@nsshunt/stsuxvue 1.0.124 → 1.0.126

package/dist/stsuxvue.cjs

@@ -6036,7 +6036,7 @@ var import_ansi_to_html = /* @__PURE__ */ __toESM((/* @__PURE__ */ __commonJSMin
 		return Filter;
 	}();
 })))(), 1);
-/*! @license DOMPurify 3.4.5 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.4.5/LICENSE */
+/*! @license DOMPurify 3.4.9 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.4.9/LICENSE */
 function _arrayLikeToArray(r, a) {
 	(null == a || a > r.length) && (a = r.length);
 	for (var e = 0, n = Array(a); e < a; e++) n[e] = r[e];
@@ -6906,10 +6906,17 @@ var DOCTYPE_NAME = seal(/^html$/i);
 var CUSTOM_ELEMENT = seal(/^[a-z][.\w]*(-[.\w]+)+$/i);
 var NODE_TYPE = {
 	element: 1,
+	attribute: 2,
 	text: 3,
+	cdataSection: 4,
+	entityReference: 5,
+	entityNode: 6,
 	progressingInstruction: 7,
 	comment: 8,
-	document: 9
+	document: 9,
+	documentType: 10,
+	documentFragment: 11,
+	notation: 12
 };
 var getGlobal$1 = function getGlobal() {
 	return typeof window === "undefined" ? null : window;
@@ -6958,7 +6965,7 @@ var _createHooksMap = function _createHooksMap() {
 function createDOMPurify() {
 	let window = arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : getGlobal$1();
 	const DOMPurify = (root) => createDOMPurify(root);
-	DOMPurify.version = "3.4.5";
+	DOMPurify.version = "3.4.9";
 	DOMPurify.removed = [];
 	if (!window || !window.document || window.document.nodeType !== NODE_TYPE.document || !window.Element) {
 		DOMPurify.isSupported = false;
@@ -6967,20 +6974,58 @@ function createDOMPurify() {
 	let document = window.document;
 	const originalDocument = document;
 	const currentScript = originalDocument.currentScript;
-	const DocumentFragment = window.DocumentFragment, HTMLTemplateElement = window.HTMLTemplateElement, Node = window.Node, Element = window.Element, NodeFilter = window.NodeFilter, _window$NamedNodeMap = window.NamedNodeMap, NamedNodeMap = _window$NamedNodeMap === void 0 ? window.NamedNodeMap || window.MozNamedAttrMap : _window$NamedNodeMap, HTMLFormElement = window.HTMLFormElement, DOMParser = window.DOMParser, trustedTypes = window.trustedTypes;
+	window.DocumentFragment;
+	const HTMLTemplateElement = window.HTMLTemplateElement, Node = window.Node, Element = window.Element, NodeFilter = window.NodeFilter;
+	window.NamedNodeMap === void 0 && (window.NamedNodeMap || window.MozNamedAttrMap);
+	window.HTMLFormElement;
+	const DOMParser = window.DOMParser, trustedTypes = window.trustedTypes;
 	const ElementPrototype = Element.prototype;
 	const cloneNode = lookupGetter(ElementPrototype, "cloneNode");
 	const remove = lookupGetter(ElementPrototype, "remove");
 	const getNextSibling = lookupGetter(ElementPrototype, "nextSibling");
 	const getChildNodes = lookupGetter(ElementPrototype, "childNodes");
 	const getParentNode = lookupGetter(ElementPrototype, "parentNode");
+	const getShadowRoot = lookupGetter(ElementPrototype, "shadowRoot");
+	const getAttributes = lookupGetter(ElementPrototype, "attributes");
 	const getNodeType = Node && Node.prototype ? lookupGetter(Node.prototype, "nodeType") : null;
+	const getNodeName = Node && Node.prototype ? lookupGetter(Node.prototype, "nodeName") : null;
 	if (typeof HTMLTemplateElement === "function") {
 		const template = document.createElement("template");
 		if (template.content && template.content.ownerDocument) document = template.content.ownerDocument;
 	}
 	let trustedTypesPolicy;
 	let emptyHTML = "";
+	let defaultTrustedTypesPolicy;
+	let defaultTrustedTypesPolicyResolved = false;
+	let IN_TRUSTED_TYPES_POLICY = 0;
+	const _assertNotInTrustedTypesPolicy = function _assertNotInTrustedTypesPolicy() {
+		if (IN_TRUSTED_TYPES_POLICY > 0) throw typeErrorCreate("A configured TRUSTED_TYPES_POLICY callback (createHTML or createScriptURL) must not call DOMPurify.sanitize, as that causes infinite recursion. Do not pass a policy whose callbacks wrap DOMPurify as TRUSTED_TYPES_POLICY; see the \"DOMPurify and Trusted Types\" section of the README.");
+	};
+	const _createTrustedHTML = function _createTrustedHTML(html) {
+		_assertNotInTrustedTypesPolicy();
+		IN_TRUSTED_TYPES_POLICY++;
+		try {
+			return trustedTypesPolicy.createHTML(html);
+		} finally {
+			IN_TRUSTED_TYPES_POLICY--;
+		}
+	};
+	const _createTrustedScriptURL = function _createTrustedScriptURL(scriptUrl) {
+		_assertNotInTrustedTypesPolicy();
+		IN_TRUSTED_TYPES_POLICY++;
+		try {
+			return trustedTypesPolicy.createScriptURL(scriptUrl);
+		} finally {
+			IN_TRUSTED_TYPES_POLICY--;
+		}
+	};
+	const _getDefaultTrustedTypesPolicy = function _getDefaultTrustedTypesPolicy() {
+		if (!defaultTrustedTypesPolicyResolved) {
