npm - @nsshunt/stsuxvue - Versions diffs - 1.0.125 → 1.0.126 - Mend

@nsshunt/stsuxvue 1.0.125 → 1.0.126

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/stsuxvue.cjs +189 -41
package/dist/stsuxvue.cjs.map +1 -1
package/dist/stsuxvue.mjs +189 -41
package/dist/stsuxvue.mjs.map +1 -1
package/package.json +12 -12
package/types/Views/UXModelNavigatorView.vue.d.ts.map +1 -1
package/types/Views/UXModelNavigatorViewSingle.vue.d.ts.map +1 -1
package/types/components/UXModelInstrumentServiceCommon.vue.d.ts.map +1 -1
package/types/components/UXModelInstrumentServiceSmall.vue.d.ts.map +1 -1
package/types/components/UXModelNavigator.vue.d.ts.map +1 -1
package/types/components/UXModelNode.vue.d.ts.map +1 -1

package/dist/stsuxvue.cjs CHANGED Viewed

@@ -6036,7 +6036,7 @@ var import_ansi_to_html = /* @__PURE__ */ __toESM((/* @__PURE__ */ __commonJSMin
 		return Filter;
 	}();
 })))(), 1);
-/*! @license DOMPurify 3.4.8 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.4.8/LICENSE */
+/*! @license DOMPurify 3.4.9 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.4.9/LICENSE */
 function _arrayLikeToArray(r, a) {
 	(null == a || a > r.length) && (a = r.length);
 	for (var e = 0, n = Array(a); e < a; e++) n[e] = r[e];
@@ -6965,7 +6965,7 @@ var _createHooksMap = function _createHooksMap() {
 function createDOMPurify() {
 	let window = arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : getGlobal$1();
 	const DOMPurify = (root) => createDOMPurify(root);
-	DOMPurify.version = "3.4.8";
+	DOMPurify.version = "3.4.9";
 	DOMPurify.removed = [];
 	if (!window || !window.document || window.document.nodeType !== NODE_TYPE.document || !window.Element) {
 		DOMPurify.isSupported = false;
@@ -6995,15 +6995,36 @@ function createDOMPurify() {
 	}
 	let trustedTypesPolicy;
 	let emptyHTML = "";
-	let IN_POLICY_CREATE_HTML = 0;
+	let defaultTrustedTypesPolicy;
+	let defaultTrustedTypesPolicyResolved = false;
+	let IN_TRUSTED_TYPES_POLICY = 0;
+	const _assertNotInTrustedTypesPolicy = function _assertNotInTrustedTypesPolicy() {
+		if (IN_TRUSTED_TYPES_POLICY > 0) throw typeErrorCreate("A configured TRUSTED_TYPES_POLICY callback (createHTML or createScriptURL) must not call DOMPurify.sanitize, as that causes infinite recursion. Do not pass a policy whose callbacks wrap DOMPurify as TRUSTED_TYPES_POLICY; see the \"DOMPurify and Trusted Types\" section of the README.");
+	};
 	const _createTrustedHTML = function _createTrustedHTML(html) {
-		if (IN_POLICY_CREATE_HTML > 0) throw typeErrorCreate("The configured TRUSTED_TYPES_POLICY.createHTML must not call DOMPurify.sanitize, as that causes infinite recursion. Do not pass a policy whose createHTML wraps DOMPurify as TRUSTED_TYPES_POLICY; see the \"DOMPurify and Trusted Types\" section of the README.");
-		IN_POLICY_CREATE_HTML++;
+		_assertNotInTrustedTypesPolicy();
+		IN_TRUSTED_TYPES_POLICY++;
 		try {
 			return trustedTypesPolicy.createHTML(html);
 		} finally {
-			IN_POLICY_CREATE_HTML--;
+			IN_TRUSTED_TYPES_POLICY--;
+		}
+	};
+	const _createTrustedScriptURL = function _createTrustedScriptURL(scriptUrl) {
+		_assertNotInTrustedTypesPolicy();
+		IN_TRUSTED_TYPES_POLICY++;
+		try {
+			return trustedTypesPolicy.createScriptURL(scriptUrl);
+		} finally {
+			IN_TRUSTED_TYPES_POLICY--;
+		}
+	};
+	const _getDefaultTrustedTypesPolicy = function _getDefaultTrustedTypesPolicy() {
+		if (!defaultTrustedTypesPolicyResolved) {
+			defaultTrustedTypesPolicy = _createTrustedTypesPolicy(trustedTypes, currentScript);
+			defaultTrustedTypesPolicyResolved = true;
 		}
+		return defaultTrustedTypesPolicy;
 	};
 	const _document = document, implementation = _document.implementation, createNodeIterator = _document.createNodeIterator, createDocumentFragment = _document.createDocumentFragment, getElementsByTagName = _document.getElementsByTagName;
 	const importNode = originalDocument.importNode;
@@ -7107,6 +7128,7 @@ function createDOMPurify() {
 		"noscript",
 		"plaintext",
 		"script",
+		"selectedcontent",
 		"style",
 		"svg",
 		"template",
@@ -7298,8 +7320,11 @@ function createDOMPurify() {
 				trustedTypesPolicy = previousTrustedTypesPolicy;
 				throw error;
 			}
+		} else if (cfg.TRUSTED_TYPES_POLICY === null) {
+			trustedTypesPolicy = void 0;
+			emptyHTML = "";
 		} else {
-			if (trustedTypesPolicy === void 0 && cfg.TRUSTED_TYPES_POLICY !== null) trustedTypesPolicy = _createTrustedTypesPolicy(trustedTypes, currentScript);
