npm - @nsshunt/stsuxvue - Versions diffs - 1.0.123 → 1.0.124 - Mend

@nsshunt/stsuxvue 1.0.123 → 1.0.124

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/stsuxvue.cjs +66 -19
package/dist/stsuxvue.cjs.map +1 -1
package/dist/stsuxvue.mjs +66 -19
package/dist/stsuxvue.mjs.map +1 -1
package/package.json +12 -12
package/types/Views/UXModelNavigatorView.vue.d.ts +3 -0
package/types/Views/UXModelNavigatorView.vue.d.ts.map +1 -1
package/types/Views/UXModelNavigatorViewSingle.vue.d.ts +3 -0
package/types/Views/UXModelNavigatorViewSingle.vue.d.ts.map +1 -1

package/dist/stsuxvue.cjs CHANGED Viewed

@@ -6036,7 +6036,7 @@ var import_ansi_to_html = /* @__PURE__ */ __toESM((/* @__PURE__ */ __commonJSMin
 		return Filter;
 	}();
 })))(), 1);
-/*! @license DOMPurify 3.4.3 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.4.3/LICENSE */
+/*! @license DOMPurify 3.4.5 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.4.5/LICENSE */
 function _arrayLikeToArray(r, a) {
 	(null == a || a > r.length) && (a = r.length);
 	for (var e = 0, n = Array(a); e < a; e++) n[e] = r[e];
@@ -6543,6 +6543,8 @@ var html = freeze([
 	"color",
 	"cols",
 	"colspan",
+	"command",
+	"commandfor",
 	"controls",
 	"controlslist",
 	"coords",
@@ -6956,7 +6958,7 @@ var _createHooksMap = function _createHooksMap() {
 function createDOMPurify() {
 	let window = arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : getGlobal$1();
 	const DOMPurify = (root) => createDOMPurify(root);
-	DOMPurify.version = "3.4.3";
+	DOMPurify.version = "3.4.5";
 	DOMPurify.removed = [];
 	if (!window || !window.document || window.document.nodeType !== NODE_TYPE.document || !window.Element) {
 		DOMPurify.isSupported = false;
@@ -6972,6 +6974,7 @@ function createDOMPurify() {
 	const getNextSibling = lookupGetter(ElementPrototype, "nextSibling");
 	const getChildNodes = lookupGetter(ElementPrototype, "childNodes");
 	const getParentNode = lookupGetter(ElementPrototype, "parentNode");
+	const getNodeType = Node && Node.prototype ? lookupGetter(Node.prototype, "nodeType") : null;
 	if (typeof HTMLTemplateElement === "function") {
 		const template = document.createElement("template");
 		if (template.content && template.content.ownerDocument) document = template.content.ownerDocument;
@@ -7390,6 +7393,42 @@ function createDOMPurify() {
 		return createNodeIterator.call(root.ownerDocument || root, root, NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT | NodeFilter.SHOW_PROCESSING_INSTRUCTION | NodeFilter.SHOW_CDATA_SECTION, null);
 	};
 	/**
+	* Strip template-engine expressions ({{...}}, ${...}, <%...%>) from the
+	* character data of an element subtree. Used as the final safety net for
+	* SAFE_FOR_TEMPLATES on every DOM-returning code path so that expressions
+	* which only form after text-node normalization (e.g. fragments split across
+	* stripped elements) cannot survive into a template-evaluating framework.
+	*
+	* Walks text/comment/CDATA/processing-instruction nodes and mutates `.data`
+	* in place rather than round-tripping through innerHTML. This preserves
+	* descendant node references (important for IN_PLACE callers), avoids a
+	* serialize/reparse cycle, and reads literal character data — which means
+	* `<%...%>` in text content matches the ERB regex against its real bytes
+	* instead of the HTML-entity-escaped form innerHTML would produce.
+	*
+	* Attribute values are not visited here; SAFE_FOR_TEMPLATES handling for
+	* attributes is performed during the per-node `_sanitizeAttributes` pass.
+	*
+	* @param node The root element whose character data should be scrubbed.
+	*/
+	const _scrubTemplateExpressions = function _scrubTemplateExpressions(node) {
+		node.normalize();