+			defaultTrustedTypesPolicy = _createTrustedTypesPolicy(trustedTypes, currentScript);
+			defaultTrustedTypesPolicyResolved = true;
+		}
+		return defaultTrustedTypesPolicy;
+	};
 	const _document = document, implementation = _document.implementation, createNodeIterator = _document.createNodeIterator, createDocumentFragment = _document.createDocumentFragment, getElementsByTagName = _document.getElementsByTagName;
 	const importNode = originalDocument.importNode;
 	let hooks = _createHooksMap();
@@ -7083,6 +7128,7 @@ function createDOMPurify() {
 		"noscript",
 		"plaintext",
 		"script",
+		"selectedcontent",
 		"style",
 		"svg",
 		"template",
@@ -7266,12 +7312,23 @@ function createDOMPurify() {
 		if (cfg.TRUSTED_TYPES_POLICY) {
 			if (typeof cfg.TRUSTED_TYPES_POLICY.createHTML !== "function") throw typeErrorCreate("TRUSTED_TYPES_POLICY configuration option must provide a \"createHTML\" hook.");
 			if (typeof cfg.TRUSTED_TYPES_POLICY.createScriptURL !== "function") throw typeErrorCreate("TRUSTED_TYPES_POLICY configuration option must provide a \"createScriptURL\" hook.");
+			const previousTrustedTypesPolicy = trustedTypesPolicy;
 			trustedTypesPolicy = cfg.TRUSTED_TYPES_POLICY;
-			emptyHTML = trustedTypesPolicy.createHTML("");
+			try {
+				emptyHTML = _createTrustedHTML("");
+			} catch (error) {
+				trustedTypesPolicy = previousTrustedTypesPolicy;
+				throw error;
+			}
+		} else if (cfg.TRUSTED_TYPES_POLICY === null) {
+			trustedTypesPolicy = void 0;
+			emptyHTML = "";
 		} else {
-			if (trustedTypesPolicy === void 0) trustedTypesPolicy = _createTrustedTypesPolicy(trustedTypes, currentScript);
-			if (trustedTypesPolicy !== null && typeof emptyHTML === "string") emptyHTML = trustedTypesPolicy.createHTML("");
+			if (trustedTypesPolicy === void 0) trustedTypesPolicy = _getDefaultTrustedTypesPolicy();
+			if (trustedTypesPolicy && typeof emptyHTML === "string") emptyHTML = _createTrustedHTML("");
 		}
+		if ((hooks.uponSanitizeElement.length > 0 || hooks.uponSanitizeAttribute.length > 0) && ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS) ALLOWED_TAGS = clone(ALLOWED_TAGS);
+		if (hooks.uponSanitizeAttribute.length > 0 && ALLOWED_ATTR === DEFAULT_ALLOWED_ATTR) ALLOWED_ATTR = clone(ALLOWED_ATTR);
 		if (freeze) freeze(cfg);
 		CONFIG = cfg;
 	};
@@ -7325,6 +7382,45 @@ function createDOMPurify() {
 			getParentNode(node).removeChild(node);
 		} catch (_) {
 			remove(node);
+			if (!getParentNode(node)) throw typeErrorCreate("a node selected for removal could not be detached from its tree and cannot be safely returned; refusing to sanitize in place");
+		}
+	};
+	/**
+	* _neutralizeRoot
+	*
+	* Fail-closed teardown of an in-place root after the sanitize walk aborts
+	* (campaign-3 F2). An internal throw mid-walk — e.g. a page-registered
+	* custom element's reaction detaches a node so `_forceRemove`'s deliberate
+	* parentless guard throws, or any other re-entrant engine mutation — would
+	* otherwise leave the caller's *live* tree half-sanitized, with everything
+	* after the abort point still carrying its handlers. There is no safe way
+	* to resume the walk (the tree mutated under us), so we strip the root bare:
+	* remove every child and every attribute, then let the caller's catch see
+	* the original error. Clobber-safe (cached `remove`/`childNodes`/`attributes`
+	* getters; the root was already clobber-pre-flighted at the IN_PLACE entry).
+	*
+	* @param root the in-place root to empty
+	*/
+	const _neutralizeRoot = function _neutralizeRoot(root) {
+		const childNodes = getChildNodes ? getChildNodes(root) : root.childNodes;
+		if (childNodes) {
+			const snapshot = [];
+			arrayForEach(childNodes, (child) => {
+				arrayPush(snapshot, child);
+			});
+			arrayForEach(snapshot, (child) => {
+				try {
+					remove(child);
+				} catch (_) {}
+			});
+		}
+		const attributes = getAttributes ? getAttributes(root) : null;
+		if (attributes) for (let i = attributes.length - 1; i >= 0; --i) {
+			const attribute = attributes[i];
+			const name = attribute && attribute.name;
+			if (typeof name === "string") try {
+				root.removeAttribute(name);
+			} catch (_) {}
 		}
 	};
 	/**
@@ -7354,6 +7450,59 @@ function createDOMPurify() {
 		} catch (_) {}
 	};
 	/**
+	* _stripDisallowedAttributes
+	*
+	* Removes every attribute the active configuration does not allow from a
+	* single element, using the same allowlist as the main attribute pass (so
+	* `on*` handlers go, but no `/^on/` blocklist is introduced). Used only to
+	* neutralise nodes that are being discarded from an in-place tree.