+			if (trustedTypesPolicy === void 0) trustedTypesPolicy = _getDefaultTrustedTypesPolicy();
 			if (trustedTypesPolicy && typeof emptyHTML === "string") emptyHTML = _createTrustedHTML("");
 		}
 		if ((hooks.uponSanitizeElement.length > 0 || hooks.uponSanitizeAttribute.length > 0) && ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS) ALLOWED_TAGS = clone(ALLOWED_TAGS);
@@ -7357,6 +7382,45 @@ function createDOMPurify() {
 			getParentNode(node).removeChild(node);
 		} catch (_) {
 			remove(node);
+			if (!getParentNode(node)) throw typeErrorCreate("a node selected for removal could not be detached from its tree and cannot be safely returned; refusing to sanitize in place");
+		}
+	};
+	/**
+	* _neutralizeRoot
+	*
+	* Fail-closed teardown of an in-place root after the sanitize walk aborts
+	* (campaign-3 F2). An internal throw mid-walk — e.g. a page-registered
+	* custom element's reaction detaches a node so `_forceRemove`'s deliberate
+	* parentless guard throws, or any other re-entrant engine mutation — would
+	* otherwise leave the caller's *live* tree half-sanitized, with everything
+	* after the abort point still carrying its handlers. There is no safe way
+	* to resume the walk (the tree mutated under us), so we strip the root bare:
+	* remove every child and every attribute, then let the caller's catch see
+	* the original error. Clobber-safe (cached `remove`/`childNodes`/`attributes`
+	* getters; the root was already clobber-pre-flighted at the IN_PLACE entry).
+	*
+	* @param root the in-place root to empty
+	*/
+	const _neutralizeRoot = function _neutralizeRoot(root) {
+		const childNodes = getChildNodes ? getChildNodes(root) : root.childNodes;
+		if (childNodes) {
+			const snapshot = [];
+			arrayForEach(childNodes, (child) => {
+				arrayPush(snapshot, child);
+			});
+			arrayForEach(snapshot, (child) => {
+				try {
+					remove(child);
+				} catch (_) {}
+			});
+		}
+		const attributes = getAttributes ? getAttributes(root) : null;
+		if (attributes) for (let i = attributes.length - 1; i >= 0; --i) {
+			const attribute = attributes[i];
+			const name = attribute && attribute.name;
+			if (typeof name === "string") try {
+				root.removeAttribute(name);
+			} catch (_) {}
 		}
 	};
 	/**
@@ -7386,6 +7450,59 @@ function createDOMPurify() {
 		} catch (_) {}
 	};
 	/**
+	* _stripDisallowedAttributes
+	*
+	* Removes every attribute the active configuration does not allow from a
+	* single element, using the same allowlist as the main attribute pass (so
+	* `on*` handlers go, but no `/^on/` blocklist is introduced). Used only to
+	* neutralise nodes that are being discarded from an in-place tree.
+	*
+	* @param element the element to strip
+	*/
+	const _stripDisallowedAttributes = function _stripDisallowedAttributes(element) {
+		const attributes = getAttributes ? getAttributes(element) : element.attributes;
+		if (!attributes) return;
+		for (let i = attributes.length - 1; i >= 0; --i) {
+			const attribute = attributes[i];
+			const name = attribute && attribute.name;
+			if (typeof name !== "string" || ALLOWED_ATTR[transformCaseFunc(name)]) continue;
+			try {
+				element.removeAttribute(name);
+			} catch (_) {}
+		}
+	};
+	/**
+	* _neutralizeSubtree
+	*
+	* Completes the audit-5 F1 fix across every removal path. The KEEP_CONTENT
+	* move-hoist neutralises only disallowed-tag removals; clobber, mXSS-canary,
+	* namespace, comment, processing-instruction and KEEP_CONTENT:false removals
+	* all drop their subtree wholesale via `_forceRemove`. On the IN_PLACE path
+	* those dropped nodes are detached from the caller's LIVE tree but a
+	* handler-bearing original among them (an `<img onerror>`/`<video>` that was
+	* loading) keeps its queued resource event, which fires in page scope after
+	* sanitize returns. This walks a removed subtree and strips every attribute
+	* the active configuration does not allow — so `on*` handlers are cancelled
+	* through the SAME allowlist that governs kept nodes, not a separate `/^on/`
+	* blocklist. Run synchronously before sanitize returns, i.e. before any
+	* queued event can fire. Hook-free by design: these nodes leave the output,
+	* so firing attribute hooks for them would be surprising. Clobber-safe reads;
+	* a doomed clobbered node may shadow `removeAttribute` (its own attributes are
+	* irrelevant — it is discarded — while its non-clobbered descendants, e.g.
