
exports.DoubleEscape = createError(88602, `The \`safe\` attribute causes this content to be escaped more than once.`);
|
|
18
|
+
exports.ComponentXss = createError(88603, `Content inside a Component must be escaped using escapeHtml().`);
|
|
19
|
+
exports.UnusedSafe = createError(88604, `The \`safe\` attribute is unused in this context.`);
|
|
23
20
|
//# sourceMappingURL=errors.js.map
|
package/dist/errors.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":";;;AAAA,SAAS,
|
|
1
|
+
{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":";;;AAAA,SAAS,WAAW,CAAC,IAAY,EAAE,OAAe;IAChD,OAAO;QACL,IAAI;QACJ,OAAO,EACL,OAAO,CAAC,GAAG,CAAC,yBAAyB,KAAK,MAAM;YAC9C,CAAC,CAAC,GAAG,OAAO,mCAAmC,IAAI,EAAE;YACrD,CAAC,CAAC,OAAO;KACd,CAAA;AACH,CAAC;AAED,wDAAwD;AACxD,gBAAgB;AAChB,iCAAiC;AACjC,oBAAoB;AAEP,QAAA,GAAG,GAAG,WAAW,CAC5B,KAAK,EACL,4FAA4F,CAC7F,CAAA;AAEY,QAAA,YAAY,GAAG,WAAW,CACrC,KAAK,EACL,0EAA0E,CAC3E,CAAA;AAEY,QAAA,YAAY,GAAG,WAAW,CACrC,KAAK,EACL,gEAAgE,CACjE,CAAA;AAEY,QAAA,UAAU,GAAG,WAAW,CACnC,KAAK,EACL,mDAAmD,CACpD,CAAA"}
|
package/dist/index.d.ts
CHANGED
|
@@ -2,7 +2,7 @@ import type { default as TS, server } from 'typescript/lib/tsserverlibrary';
|
|
|
2
2
|
declare const _default: (modules: {
|
|
3
3
|
typescript: typeof TS;
|
|
4
4
|
}) => {
|
|
5
|
-
create(info: server.PluginCreateInfo): TS.LanguageService;
|
|
5
|
+
create(info: Pick<server.PluginCreateInfo, 'languageService'>): TS.LanguageService;
|
|
6
6
|
};
|
|
7
7
|
export = _default;
|
|
8
8
|
//# sourceMappingURL=index.d.ts.map
|
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,IAAI,EAAE,EAAE,MAAM,EAAE,MAAM,gCAAgC,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,IAAI,EAAE,EAAE,MAAM,EAAE,MAAM,gCAAgC,CAAA;kCAG/C;IAAE,UAAU,EAAE,OAAO,EAAE,CAAA;CAAE;IAIjD,MAAM,OAAO,IAAI,CAAC,MAAM,CAAC,gBAAgB,EAAE,iBAAiB,CAAC;;AAJjE,kBAuCC"}
|
package/dist/index.js
CHANGED
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA,iCAAkE;AAElE,iBAAS,UAAU,OAAkC;IACnD,MAAM,EAAE,GAAG,OAAO,CAAC,UAAU,CAAA;IAE7B,OAAO;QACL,MAAM,CAAC,IAAsD;YAC3D,MAAM,KAAK,GAAG,IAAA,kBAAW,EAAC,IAAI,CAAC,eAAe,CAAC,CAAA;YAE/C,KAAK,CAAC,sBAAsB,GAAG,SAAS,yBAAyB,CAAC,QAAQ;gBACxE,MAAM,WAAW,GAAG,IAAI,CAAC,eAAe,CAAC,sBAAsB,CAAC,QAAQ,CAAC,CAAA;gBAEzE,uCAAuC;gBACvC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC7D,OAAO,WAAW,CAAA;gBACpB,CAAC;gBAED,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,UAAU,EAAE,CAAA;gBAEjD,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,OAAO,WAAW,CAAA;gBACpB,CAAC;gBAED,MAAM,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAA;gBAE9C,IAAI,CAAC,MAAM,EAAE,CAAC;oBACZ,OAAO,WAAW,CAAA;gBACpB,CAAC;gBAED,MAAM,WAAW,GAAG,OAAO,CAAC,cAAc,EAAE,CAAA;gBAE5C,EAAE,CAAC,YAAY,CAAC,MAAM,EAAE,SAAS,eAAe,CAAC,IAAI;oBACnD,IAAA,mCAA4B,EAAC,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,WAAW,CAAC,CAAA;gBAClE,CAAC,CAAC,CAAA;gBAEF,OAAO,WAAW,CAAA;YACpB,CAAC,CAAA;YAED,OAAO,KAAK,CAAA;QACd,CAAC;KACF,CAAA;AACH,CAAC,CAAA"}