+	*
+	* @param element the element to strip
+	*/
+	const _stripDisallowedAttributes = function _stripDisallowedAttributes(element) {
+		const attributes = getAttributes ? getAttributes(element) : element.attributes;
+		if (!attributes) return;
+		for (let i = attributes.length - 1; i >= 0; --i) {
+			const attribute = attributes[i];
+			const name = attribute && attribute.name;
+			if (typeof name !== "string" || ALLOWED_ATTR[transformCaseFunc(name)]) continue;
+			try {
+				element.removeAttribute(name);
+			} catch (_) {}
+		}
+	};
+	/**
+	* _neutralizeSubtree
+	*
+	* Completes the audit-5 F1 fix across every removal path. The KEEP_CONTENT
+	* move-hoist neutralises only disallowed-tag removals; clobber, mXSS-canary,
+	* namespace, comment, processing-instruction and KEEP_CONTENT:false removals
+	* all drop their subtree wholesale via `_forceRemove`. On the IN_PLACE path
+	* those dropped nodes are detached from the caller's LIVE tree but a
+	* handler-bearing original among them (an `<img onerror>`/`<video>` that was
+	* loading) keeps its queued resource event, which fires in page scope after
+	* sanitize returns. This walks a removed subtree and strips every attribute
+	* the active configuration does not allow — so `on*` handlers are cancelled
+	* through the SAME allowlist that governs kept nodes, not a separate `/^on/`
+	* blocklist. Run synchronously before sanitize returns, i.e. before any
+	* queued event can fire. Hook-free by design: these nodes leave the output,
+	* so firing attribute hooks for them would be surprising. Clobber-safe reads;
+	* a doomed clobbered node may shadow `removeAttribute` (its own attributes are
+	* irrelevant — it is discarded — while its non-clobbered descendants, e.g.
+	* the `<img>`, are reached and scrubbed).
+	*
+	* @param root the root of a removed subtree to neutralise
+	*/
+	const _neutralizeSubtree = function _neutralizeSubtree(root) {
+		const stack = [root];
+		while (stack.length > 0) {
+			const node = stack.pop();
+			if ((getNodeType ? getNodeType(node) : node.nodeType) === NODE_TYPE.element) _stripDisallowedAttributes(node);
+			const childNodes = getChildNodes ? getChildNodes(node) : node.childNodes;
+			if (childNodes) for (let i = childNodes.length - 1; i >= 0; --i) stack.push(childNodes[i]);
+		}
+	};
+	/**
 	* _initDocument
 	*
 	* @param dirty - a string of dirty markup
@@ -7368,7 +7517,7 @@ function createDOMPurify() {
 			leadingWhitespace = matches && matches[0];
 		}
 		if (PARSER_MEDIA_TYPE === "application/xhtml+xml" && NAMESPACE === HTML_NAMESPACE) dirty = "<html xmlns=\"http://www.w3.org/1999/xhtml\"><head></head><body>" + dirty + "</body></html>";
-		const dirtyPayload = trustedTypesPolicy ? trustedTypesPolicy.createHTML(dirty) : dirty;
+		const dirtyPayload = trustedTypesPolicy ? _createTrustedHTML(dirty) : dirty;
 		if (NAMESPACE === HTML_NAMESPACE) try {
 			doc = new DOMParser().parseFromString(dirtyPayload, PARSER_MEDIA_TYPE);
 		} catch (_) {}
@@ -7411,7 +7560,8 @@ function createDOMPurify() {
 	*
 	* @param node The root element whose character data should be scrubbed.
 	*/
-	const _scrubTemplateExpressions = function _scrubTemplateExpressions(node) {
+	const _scrubTemplateExpressions2 = function _scrubTemplateExpressions(node) {
+		var _node$querySelectorAl, _node$querySelectorAl2;
 		node.normalize();
 		const walker = createNodeIterator.call(node.ownerDocument || node, node, NodeFilter.SHOW_TEXT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_CDATA_SECTION | NodeFilter.SHOW_PROCESSING_INSTRUCTION, null);
 		let currentNode = walker.nextNode();
@@ -7427,15 +7577,47 @@ function createDOMPurify() {
 			currentNode.data = data;
 			currentNode = walker.nextNode();
 		}
+		const templates = (_node$querySelectorAl = (_node$querySelectorAl2 = node.querySelectorAll) === null || _node$querySelectorAl2 === void 0 ? void 0 : _node$querySelectorAl2.call(node, "template")) !== null && _node$querySelectorAl !== void 0 ? _node$querySelectorAl : [];
+		arrayForEach(Array.from(templates), (tmpl) => {
+			if (_isDocumentFragment(tmpl.content)) _scrubTemplateExpressions2(tmpl.content);
+		});
 	};
 	/**
 	* _isClobbered
 	*
+	* Detect DOM-clobbering on HTMLFormElement nodes. Form is the only HTML
+	* interface with [LegacyOverrideBuiltIns]; a descendant element with a
+	* `name` attribute matching a prototype property shadows that property
+	* on direct reads. We use this check at the IN_PLACE entry-point and
+	* during attribute sanitization to refuse clobbered forms.
+	*
 	* @param element element to check for clobbering attacks
 	* @return true if clobbered, false if safe
 	*/
 	const _isClobbered = function _isClobbered(element) {
-		return element instanceof HTMLFormElement && (typeof element.nodeName !== "string" || typeof element.textContent !== "string" || typeof element.removeChild !== "function" || !(element.attributes instanceof NamedNodeMap) || typeof element.removeAttribute !== "function" || typeof element.setAttribute !== "function" || typeof element.namespaceURI !== "string" || typeof element.insertBefore !== "function" || typeof element.hasChildNodes !== "function");
+		const realTagName = getNodeName ? getNodeName(element) : null;
+		if (typeof realTagName !== "string") return false;
+		if (transformCaseFunc(realTagName) !== "form") return false;
+		return typeof element.nodeName !== "string" || typeof element.textContent !== "string" || typeof element.removeChild !== "function" || element.attributes !== getAttributes(element) || typeof element.removeAttribute !== "function" || typeof element.setAttribute !== "function" || typeof element.namespaceURI !== "string" || typeof element.insertBefore !== "function" || typeof element.hasChildNodes !== "function" || element.nodeType !== getNodeType(element) || element.childNodes !== getChildNodes(element);
+	};
+	/**
+	* Checks whether the given value is a DocumentFragment from any realm.
+	*
+	* The realm-independent replacement reads `nodeType` through the cached
+	* Node.prototype getter and compares to the DOCUMENT_FRAGMENT_NODE
+	* constant (11). nodeType is a numeric value resolved from the node's
+	* internal slot, identical across realms for the same kind of node.