+	* the `<img>`, are reached and scrubbed).
+	*
+	* @param root the root of a removed subtree to neutralise
+	*/
+	const _neutralizeSubtree = function _neutralizeSubtree(root) {
+		const stack = [root];
+		while (stack.length > 0) {
+			const node = stack.pop();
+			if ((getNodeType ? getNodeType(node) : node.nodeType) === NODE_TYPE.element) _stripDisallowedAttributes(node);
+			const childNodes = getChildNodes ? getChildNodes(node) : node.childNodes;
+			if (childNodes) for (let i = childNodes.length - 1; i >= 0; --i) stack.push(childNodes[i]);
+		}
+	};
+	/**
 	* _initDocument
 	*
 	* @param dirty - a string of dirty markup
@@ -7574,8 +7691,8 @@ function createDOMPurify() {
 				if (childNodes && parentNode) {
 					const childCount = childNodes.length;
 					for (let i = childCount - 1; i >= 0; --i) {
-						const childClone = cloneNode(childNodes[i], true);
-						parentNode.insertBefore(childClone, getNextSibling(currentNode));
+						const hoisted = IN_PLACE ? childNodes[i] : cloneNode(childNodes[i], true);
+						parentNode.insertBefore(hoisted, getNextSibling(currentNode));
 					}
 				}
 			}
@@ -7724,7 +7841,7 @@ function createDOMPurify() {
 					value = _createTrustedHTML(value);
 					break;
 				case "TrustedScriptURL":
-					value = trustedTypesPolicy.createScriptURL(value);
+					value = _createTrustedScriptURL(value);
 					break;
 			}
 			if (value !== initValue) try {
@@ -7755,7 +7872,7 @@ function createDOMPurify() {
 			if ((getNodeType ? getNodeType(shadowNode) : shadowNode.nodeType) === NODE_TYPE.element) {
 				const innerSr = getShadowRoot ? getShadowRoot(shadowNode) : shadowNode.shadowRoot;
 				if (_isDocumentFragment(innerSr)) {
-					_sanitizeAttachedShadowRoots2(innerSr);
+					_sanitizeAttachedShadowRoots(innerSr);
 					_sanitizeShadowDOM2(innerSr);
 				}
 			}
@@ -7781,27 +7898,43 @@ function createDOMPurify() {
 	*
 	* @param root the subtree root to walk for attached shadow roots
 	*/
-	const _sanitizeAttachedShadowRoots2 = function _sanitizeAttachedShadowRoots(root) {
-		const nodeType = getNodeType ? getNodeType(root) : root.nodeType;
-		if (nodeType === NODE_TYPE.element) {
-			const sr = getShadowRoot ? getShadowRoot(root) : root.shadowRoot;
-			if (_isDocumentFragment(sr)) {
-				_sanitizeAttachedShadowRoots2(sr);
-				_sanitizeShadowDOM2(sr);
+	const _sanitizeAttachedShadowRoots = function _sanitizeAttachedShadowRoots(root) {
+		const stack = [{
+			node: root,
+			shadow: null
+		}];
+		while (stack.length > 0) {
+			const item = stack.pop();
+			if (item.shadow) {
+				_sanitizeShadowDOM2(item.shadow);
+				continue;
 			}
-		}
-		const childNodes = getChildNodes ? getChildNodes(root) : root.childNodes;
-		if (!childNodes) return;
-		const snapshot = [];
-		arrayForEach(childNodes, (child) => {
-			arrayPush(snapshot, child);
-		});
-		for (const child of snapshot) _sanitizeAttachedShadowRoots2(child);
-		if (nodeType === NODE_TYPE.element) {
-			const rootName = getNodeName ? getNodeName(root) : null;
-			if (typeof rootName === "string" && transformCaseFunc(rootName) === "template") {
-				const content = root.content;
-				if (_isDocumentFragment(content)) _sanitizeAttachedShadowRoots2(content);
+			const node = item.node;
+			const isElement = (getNodeType ? getNodeType(node) : node.nodeType) === NODE_TYPE.element;
+			const childNodes = getChildNodes ? getChildNodes(node) : node.childNodes;
+			if (childNodes) for (let i = childNodes.length - 1; i >= 0; --i) stack.push({
+				node: childNodes[i],
+				shadow: null