+		const walker = createNodeIterator.call(node.ownerDocument || node, node, NodeFilter.SHOW_TEXT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_CDATA_SECTION | NodeFilter.SHOW_PROCESSING_INSTRUCTION, null);
+		let currentNode = walker.nextNode();
+		while (currentNode) {
+			let data = currentNode.data;
+			arrayForEach([
+				MUSTACHE_EXPR$1,
+				ERB_EXPR$1,
+				TMPLIT_EXPR$1
+			], (expr) => {
+				data = stringReplace(data, expr, " ");
+			});
+			currentNode.data = data;
+			currentNode = walker.nextNode();
+		}
+	};
+	/**
 	* _isClobbered
 	*
 	* @param element element to check for clobbering attacks
@@ -7399,13 +7438,29 @@ function createDOMPurify() {
 		return element instanceof HTMLFormElement && (typeof element.nodeName !== "string" || typeof element.textContent !== "string" || typeof element.removeChild !== "function" || !(element.attributes instanceof NamedNodeMap) || typeof element.removeAttribute !== "function" || typeof element.setAttribute !== "function" || typeof element.namespaceURI !== "string" || typeof element.insertBefore !== "function" || typeof element.hasChildNodes !== "function");
 	};
 	/**
-	* Checks whether the given object is a DOM node.
+	* Checks whether the given object is a DOM node, including nodes that
+	* originate from a different window/realm (e.g. an iframe's
+	* contentDocument). The previous `value instanceof Node` check was
+	* realm-bound: nodes from a different window failed it, causing
+	* sanitize() to silently stringify them and reset IN_PLACE to false,
+	* returning the original node unsanitized. See GHSA-4w3q-35jp-p934.
+	*
+	* Implementation: call the cached `nodeType` getter from Node.prototype
+	* directly on the value. This bypasses any clobbered instance property
+	* (e.g. a child element named "nodeType") and works across realms
+	* because the WebIDL `nodeType` getter reads an internal slot that
+	* every real Node has, regardless of which window minted it.
 	*
 	* @param value object to check whether it's a DOM node
-	* @return true is object is a DOM node
+	* @return true if value is a DOM node from any realm
 	*/
 	const _isNode = function _isNode(value) {
-		return typeof Node === "function" && value instanceof Node;
+		if (!getNodeType || typeof value !== "object" || value === null) return false;
+		try {
+			return typeof getNodeType(value) === "number";
+		} catch (_) {
+			return false;
+		}
 	};
 	function _executeHooks(hooks, currentNode, data) {
 		arrayForEach(hooks, (hook) => {
@@ -7697,7 +7752,7 @@ function createDOMPurify() {
 				if (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName]) throw typeErrorCreate("root node is forbidden and cannot be sanitized in-place");
 			}
 			_sanitizeAttachedShadowRoots2(dirty);
-		} else if (dirty instanceof Node) {
+		} else if (_isNode(dirty)) {
 			body = _initDocument("<!---->");
 			importedNode = body.ownerDocument.importNode(dirty, true);
 			if (importedNode.nodeType === NODE_TYPE.element && importedNode.nodeName === "BODY") body = importedNode;
@@ -7716,20 +7771,12 @@ function createDOMPurify() {
 			_sanitizeAttributes(currentNode);
 			if (currentNode.content instanceof DocumentFragment) _sanitizeShadowDOM2(currentNode.content);
 		}
-		if (IN_PLACE) return dirty;
+		if (IN_PLACE) {
+			if (SAFE_FOR_TEMPLATES) _scrubTemplateExpressions(dirty);
+			return dirty;
+		}
 		if (RETURN_DOM) {
-			if (SAFE_FOR_TEMPLATES) {
-				body.normalize();
-				let html = body.innerHTML;
-				arrayForEach([
-					MUSTACHE_EXPR$1,
-					ERB_EXPR$1,
-					TMPLIT_EXPR$1
-				], (expr) => {
-					html = stringReplace(html, expr, " ");
-				});
-				body.innerHTML = html;
-			}
+			if (SAFE_FOR_TEMPLATES) _scrubTemplateExpressions(body);
 			if (RETURN_DOM_FRAGMENT) {
 				returnNode = createDocumentFragment.call(body.ownerDocument);
 				while (body.firstChild) returnNode.appendChild(body.firstChild);