+	*
+	* @param value object to check
+	* @return true if value is a DocumentFragment-shaped node from any realm
+	*/
+	const _isDocumentFragment = function _isDocumentFragment(value) {
+		if (!getNodeType || typeof value !== "object" || value === null) return false;
+		try {
+			return getNodeType(value) === NODE_TYPE.documentFragment;
+		} catch (_) {
+			return false;
+		}
 	};
 	/**
 	* Checks whether the given object is a DOM node, including nodes that
@@ -7445,12 +7627,6 @@ function createDOMPurify() {
 	* sanitize() to silently stringify them and reset IN_PLACE to false,
 	* returning the original node unsanitized. See GHSA-4w3q-35jp-p934.
 	*
-	* Implementation: call the cached `nodeType` getter from Node.prototype
-	* directly on the value. This bypasses any clobbered instance property
-	* (e.g. a child element named "nodeType") and works across realms
-	* because the WebIDL `nodeType` getter reads an internal slot that
-	* every real Node has, regardless of which window minted it.
-	*
 	* @param value object to check whether it's a DOM node
 	* @return true if value is a DOM node from any realm
 	*/
@@ -7483,7 +7659,7 @@ function createDOMPurify() {
 			_forceRemove(currentNode);
 			return true;
 		}
-		const tagName = transformCaseFunc(currentNode.nodeName);
+		const tagName = transformCaseFunc(getNodeName ? getNodeName(currentNode) : currentNode.nodeName);
 		_executeHooks(hooks.uponSanitizeElement, currentNode, {
 			tagName,
 			allowedTags: ALLOWED_TAGS
@@ -7510,20 +7686,20 @@ function createDOMPurify() {
 				if (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(tagName)) return false;
 			}
 			if (KEEP_CONTENT && !FORBID_CONTENTS[tagName]) {
-				const parentNode = getParentNode(currentNode) || currentNode.parentNode;
-				const childNodes = getChildNodes(currentNode) || currentNode.childNodes;
+				const parentNode = getParentNode(currentNode);
+				const childNodes = getChildNodes(currentNode);
 				if (childNodes && parentNode) {
 					const childCount = childNodes.length;
 					for (let i = childCount - 1; i >= 0; --i) {
-						const childClone = cloneNode(childNodes[i], true);
-						parentNode.insertBefore(childClone, getNextSibling(currentNode));
+						const hoisted = IN_PLACE ? childNodes[i] : cloneNode(childNodes[i], true);
+						parentNode.insertBefore(hoisted, getNextSibling(currentNode));
 					}
 				}
 			}
 			_forceRemove(currentNode);
 			return true;
 		}
-		if (currentNode instanceof Element && !_checkValidNamespace(currentNode)) {
+		if ((getNodeType ? getNodeType(currentNode) : currentNode.nodeType) === NODE_TYPE.element && !_checkValidNamespace(currentNode)) {
 			_forceRemove(currentNode);
 			return true;
 		}
@@ -7662,10 +7838,10 @@ function createDOMPurify() {
 			if (trustedTypesPolicy && typeof trustedTypes === "object" && typeof trustedTypes.getAttributeType === "function") if (namespaceURI);
 			else switch (trustedTypes.getAttributeType(lcTag, lcName)) {
 				case "TrustedHTML":
-					value = trustedTypesPolicy.createHTML(value);
+					value = _createTrustedHTML(value);
 					break;
 				case "TrustedScriptURL":
-					value = trustedTypesPolicy.createScriptURL(value);
+					value = _createTrustedScriptURL(value);
 					break;
 			}
 			if (value !== initValue) try {
@@ -7692,7 +7868,14 @@ function createDOMPurify() {
 			_executeHooks(hooks.uponSanitizeShadowNode, shadowNode, null);
 			_sanitizeElements(shadowNode);
 			_sanitizeAttributes(shadowNode);
-			if (shadowNode.content instanceof DocumentFragment) _sanitizeShadowDOM2(shadowNode.content);
+			if (_isDocumentFragment(shadowNode.content)) _sanitizeShadowDOM2(shadowNode.content);
+			if ((getNodeType ? getNodeType(shadowNode) : shadowNode.nodeType) === NODE_TYPE.element) {
+				const innerSr = getShadowRoot ? getShadowRoot(shadowNode) : shadowNode.shadowRoot;
+				if (_isDocumentFragment(innerSr)) {
+					_sanitizeAttachedShadowRoots(innerSr);
+					_sanitizeShadowDOM2(innerSr);
+				}
+			}
 		}
 		_executeHooks(hooks.afterSanitizeShadowDOM, fragment, null);
 	};
@@ -7715,19 +7898,45 @@ function createDOMPurify() {
 	*
 	* @param root the subtree root to walk for attached shadow roots
 	*/
-	const _sanitizeAttachedShadowRoots2 = function _sanitizeAttachedShadowRoots(root) {
-		if (root.nodeType === NODE_TYPE.element && root.shadowRoot instanceof DocumentFragment) {
-			const sr = root.shadowRoot;
-			_sanitizeAttachedShadowRoots2(sr);
-			_sanitizeShadowDOM2(sr);
-		}
-		const childNodes = root.childNodes;
-		if (!childNodes) return;
-		const snapshot = [];
-		arrayForEach(childNodes, (child) => {
-			arrayPush(snapshot, child);
-		});
-		for (const child of snapshot) _sanitizeAttachedShadowRoots2(child);
+	const _sanitizeAttachedShadowRoots = function _sanitizeAttachedShadowRoots(root) {
+		const stack = [{
+			node: root,
+			shadow: null
+		}];
+		while (stack.length > 0) {
+			const item = stack.pop();
+			if (item.shadow) {
+				_sanitizeShadowDOM2(item.shadow);
+				continue;
+			}
+			const node = item.node;
+			const isElement = (getNodeType ? getNodeType(node) : node.nodeType) === NODE_TYPE.element;
+			const childNodes = getChildNodes ? getChildNodes(node) : node.childNodes;
+			if (childNodes) for (let i = childNodes.length - 1; i >= 0; --i) stack.push({
+				node: childNodes[i],
+				shadow: null
+			});
+			if (isElement) {
