npm - @optilogic/core - Versions diffs - 1.2.0 → 1.2.2 - Mend

@optilogic/core 1.2.0 → 1.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.cjs +66 -2
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +18 -1
package/dist/index.d.ts +18 -1
package/dist/index.js +66 -2
package/dist/index.js.map +1 -1
package/package.json +1 -1
package/src/components/file-view/components/HtmlRenderer.tsx +110 -2

package/dist/index.cjs CHANGED Viewed

@@ -7487,18 +7487,82 @@ function CsvRenderer({ content, className }) {
   ) });
 }
 CsvRenderer.displayName = "CsvRenderer";
+var CSP_POLICY = [
+  "default-src 'none'",
+  "script-src 'unsafe-inline'",
+  "style-src 'unsafe-inline'",
+  "img-src data: blob:"
+].join("; ");
+var PERMISSIONS_POLICY = [
+  "camera=()",
+  "microphone=()",
+  "geolocation=()",
+  "payment=()",
+  "usb=()",
+  "clipboard-read=()",
+  "clipboard-write=()",
+  "display-capture=()",
+  "fullscreen=()",
+  "autoplay=()",
+  "web-share=()",
+  "screen-wake-lock=()",
+  "xr-spatial-tracking=()",
+  "magnetometer=()",
+  "gyroscope=()",
+  "accelerometer=()"
+].join(", ");
+function buildSandboxedHtml(content) {
+  return `<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Security-Policy" content="${CSP_POLICY}">
+<script>
+// Neutralise APIs that the sandbox + CSP can't fully block.
+// This runs in <head> before any user content in <body>.
+// Uses Object.defineProperty to make overrides non-configurable
+// so user scripts cannot restore the original via prototype tricks.
+(function(){
+  // postMessage: iframe can message parent even without allow-same-origin.
+  // Kill it so content can't probe or spam any future parent listeners.
+  // Also kill parent/top refs as an extra layer.
+  var noop = function(){};
+  try { Object.defineProperty(window, 'postMessage', { value: noop, writable: false, configurable: false }); } catch(e) {}
+  try { Object.defineProperty(window, 'parent', { value: window, writable: false, configurable: false }); } catch(e) {}
+  try { Object.defineProperty(window, 'top', { value: window, writable: false, configurable: false }); } catch(e) {}
+  try { Object.defineProperty(window, 'opener', { value: null, writable: false, configurable: false }); } catch(e) {}
+  // RTCPeerConnection: not governed by CSP; could contact a STUN server
+  // over UDP to leak the user's IP. Kill all browser-prefixed variants.
+  var rtcNames = ['RTCPeerConnection', 'webkitRTCPeerConnection', 'mozRTCPeerConnection'];
+  for (var i = 0; i < rtcNames.length; i++) {
+    try { Object.defineProperty(window, rtcNames[i], { value: undefined, writable: false, configurable: false }); } catch(e) {}
+  }
+})();
+</script>
+</head>
+<body>${content}</body>
+</html>`;
+}
 function HtmlRenderer({
   content,
   fileName,
   className
 }) {
+  const srcDoc = React20__namespace.useMemo(
+    () => buildSandboxedHtml(content ?? ""),
+    [content]
+  );
+  const iframeProps = { csp: CSP_POLICY };
   return /* @__PURE__ */ jsxRuntime.jsx(
     "iframe",
     {
-      srcDoc: content ?? "",
+      srcDoc,
       sandbox: "allow-scripts",
       title: fileName,
-      className: cn("h-full w-full border-0", className)
+      referrerPolicy: "no-referrer",
+      allow: PERMISSIONS_POLICY,
+      className: cn("h-full w-full border-0", className),
+      ...iframeProps
     }
   );
 }