|
package/dist/util.d.ts
CHANGED
|
@@ -1,9 +1,7 @@
|
|
|
1
|
-
import
|
|
1
|
+
import { type JsxFragment, type JsxSelfClosingElement, type default as ts } from 'typescript';
|
|
2
2
|
import type { Diagnostic, JsxElement, JsxOpeningElement, Node, default as TS, Type, TypeChecker } from 'typescript/lib/tsserverlibrary';
|
|
3
|
-
/** If the node is a JSX element or fragment */
|
|
4
|
-
export declare function isJsx(ts: typeof TS, node: TS.Node): node is JsxElement | JsxFragment;
|
|
5
3
|
export declare function recursiveDiagnoseJsxElements(ts: typeof TS, node: Node, typeChecker: TypeChecker, original: Diagnostic[]): void;
|
|
6
|
-
export declare function diagnoseJsxElement(ts: typeof TS, node: JsxElement | JsxFragment, typeChecker: TypeChecker, diagnostics: Diagnostic[]): void;
|
|
4
|
+
export declare function diagnoseJsxElement(ts: typeof TS, node: JsxElement | JsxFragment | JsxSelfClosingElement, typeChecker: TypeChecker, diagnostics: Diagnostic[]): void;
|
|
7
5
|
export declare function isSafeAttribute(ts: typeof TS, type: Type | undefined, checker: TypeChecker, node: ts.Node): boolean;
|
|
8
6
|
export declare function getSafeAttribute(element: JsxOpeningElement): ts.JsxAttributeLike | undefined;
|
|
9
7
|
export declare function proxyObject<T extends object>(obj: T): T;
|
package/dist/util.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":"AAAA,OAAO,
|
|
1
|
+
{"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,WAAW,EAChB,KAAK,qBAAqB,EAC1B,KAAK,OAAO,IAAI,EAAE,EACnB,MAAM,YAAY,CAAA;AACnB,OAAO,KAAK,EAEV,UAAU,EACV,UAAU,EACV,iBAAiB,EACjB,IAAI,EACJ,OAAO,IAAI,EAAE,EACb,IAAI,EACJ,WAAW,EACZ,MAAM,gCAAgC,CAAA;AAgBvC,wBAAgB,4BAA4B,CAC1C,EAAE,EAAE,OAAO,EAAE,EACb,IAAI,EAAE,IAAI,EACV,WAAW,EAAE,WAAW,EACxB,QAAQ,EAAE,UAAU,EAAE,QAwBvB;AAkBD,wBAAgB,kBAAkB,CAChC,EAAE,EAAE,OAAO,EAAE,EACb,IAAI,EAAE,UAAU,GAAG,WAAW,GAAG,qBAAqB,EACtD,WAAW,EAAE,WAAW,EACxB,WAAW,EAAE,UAAU,EAAE,GACxB,IAAI,CA+FN;AAkED,wBAAgB,eAAe,CAC7B,EAAE,EAAE,OAAO,EAAE,EACb,IAAI,EAAE,IAAI,GAAG,SAAS,EACtB,OAAO,EAAE,WAAW,EACpB,IAAI,EAAE,EAAE,CAAC,IAAI,GACZ,OAAO,CAkHT;AAED,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,iBAAiB,mCAQ1D;AAED,wBAAgB,WAAW,CAAC,CAAC,SAAS,MAAM,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC,CAUvD"}
|