+				const rootName = getNodeName ? getNodeName(node) : null;
+				if (typeof rootName === "string" && transformCaseFunc(rootName) === "template") {
+					const content = node.content;
+					if (_isDocumentFragment(content)) stack.push({
+						node: content,
+						shadow: null
+					});
+				}
+			}
+			if (isElement) {
+				const sr = getShadowRoot ? getShadowRoot(node) : node.shadowRoot;
+				if (_isDocumentFragment(sr)) stack.push({
+					node: null,
+					shadow: sr
+				}, {
+					node: sr,
+					shadow: null
+				});
+			}
+		}
 	};
 	DOMPurify.sanitize = function(dirty) {
 		let cfg = arguments.length > 1 && arguments[1] !== void 0 ? arguments[1] : {};
@@ -7744,39 +7953,53 @@ function createDOMPurify() {
 		if (!DOMPurify.isSupported) return dirty;
 		if (!SET_CONFIG) _parseConfig(cfg);
 		DOMPurify.removed = [];
-		if (typeof dirty === "string") IN_PLACE = false;
-		if (IN_PLACE) {
-			const nn = dirty.nodeName;
+		const inPlace = IN_PLACE && typeof dirty !== "string" && _isNode(dirty);
+		if (inPlace) {
+			const nn = getNodeName ? getNodeName(dirty) : dirty.nodeName;
 			if (typeof nn === "string") {
 				const tagName = transformCaseFunc(nn);
 				if (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName]) throw typeErrorCreate("root node is forbidden and cannot be sanitized in-place");
 			}
-			_sanitizeAttachedShadowRoots2(dirty);
+			if (_isClobbered(dirty)) throw typeErrorCreate("root node is clobbered and cannot be sanitized in-place");
+			try {
+				_sanitizeAttachedShadowRoots(dirty);
+			} catch (error) {
+				_neutralizeRoot(dirty);
+				throw error;
+			}
 		} else if (_isNode(dirty)) {
 			body = _initDocument("<!---->");
 			importedNode = body.ownerDocument.importNode(dirty, true);
 			if (importedNode.nodeType === NODE_TYPE.element && importedNode.nodeName === "BODY") body = importedNode;
 			else if (importedNode.nodeName === "HTML") body = importedNode;
 			else body.appendChild(importedNode);
-			_sanitizeAttachedShadowRoots2(importedNode);
+			_sanitizeAttachedShadowRoots(importedNode);
 		} else {
-			if (!RETURN_DOM && !SAFE_FOR_TEMPLATES && !WHOLE_DOCUMENT && dirty.indexOf("<") === -1) return trustedTypesPolicy && RETURN_TRUSTED_TYPE ? trustedTypesPolicy.createHTML(dirty) : dirty;
+			if (!RETURN_DOM && !SAFE_FOR_TEMPLATES && !WHOLE_DOCUMENT && dirty.indexOf("<") === -1) return trustedTypesPolicy && RETURN_TRUSTED_TYPE ? _createTrustedHTML(dirty) : dirty;
 			body = _initDocument(dirty);
 			if (!body) return RETURN_DOM ? null : RETURN_TRUSTED_TYPE ? emptyHTML : "";
 		}
 		if (body && FORCE_BODY) _forceRemove(body.firstChild);
-		const nodeIterator = _createNodeIterator(IN_PLACE ? dirty : body);
-		while (currentNode = nodeIterator.nextNode()) {
-			_sanitizeElements(currentNode);
-			_sanitizeAttributes(currentNode);
-			if (currentNode.content instanceof DocumentFragment) _sanitizeShadowDOM2(currentNode.content);
-		}
-		if (IN_PLACE) {
-			if (SAFE_FOR_TEMPLATES) _scrubTemplateExpressions(dirty);
+		const nodeIterator = _createNodeIterator(inPlace ? dirty : body);
+		try {
+			while (currentNode = nodeIterator.nextNode()) {
+				_sanitizeElements(currentNode);
+				_sanitizeAttributes(currentNode);
+				if (_isDocumentFragment(currentNode.content)) _sanitizeShadowDOM2(currentNode.content);
+			}
+		} catch (error) {
+			if (inPlace) _neutralizeRoot(dirty);
+			throw error;
+		}
+		if (inPlace) {
+			arrayForEach(DOMPurify.removed, (entry) => {
+				if (entry.element) _neutralizeSubtree(entry.element);
+			});
+			if (SAFE_FOR_TEMPLATES) _scrubTemplateExpressions2(dirty);
 			return dirty;
 		}
 		if (RETURN_DOM) {
-			if (SAFE_FOR_TEMPLATES) _scrubTemplateExpressions(body);
+			if (SAFE_FOR_TEMPLATES) _scrubTemplateExpressions2(body);
 			if (RETURN_DOM_FRAGMENT) {
 				returnNode = createDocumentFragment.call(body.ownerDocument);
 				while (body.firstChild) returnNode.appendChild(body.firstChild);
@@ -7793,7 +8016,7 @@ function createDOMPurify() {
 		], (expr) => {
 			serializedHTML = stringReplace(serializedHTML, expr, " ");
 		});
-		return trustedTypesPolicy && RETURN_TRUSTED_TYPE ? trustedTypesPolicy.createHTML(serializedHTML) : serializedHTML;
+		return trustedTypesPolicy && RETURN_TRUSTED_TYPE ? _createTrustedHTML(serializedHTML) : serializedHTML;
 	};
 	DOMPurify.setConfig = function() {
 		_parseConfig(arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : {});
@@ -7802,6 +8025,8 @@ function createDOMPurify() {
 	DOMPurify.clearConfig = function() {
 		CONFIG = null;
 		SET_CONFIG = false;
+		trustedTypesPolicy = defaultTrustedTypesPolicy;
+		emptyHTML = "";
 	};
 	DOMPurify.isValidAttribute = function(tag, attr, value) {
 		if (!CONFIG) _parseConfig({});
@@ -7870,7 +8095,7 @@ var _hoisted_26$1 = { key: 0 };
 var _hoisted_27$1 = ["innerHTML"];
 var _hoisted_28$1 = { key: 1 };
 var _hoisted_29$1 = ["innerHTML"];
-var UXModelInstrumentAgentCommon_vue_vue_type_script_setup_true_lang_default = /* @__PURE__ */ (0, vue.defineComponent)({
+var UXModelInstrumentAgentCommon_vue_vue_type_script_setup_true_lang_default = /*@__PURE__*/ (0, vue.defineComponent)({
 	__name: "UXModelInstrumentAgentCommon",
 	props: {
 		modelId: {},
@@ -8157,7 +8382,7 @@ var _plugin_vue_export_helper_default = (sfc, props) => {
 };
 //#endregion
 //#region src/components/UXModelInstrumentAgentCommon.vue