+			});
+			if (isElement) {
+				const rootName = getNodeName ? getNodeName(node) : null;
+				if (typeof rootName === "string" && transformCaseFunc(rootName) === "template") {
+					const content = node.content;
+					if (_isDocumentFragment(content)) stack.push({
+						node: content,
+						shadow: null
+					});
+				}
+			}
+			if (isElement) {
+				const sr = getShadowRoot ? getShadowRoot(node) : node.shadowRoot;
+				if (_isDocumentFragment(sr)) stack.push({
+					node: null,
+					shadow: sr
+				}, {
+					node: sr,
+					shadow: null
+				});
 			}
 		}
 	};
@@ -7820,35 +7953,48 @@ function createDOMPurify() {
 		if (!DOMPurify.isSupported) return dirty;
 		if (!SET_CONFIG) _parseConfig(cfg);
 		DOMPurify.removed = [];
-		if (typeof dirty === "string") IN_PLACE = false;
-		if (IN_PLACE) {
+		const inPlace = IN_PLACE && typeof dirty !== "string" && _isNode(dirty);
+		if (inPlace) {
 			const nn = getNodeName ? getNodeName(dirty) : dirty.nodeName;
 			if (typeof nn === "string") {
 				const tagName = transformCaseFunc(nn);
 				if (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName]) throw typeErrorCreate("root node is forbidden and cannot be sanitized in-place");
 			}
 			if (_isClobbered(dirty)) throw typeErrorCreate("root node is clobbered and cannot be sanitized in-place");
-			_sanitizeAttachedShadowRoots2(dirty);
+			try {
+				_sanitizeAttachedShadowRoots(dirty);
+			} catch (error) {
+				_neutralizeRoot(dirty);
+				throw error;
+			}
 		} else if (_isNode(dirty)) {
 			body = _initDocument("<!---->");
 			importedNode = body.ownerDocument.importNode(dirty, true);
 			if (importedNode.nodeType === NODE_TYPE.element && importedNode.nodeName === "BODY") body = importedNode;
 			else if (importedNode.nodeName === "HTML") body = importedNode;
 			else body.appendChild(importedNode);
-			_sanitizeAttachedShadowRoots2(importedNode);
+			_sanitizeAttachedShadowRoots(importedNode);
 		} else {
 			if (!RETURN_DOM && !SAFE_FOR_TEMPLATES && !WHOLE_DOCUMENT && dirty.indexOf("<") === -1) return trustedTypesPolicy && RETURN_TRUSTED_TYPE ? _createTrustedHTML(dirty) : dirty;
 			body = _initDocument(dirty);
 			if (!body) return RETURN_DOM ? null : RETURN_TRUSTED_TYPE ? emptyHTML : "";
 		}
 		if (body && FORCE_BODY) _forceRemove(body.firstChild);
-		const nodeIterator = _createNodeIterator(IN_PLACE ? dirty : body);
-		while (currentNode = nodeIterator.nextNode()) {
-			_sanitizeElements(currentNode);
-			_sanitizeAttributes(currentNode);
-			if (_isDocumentFragment(currentNode.content)) _sanitizeShadowDOM2(currentNode.content);
+		const nodeIterator = _createNodeIterator(inPlace ? dirty : body);
+		try {
+			while (currentNode = nodeIterator.nextNode()) {
+				_sanitizeElements(currentNode);
+				_sanitizeAttributes(currentNode);
+				if (_isDocumentFragment(currentNode.content)) _sanitizeShadowDOM2(currentNode.content);
+			}
+		} catch (error) {
+			if (inPlace) _neutralizeRoot(dirty);
+			throw error;
 		}
-		if (IN_PLACE) {
+		if (inPlace) {
+			arrayForEach(DOMPurify.removed, (entry) => {
+				if (entry.element) _neutralizeSubtree(entry.element);
+			});
 			if (SAFE_FOR_TEMPLATES) _scrubTemplateExpressions2(dirty);
 			return dirty;
 		}
@@ -7879,6 +8025,8 @@ function createDOMPurify() {
 	DOMPurify.clearConfig = function() {
 		CONFIG = null;
 		SET_CONFIG = false;
+		trustedTypesPolicy = defaultTrustedTypesPolicy;
+		emptyHTML = "";
 	};
 	DOMPurify.isValidAttribute = function(tag, attr, value) {
 		if (!CONFIG) _parseConfig({});