@pyreon/document 0.11.5 → 0.11.7

package/src/sanitize.ts

@@ -8,13 +8,13 @@
  * Blocks: semicolons, braces, angle brackets, quotes, backslashes, expressions.
  */
 export function sanitizeCss(value: string | undefined): string {
-  if (value == null) return ""
+  if (value == null) return ''
   // Remove anything that could break out of a CSS value
   return value
-    .replace(/[;{}()<>\\'"]/g, "")
-    .replace(/expression\s*\(/gi, "")
-    .replace(/url\s*\(/gi, "")
-    .replace(/javascript\s*:/gi, "")
+    .replace(/[;{}()<>\\'"]/g, '')
+    .replace(/expression\s*\(/gi, '')
+    .replace(/url\s*\(/gi, '')
+    .replace(/javascript\s*:/gi, '')
 }
 
 /**
@@ -22,7 +22,7 @@ export function sanitizeCss(value: string | undefined): string {
  * Returns the value if valid, empty string if not.
  */
 export function sanitizeColor(value: string | undefined): string {
-  if (value == null) return ""
+  if (value == null) return ''
   const trimmed = value.trim()
   // Hex: #fff, #ffffff, #ffffffff
   if (/^#[0-9a-fA-F]{3,8}$/.test(trimmed)) return trimmed
@@ -32,16 +32,16 @@ export function sanitizeColor(value: string | undefined): string {
   if (/^(rgb|hsl)a?\(\s*[\d.,\s%]+\)$/.test(trimmed)) return trimmed
   // transparent, inherit, currentColor
   if (/^(transparent|inherit|currentColor|initial|unset)$/i.test(trimmed)) return trimmed
-  return ""
+  return ''
 }
 
 /**
  * Sanitize a color for XML attributes (DOCX/PPTX) — only hex without #.
  * Returns 6-char hex string or default.
  */
-export function sanitizeXmlColor(value: string | undefined, fallback = "000000"): string {
+export function sanitizeXmlColor(value: string | undefined, fallback = '000000'): string {
   if (value == null) return fallback
-  const hex = value.replace("#", "")
+  const hex = value.replace('#', '')
   if (/^[0-9a-fA-F]{3,8}$/.test(hex)) return hex
   return fallback
 }
@@ -51,13 +51,13 @@ export function sanitizeXmlColor(value: string | undefined, fallback = "000000")
  * Returns the URL if safe, empty string if not.
  */
 export function sanitizeHref(url: string | undefined): string {
-  if (url == null) return ""
+  if (url == null) return ''
   const trimmed = url.trim()
   // Block dangerous protocols
-  const lower = trimmed.toLowerCase().replace(/\s/g, "")
-  if (lower.startsWith("javascript:")) return ""
-  if (lower.startsWith("vbscript:")) return ""
-  if (lower.startsWith("data:") && !lower.startsWith("data:image/")) return ""
+  const lower = trimmed.toLowerCase().replace(/\s/g, '')
+  if (lower.startsWith('javascript:')) return ''
+  if (lower.startsWith('vbscript:')) return ''
+  if (lower.startsWith('data:') && !lower.startsWith('data:image/')) return ''
   return trimmed
 }
 
@@ -66,12 +66,12 @@ export function sanitizeHref(url: string | undefined): string {
  * Blocks javascript:, vbscript:, and non-image data: URIs.
  */
 export function sanitizeImageSrc(src: string | undefined): string {
-  if (src == null) return ""
+  if (src == null) return ''
   const trimmed = src.trim()
-  const lower = trimmed.toLowerCase().replace(/\s/g, "")
-  if (lower.startsWith("javascript:")) return ""
-  if (lower.startsWith("vbscript:")) return ""
-  if (lower.startsWith("data:") && !lower.startsWith("data:image/")) return ""
+  const lower = trimmed.toLowerCase().replace(/\s/g, '')
+  if (lower.startsWith('javascript:')) return ''
+  if (lower.startsWith('vbscript:')) return ''
+  if (lower.startsWith('data:') && !lower.startsWith('data:image/')) return ''
   return trimmed
 }
 
@@ -79,6 +79,6 @@ export function sanitizeImageSrc(src: string | undefined): string {
  * Sanitize a style attribute value — validates it's safe CSS.
  */
 export function sanitizeStyle(value: string | undefined): string {
-  if (value == null) return ""
+  if (value == null) return ''
   return sanitizeCss(value)
 }