-var UXModelInstrumentAgentCommon_default = /* @__PURE__ */ _plugin_vue_export_helper_default(UXModelInstrumentAgentCommon_vue_vue_type_script_setup_true_lang_default, [["__scopeId", "data-v-6a76d4ff"]]);
+var UXModelInstrumentAgentCommon_default = /*#__PURE__*/ _plugin_vue_export_helper_default(UXModelInstrumentAgentCommon_vue_vue_type_script_setup_true_lang_default, [["__scopeId", "data-v-6a76d4ff"]]);
 //#endregion
 //#region node_modules/chalk/source/vendor/ansi-styles/index.js
 var ANSI_BACKGROUND_OFFSET$1 = 10;
@@ -8552,7 +8777,7 @@ var _hoisted_42 = { key: 1 };
 var _hoisted_43 = ["innerHTML"];
 //#endregion
 //#region src/components/UXModelInstrumentServiceCommon.vue
-var UXModelInstrumentServiceCommon_default = /* @__PURE__ */ _plugin_vue_export_helper_default(/* @__PURE__ */ (0, vue.defineComponent)({
+var UXModelInstrumentServiceCommon_default = /*#__PURE__*/ _plugin_vue_export_helper_default(/* @__PURE__ */ (0, vue.defineComponent)({
 	__name: "UXModelInstrumentServiceCommon",
 	props: {
 		modelId: {},
@@ -9038,7 +9263,7 @@ var _hoisted_15 = {
 };
 //#endregion
 //#region src/components/UXModelInstrumentServiceSmall.vue
-var UXModelInstrumentServiceSmall_default = /* @__PURE__ */ _plugin_vue_export_helper_default(/* @__PURE__ */ (0, vue.defineComponent)({
+var UXModelInstrumentServiceSmall_default = /*#__PURE__*/ _plugin_vue_export_helper_default(/* @__PURE__ */ (0, vue.defineComponent)({
 	__name: "UXModelInstrumentServiceSmall",
 	props: {
 		modelId: {},
@@ -9966,14 +10191,24 @@ function merge(...objs) {
 	const result = {};
 	const assignValue = (val, key) => {
 		if (key === "__proto__" || key === "constructor" || key === "prototype") return;
-		const targetKey = caseless && findKey(result, key) || key;
+		const targetKey = caseless && typeof key === "string" && findKey(result, key) || key;
 		const existing = hasOwnProperty(result, targetKey) ? result[targetKey] : void 0;
 		if (isPlainObject(existing) && isPlainObject(val)) result[targetKey] = merge(existing, val);
 		else if (isPlainObject(val)) result[targetKey] = merge({}, val);
 		else if (isArray(val)) result[targetKey] = val.slice();
 		else if (!skipUndefined || !isUndefined(val)) result[targetKey] = val;
 	};
-	for (let i = 0, l = objs.length; i < l; i++) objs[i] && forEach(objs[i], assignValue);
+	for (let i = 0, l = objs.length; i < l; i++) {
+		const source = objs[i];
+		if (!source || isBuffer(source)) continue;
+		forEach(source, assignValue);
+		if (typeof source !== "object" || isArray(source)) continue;
+		const symbols = Object.getOwnPropertySymbols(source);
+		for (let j = 0; j < symbols.length; j++) {
+			const symbol = symbols[j];
+			if (propertyIsEnumerable.call(source, symbol)) assignValue(source[symbol], symbol);
+		}
+	}
 	return result;
 }
 /**
@@ -10153,6 +10388,7 @@ var toCamelCase = (str) => {
 	});
 };
 var hasOwnProperty = (({ hasOwnProperty }) => (obj, prop) => hasOwnProperty.call(obj, prop))(Object.prototype);
+var { propertyIsEnumerable } = Object.prototype;
 /**
 * Determine if a value is a RegExp object
 *
@@ -10492,7 +10728,7 @@ var AxiosHeaders = class {
 		const self = this;
 		function setHeader(_value, _header, _rewrite) {
 			const lHeader = normalizeHeader(_header);
-			if (!lHeader) throw new Error("header name must be a non-empty string");
+			if (!lHeader) return;
 			const key = utils_default.findKey(self, lHeader);
 			if (!key || self[key] === void 0 || _rewrite === true || _rewrite === void 0 && self[key] !== false) self[key || _header] = normalizeValue(_value);
 		}
@@ -10502,7 +10738,7 @@ var AxiosHeaders = class {
 		else if (utils_default.isObject(header) && utils_default.isIterable(header)) {
 			let obj = {}, dest, key;
 			for (const entry of header) {
-				if (!utils_default.isArray(entry)) throw TypeError("Object iterator must return a key-value pair");
+				if (!utils_default.isArray(entry)) throw new TypeError("Object iterator must return a key-value pair");
 				obj[key = entry[0]] = (dest = obj[key]) ? utils_default.isArray(dest) ? [...dest, entry[1]] : [dest, entry[1]] : entry[1];
 			}
 			setHeaders(obj, valueOrRewrite);
@@ -10896,7 +11132,7 @@ function toFormData(obj, formData, options) {
 	function build(value, path, depth = 0) {
 		if (utils_default.isUndefined(value)) return;
 		if (depth > maxDepth) throw new AxiosError("Object is too deeply nested (" + depth + " levels). Max depth: " + maxDepth, AxiosError.ERR_FORM_DATA_DEPTH_EXCEEDED);
-		if (stack.indexOf(value) !== -1) throw Error("Circular reference detected in " + path.join("."));
+		if (stack.indexOf(value) !== -1) throw new Error("Circular reference detected in " + path.join("."));
 		stack.push(value);
 		utils_default.forEach(value, function each(el, key) {
 			if ((!(utils_default.isUndefined(el) || el === null) && visitor.call(formData, el, utils_default.isString(key) ? key.trim() : key, path, exposedHelpers)) === true) build(el, path ? path.concat(key) : [key], depth + 1);
@@ -11055,7 +11291,8 @@ var transitional_default = {
 	silentJSONParsing: true,
 	forcedJSONParsing: true,
 	clarifyTimeoutError: false,
-	legacyInterceptorReqResOrdering: true
+	legacyInterceptorReqResOrdering: true,
+	advertiseZstdAcceptEncoding: false
 };
 //#endregion
 //#region node_modules/axios/lib/platform/browser/index.js
@@ -11117,7 +11354,9 @@ var hasStandardBrowserEnv = hasBrowserEnv && (!_navigator || [
 * `typeof window !== 'undefined' && typeof document !== 'undefined'`.
