@magneticjs/server 0.1.3 → 0.1.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@magneticjs/server",
-  "version": "0.1.3",
+  "version": "0.1.4",
   "description": "Magnetic server-driven UI framework — JSX runtime, router, SSR",
   "type": "module",
   "exports": {

package/src/jsx-runtime.ts

@@ -26,9 +26,11 @@ type Component = (props: any) => DomNode;
  * Client-side navigation link. Renders an <a> that magnetic.js intercepts
  * to do pushState + send navigate action (no full page reload).
  */
-export function Link(props: { href: string; children?: Child | Child[]; class?: string; [k: string]: unknown }): DomNode {
-  const { href, children, ...rest } = props;
-  return jsx('a', { ...rest, href, onClick: `navigate:${href}`, children }, undefined);
+export function Link(props: { href: string; prefetch?: boolean; children?: Child | Child[]; class?: string; [k: string]: unknown }): DomNode {
+  const { href, prefetch, children, ...rest } = props;
+  const extra: Record<string, unknown> = { ...rest, href, onClick: `navigate:${href}` };
+  if (prefetch) extra['data-prefetch'] = href;
+  return jsx('a', { ...extra, children }, undefined);
 }
 
 /**
@@ -44,6 +46,9 @@ export function Head({ children }: { children?: Child | Child[] }): DomNode {
   return { tag: 'magnetic:head', children: flat };
 }
 
+// URI attributes to sanitize against javascript: injection
+const URI_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);
+
 // Event prop prefix → event name mapping
 const EVENT_MAP: Record<string, string> = {
   onClick: 'click',
@@ -109,7 +114,11 @@ export function jsx(tag: string | Component, props: Props, key?: string | number
       continue;
     }
 
-    attrs[k] = String(v);
+    // Sanitize URI attributes — defense in depth against javascript: injection
+    const sv = String(v);
+    if (URI_ATTRS.has(k) && /^\s*javascript\s*:/i.test(sv)) continue;
+
+    attrs[k] = sv;
   }
 
   if (Object.keys(attrs).length) node.attrs = attrs;