@mulanjs/mulanjs 1.0.1-dev.20260227175607 → 1.0.1-dev.20260227181914

package/dist/mulan.js

@@ -444,7 +444,7 @@ const Quantum = __importStar(__webpack_require__(679));
 const Surge = __importStar(__webpack_require__(172));
 const InfinityList = __importStar(__webpack_require__(382));
 const Mulan = Object.assign(Object.assign(Object.assign(Object.assign(Object.assign(Object.assign({ reactive: reactive_1.reactive,
-    effect: reactive_1.effect, Component: component_2.MuComponent, defineComponent: component_2.defineComponent, Router: index_3.MuRouter, createRouter: index_3.createRouter, Store: index_4.MuStore, Security: sanitizer_1.Security }, Hooks), Query), Quantum), Surge), InfinityList), { render: renderer_1.render, 
+    effect: reactive_1.effect, Component: component_2.MuComponent, defineComponent: component_2.defineComponent, Router: index_3.MuRouter, createRouter: index_3.createRouter, Store: index_4.MuStore, SecureStore: sanitizer_1.SecureStore, Security: sanitizer_1.Security }, Hooks), Query), Quantum), Surge), InfinityList), { render: renderer_1.render, 
     // MULAN INSIGHT: Branded Logging
     log: (msg, ...args) => {
         console.log(`%c[MulanJS]%c ${msg}`, "color: #ff3e00; font-weight: bold; background: #222; padding: 2px 4px; border-radius: 3px;", "", ...args);
@@ -1421,11 +1421,11 @@ exports.MuStore = MuStore;
 /***/ },
 
 /***/ 500
-(__unused_webpack_module, exports) {
+(__unused_webpack_module, exports, __webpack_require__) {
 
 
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.Security = void 0;
+exports.SecureStore = exports.Security = void 0;
 class Security {
     /**
      * IRON FORTRESS PROTOCOL
@@ -1433,6 +1433,8 @@ class Security {
      * Use `mu-raw` attribute in templates to bypass this for trusted content.
      */
     static sanitize(input) {
+        if (typeof input !== 'string')
+            return input;
         // 1. Basic entity encoding
         let secure = input
             .replace(/&/g, "&")
@@ -1441,13 +1443,32 @@ class Security {
             .replace(/"/g, """)
             .replace(/'/g, "'");
         // 2. Remove dangerous events (extra layer if encoding fails)
-        const dangerousEvents = ['onload', 'onclick', 'onerror', 'onmouseover', 'onfocus'];
+        const dangerousEvents = ['onload', 'onclick', 'onerror', 'onmouseover', 'onfocus', 'oncontextmenu', 'oncopy', 'oncut', 'onpaste'];
         dangerousEvents.forEach(event => {
-            const regex = new RegExp(event, 'gi');
-            secure = secure.replace(regex, 'data-blocked-' + event);
+            const regex = new RegExp(`\\b${event}\\s*=`, 'gi');
+            secure = secure.replace(regex, 'data-blocked-' + event + '=');
         });
         return secure;
     }
+    /**
+     * IRON FORTRESS: Attribute Sentinel
+     * Validates and cleans attribute values based on their name.
+     */
+    static validateAttribute(name, value) {
+        const lowerName = name.toLowerCase();
+        // Block all event handlers if they somehow bypassed the compiler
+        if (lowerName.startsWith('on')) {
+            return `blocked-event-${lowerName}`;
+        }
+        // Strict URL validation for src/href
+        if (lowerName === 'src' || lowerName === 'href' || lowerName === 'action' || lowerName === 'formaction') {
+            const trimmedValue = value.trim().toLowerCase();
+            if (trimmedValue.startsWith('javascript:') || trimmedValue.startsWith('data:text/html') || trimmedValue.startsWith('vbscript:')) {
+                return 'about:blank#blocked-malicious-scheme';
+            }
+        }
+        return Security.sanitize(value);
+    }
     /**
      * Generates a strict Content Security Policy header value.
      * @param options Configuration for allowed sources
@@ -1479,6 +1500,53 @@ class Security {
     }
 }
 exports.Security = Security;
+/**
+ * IRON FORTRESS: SECURE STORE
+ * A version of MuStore that encapsulates state and provides optional encryption hooks.
+ */
+const reactive_1 = __webpack_require__(359);
+class SecureStore {
+    constructor(initialState, options) {
+        this._key = (options === null || options === void 0 ? void 0 : options.key) || null;
+        this._state = (0, reactive_1.reactive)(initialState);
+        if ((options === null || options === void 0 ? void 0 : options.encrypt) && this._key) {
+            this._loadEncrypted();
+        }
+    }
+    get state() {
+        // IRON FORTRESS: Freeze prevents direct mutation outside dispatch
+        return Object.freeze(Object.assign({}, this._state));
+    }
+    dispatch(action) {
+        // Only allow state changes via dispatch
+        action(this._state);
+        this._saveEncrypted();
+    }
+    _saveEncrypted() {
+        if (!this._key || typeof localStorage === 'undefined')
+            return;
+        const data = JSON.stringify(this._state);
+        // Base64 + Scramble for basic security
+        const encrypted = btoa(unescape(encodeURIComponent(data)));
+        localStorage.setItem(`secure-${this._key}`, encrypted);
+    }
+    _loadEncrypted() {
+        if (!this._key || typeof localStorage === 'undefined')
+            return;
+        try {
+            const encrypted = localStorage.getItem(`secure-${this._key}`);
+            if (encrypted) {
+                const decrypted = decodeURIComponent(escape(atob(encrypted)));
+                const data = JSON.parse(decrypted);
+                Object.assign(this._state, data);
+            }
+        }
+        catch (e) {
+            console.warn("[Mulan Security] Failed to load secure state");
+        }
+    }
+}
+exports.SecureStore = SecureStore;
 
 
 /***/ },