 * This leads to a problem when axios post `FormData` in webWorker
 */
-var hasStandardBrowserWebWorkerEnv = typeof WorkerGlobalScope !== "undefined" && self instanceof WorkerGlobalScope && typeof self.importScripts === "function";
+var hasStandardBrowserWebWorkerEnv = (() => {
+	return typeof WorkerGlobalScope !== "undefined" && self instanceof WorkerGlobalScope && typeof self.importScripts === "function";
+})();
 var origin = hasBrowserEnv && window.location.href || "http://localhost";
 //#endregion
 //#region node_modules/axios/lib/platform/index.js
@@ -11673,8 +11912,8 @@ function setFormDataHeaders(headers, formHeaders, policy) {
 *
 * @returns {string} UTF-8 bytes as a Latin-1 string
 */
-var encodeUTF8 = (str) => encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
-var resolveConfig_default = (config) => {
+var encodeUTF8$1 = (str) => encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
+function resolveConfig(config) {
 	const newConfig = mergeConfig({}, config);
 	const own = (key) => utils_default.hasOwnProp(newConfig, key) ? newConfig[key] : void 0;
 	const data = own("data");
@@ -11687,10 +11926,10 @@ var resolveConfig_default = (config) => {
 	const allowAbsoluteUrls = own("allowAbsoluteUrls");
 	const url = own("url");
 	newConfig.headers = headers = AxiosHeaders.from(headers);
-	newConfig.url = buildURL(buildFullPath(baseURL, url, allowAbsoluteUrls), config.params, config.paramsSerializer);
-	if (auth) headers.set("Authorization", "Basic " + btoa((auth.username || "") + ":" + (auth.password ? encodeUTF8(auth.password) : "")));
+	newConfig.url = buildURL(buildFullPath(baseURL, url, allowAbsoluteUrls), own("params"), own("paramsSerializer"));
+	if (auth) headers.set("Authorization", "Basic " + btoa((auth.username || "") + ":" + (auth.password ? encodeUTF8$1(auth.password) : "")));
 	if (utils_default.isFormData(data)) {
-		if (platform_default.hasStandardBrowserEnv || platform_default.hasStandardBrowserWebWorkerEnv) headers.setContentType(void 0);
+		if (platform_default.hasStandardBrowserEnv || platform_default.hasStandardBrowserWebWorkerEnv || utils_default.isReactNative(data)) headers.setContentType(void 0);
 		else if (utils_default.isFunction(data.getHeaders)) setFormDataHeaders(headers, data.getHeaders(), own("formDataHeaderPolicy"));
 	}
 	if (platform_default.hasStandardBrowserEnv) {
@@ -11701,10 +11940,10 @@ var resolveConfig_default = (config) => {
 		}
 	}
 	return newConfig;
-};
+}
 var xhr_default = typeof XMLHttpRequest !== "undefined" && function(config) {
 	return new Promise(function dispatchXhrRequest(resolve, reject) {
-		const _config = resolveConfig_default(config);
+		const _config = resolveConfig(config);
 		let requestData = _config.data;
 		const requestHeaders = AxiosHeaders.from(_config.headers).normalize();
 		let { responseType, onUploadProgress, onDownloadProgress } = _config;
@@ -11967,11 +12206,28 @@ function estimateDataURLDecodedBytes(url) {
 }
 //#endregion
 //#region node_modules/axios/lib/env/data.js
-var VERSION = "1.16.1";
+var VERSION = "1.17.0";
 //#endregion
 //#region node_modules/axios/lib/adapters/fetch.js
 var DEFAULT_CHUNK_SIZE = 64 * 1024;
 var { isFunction } = utils_default;
+/**
+* Encode a UTF-8 string to a Latin-1 byte string for use with btoa().
+* This is a modern replacement for the deprecated unescape(encodeURIComponent(str)) pattern.
+*
+* @param {string} str The string to encode
+*
+* @returns {string} UTF-8 bytes as a Latin-1 string
+*/
+var encodeUTF8 = (str) => encodeURIComponent(str).replace(/%([0-9A-F]{2})/gi, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
+var decodeURIComponentSafe = (value) => {
+	if (!utils_default.isString(value)) return value;
+	try {
+		return decodeURIComponent(value);
+	} catch (error) {
+		return value;
+	}
+};
 var test = (fn, ...args) => {
 	try {
 		return !!fn(...args);
@@ -11979,6 +12235,12 @@ var test = (fn, ...args) => {
 		return false;
 	}
 };
+var maybeWithAuthCredentials = (url) => {
+	const protocolIndex = url.indexOf("://");
+	let urlToCheck = url;
+	if (protocolIndex !== -1) urlToCheck = urlToCheck.slice(protocolIndex + 3);
+	return urlToCheck.includes("@") || urlToCheck.includes(":");
+};
 var factory = (env) => {
 	const globalObject = utils_default.global !== void 0 && utils_default.global !== null ? utils_default.global : globalThis;
 	const { ReadableStream, TextEncoder } = globalObject;
@@ -12009,19 +12271,21 @@ var factory = (env) => {
 	});
 	const supportsResponseStream = isResponseSupported && isReadableStreamSupported && test(() => utils_default.isReadableStream(new Response("").body));
 	const resolvers = { stream: supportsResponseStream && ((res) => res.body) };
-	isFetchSupported && [
-		"text",
-		"arrayBuffer",
-		"blob",
-		"formData",
-		"stream"
-	].forEach((type) => {
-		!resolvers[type] && (resolvers[type] = (res, config) => {
-			let method = res && res[type];
-			if (method) return method.call(res);
-			throw new AxiosError(`Response type '${type}' is not supported`, AxiosError.ERR_NOT_SUPPORT, config);
+	isFetchSupported && (() => {
+		[
+			"text",
+			"arrayBuffer",
+			"blob",
+			"formData",
+			"stream"
+		].forEach((type) => {
+			!resolvers[type] && (resolvers[type] = (res, config) => {
+				let method = res && res[type];
+				if (method) return method.call(res);
+				throw new AxiosError(`Response type '${type}' is not supported`, AxiosError.ERR_NOT_SUPPORT, config);
+			});
 		});
-	});
+	})();
 	const getBodyLength = async (body) => {
 		if (body == null) return 0;
 		if (utils_default.isBlob(body)) return body.size;
@@ -12038,9 +12302,10 @@ var factory = (env) => {
 		return length == null ? getBodyLength(body) : length;
 	};
 	return async (config) => {
-		let { url, method, data, signal, cancelToken, timeout, onDownloadProgress, onUploadProgress, responseType, headers, withCredentials = "same-origin", fetchOptions, maxContentLength, maxBodyLength } = resolveConfig_default(config);
+		let { url, method, data, signal, cancelToken, timeout, onDownloadProgress, onUploadProgress, responseType, headers, withCredentials = "same-origin", fetchOptions, maxContentLength, maxBodyLength } = resolveConfig(config);
 		const hasMaxContentLength = utils_default.isNumber(maxContentLength) && maxContentLength > -1;
 		const hasMaxBodyLength = utils_default.isNumber(maxBodyLength) && maxBodyLength > -1;
+		const own = (key) => utils_default.hasOwnProp(config, key) ? config[key] : void 0;
 		let _fetch = envFetch || fetch;
 		responseType = responseType ? (responseType + "").toLowerCase() : "text";
 		let composedSignal = composeSignals([signal, cancelToken && cancelToken.toAbortSignal()], timeout);
@@ -12050,6 +12315,28 @@ var factory = (env) => {
 		});
 		let requestContentLength;
 		try {
+			let auth = void 0;
+			const configAuth = own("auth");
+			if (configAuth) auth = {
+				username: configAuth.username || "",
+				password: configAuth.password || ""
+			};
+			if (maybeWithAuthCredentials(url)) {
+				const parsedURL = new URL(url, platform_default.origin);
+				if (!auth && (parsedURL.username || parsedURL.password)) auth = {
+					username: decodeURIComponentSafe(parsedURL.username),
+					password: decodeURIComponentSafe(parsedURL.password)
+				};
+				if (parsedURL.username || parsedURL.password) {
+					parsedURL.username = "";
+					parsedURL.password = "";
+					url = parsedURL.href;
+				}
+			}
+			if (auth) {
+				headers.delete("authorization");
+				headers.set("Authorization", "Basic " + btoa(encodeUTF8((auth.username || "") + ":" + (auth.password || ""))));
+			}
 			if (hasMaxContentLength && typeof url === "string" && url.startsWith("data:")) {
 				if (estimateDataURLDecodedBytes(url) > maxContentLength) throw new AxiosError("maxContentLength size of " + maxContentLength + " exceeded", AxiosError.ERR_BAD_RESPONSE, config, request);
 			}
@@ -12454,7 +12741,8 @@ var Axios = class {
 			silentJSONParsing: validators.transitional(validators.boolean),
 			forcedJSONParsing: validators.transitional(validators.boolean),
 			clarifyTimeoutError: validators.transitional(validators.boolean),
-			legacyInterceptorReqResOrdering: validators.transitional(validators.boolean)
+			legacyInterceptorReqResOrdering: validators.transitional(validators.boolean),
+			advertiseZstdAcceptEncoding: validators.transitional(validators.boolean)
 		}, false);
 		if (paramsSerializer != null) if (utils_default.isFunction(paramsSerializer)) config.paramsSerializer = { serialize: paramsSerializer };
 		else validator_default.assertOptions(paramsSerializer, {
@@ -12998,7 +13286,7 @@ var SocketIoClient = class extends import_tiny_emitter$1.TinyEmitter {
 			} else {
 				const errorMessage = "SocketIoClient:on(\"connect\"): Could not get socket object from socket.io, Address: [${socketDetail.address}]";
 				this.LogErrorMessage(errorMessage);
-				this.SocketConnectError(new Error(errorMessage));
+				this.SocketConnectError(/* @__PURE__ */ new Error(errorMessage));
 			}
 		});
 		this.#socket.on("disconnect", (reason) => {