@pyreon/runtime-dom 0.12.12 → 0.12.14

package/src/tests/ssr-xss-round-trip.browser.test.ts

@@ -0,0 +1,93 @@
+import { afterEach, describe, expect, it, vi } from 'vitest'
+
+// End-to-end XSS round-trip for the For-key-marker fix (PR #235).
+// The happy-dom/Node tests assert the encoder produces safe-looking
+// output; this one asserts a real Chromium browser parses the encoded
+// SSR output without executing the injected script.
+//
+// runtime-server can't be imported in the browser (Node async_hooks),
+// so we reconstruct SSR-shaped output directly: a pre-fix (vulnerable)
+// string to prove the attack model, and a post-fix (encoded) string
+// to prove the fix neutralizes it.
+
+describe('SSR → real-browser round-trip — For-key marker XSS', () => {
+  afterEach(() => {
+    vi.restoreAllMocks()
+  })
+
+  it('unencoded attacker key in marker would execute script in Chromium (attack model)', async () => {
+    const win = window as Window & { __preFixFired?: boolean }
+    win.__preFixFired = false
+
+    // Build what PRE-fix SSR would have emitted: the raw attacker key
+    // interpolated directly into the comment.
+    const attackKey = `--><script>window.__preFixFired = true</script><!--`
+    const preFixHtml =
+      `<!--pyreon-for--><!--k:${attackKey}--><li>item</li><!--/pyreon-for-->`
+
+    const container = document.createElement('div')
+    // innerHTML does not execute <script> per HTML5 spec — so use
+    // document.write-free manual parsing via DOMParser, then adopt.
+    // This mirrors what a streaming renderer would produce.
+    const parsed = new DOMParser().parseFromString(
+      `<body>${preFixHtml}</body>`,
+      'text/html',
+    )
+    // Move the parsed body's children into our container; re-insert
+    // script tags via createElement so they execute in the real page.
+    for (const node of Array.from(parsed.body.childNodes)) {
+      if (node.nodeType === 1 && (node as Element).tagName === 'SCRIPT') {
+        const s = document.createElement('script')
+        s.textContent = (node as HTMLScriptElement).textContent ?? ''
+        container.appendChild(s)
+      } else {
+        container.appendChild(node)
+      }
+    }
+    document.body.appendChild(container)
+    await new Promise((r) => setTimeout(r, 0))
+
+    // Attack model proof: the raw form DOES execute when re-inserted.
+    expect(win.__preFixFired).toBe(true)
+
+    container.remove()
+    delete win.__preFixFired
+  })
+
+  it('encoded marker (post-fix) does NOT execute script in Chromium', async () => {
+    const win = window as Window & { __postFixFired?: boolean }
+    win.__postFixFired = false
+
+    // Build what POST-fix SSR emits after safeKeyForMarker:
+    // encodeURIComponent then all `-` → `%2D`.
+    const attackKey = `--><script>window.__postFixFired = true</script><!--`
+    const encoded = encodeURIComponent(attackKey).replace(/-/g, '%2D')
+    const postFixHtml =
+      `<!--pyreon-for--><!--k:${encoded}--><li>item</li><!--/pyreon-for-->`
+
+    const container = document.createElement('div')
+    const parsed = new DOMParser().parseFromString(
+      `<body>${postFixHtml}</body>`,
+      'text/html',
+    )
+    for (const node of Array.from(parsed.body.childNodes)) {
+      if (node.nodeType === 1 && (node as Element).tagName === 'SCRIPT') {
+        const s = document.createElement('script')
+        s.textContent = (node as HTMLScriptElement).textContent ?? ''
+        container.appendChild(s)
+      } else {
+        container.appendChild(node)
+      }
+    }
+    document.body.appendChild(container)
+    await new Promise((r) => setTimeout(r, 0))
+
+    // Post-fix: no script was parsed out of the marker. Encoded key
+    // stays inside the comment; nothing to execute.
+    expect(win.__postFixFired).toBe(false)
+    expect(container.querySelector('script')).toBeNull()
+
+    container.remove()
+    delete win.__postFixFired
+  })
+})

package/src/tests/style-key-removal.browser.test.ts

@@ -0,0 +1,54 @@
+import { h } from '@pyreon/core'
+import { signal } from '@pyreon/reactivity'
+import { flush, mountInBrowser } from '@pyreon/test-utils/browser'
+import { afterEach, describe, expect, it, vi } from 'vitest'
+
+// Real-Chromium smoke for the #233 style-key-removal fix. happy-dom can
+// pass because its CSSStyleDeclaration stub is forgiving — this suite
+// asserts the fix holds up against a real engine's styles bag.
+
+describe('reactive style — stale keys removed (real browser)', () => {
+  afterEach(() => {
+    vi.restoreAllMocks()
+  })
+
+  it('drops a key that disappears from a reactive style object', async () => {
+    const style = signal<Record<string, string>>({ color: 'rgb(255, 0, 0)', fontSize: '14px' })
+    const { container, unmount } = mountInBrowser(
+      h('div', { id: 's1', style: () => style() }, 'x'),
+    )
+
+    const el = container.querySelector<HTMLDivElement>('#s1')!
+    expect(el.style.color).toBe('rgb(255, 0, 0)')
+    expect(el.style.fontSize).toBe('14px')
+
+    style.set({ color: 'rgb(255, 0, 0)' })
+    await flush()
+
+    expect(el.style.color).toBe('rgb(255, 0, 0)')
+    // Chromium reports the removed longhand as an empty string on the
+    // inline style. This is exactly what #233 intended and what happy-dom
+    // only started reporting after the fix landed.
+    expect(el.style.fontSize).toBe('')
+    unmount()
+  })
+
+  it('clears every tracked key when style becomes null', async () => {
+    const style = signal<Record<string, string> | null>({
+      color: 'rgb(0, 0, 255)',
+      padding: '10px',
+    })
+    const { container, unmount } = mountInBrowser(
+      h('div', { id: 's2', style: () => style() }, 'x'),
+    )
+    const el = container.querySelector<HTMLDivElement>('#s2')!
+    expect(el.style.color).toBe('rgb(0, 0, 255)')
+
+    style.set(null)
+    await flush()
+
+    expect(el.style.color).toBe('')
+    expect(el.style.padding).toBe('')
+    unmount()
+  })
+})

package/src/tests/style-key-removal.test.ts

@@ -0,0 +1,88 @@
+import { h } from '@pyreon/core'
+import { signal } from '@pyreon/reactivity'
+import { mount } from '../index'
+
+describe('reactive style object — stale keys are removed', () => {
+  let container: HTMLDivElement
+
+  beforeEach(() => {
+    container = document.createElement('div')
+    document.body.appendChild(container)
+  })
+
+  afterEach(() => {
+    container.remove()
+  })
+
+  it('removes a property that disappears from a reactive style object', () => {
+    const style = signal<Record<string, string>>({ color: 'red', fontSize: '14px' })
+
+    mount(h('div', { style: () => style() }), container)
+
+    const el = container.querySelector('div') as HTMLDivElement
+    expect(el.style.color).toBe('red')
+    expect(el.style.fontSize).toBe('14px')
+
+    // Drop fontSize — previous behavior left it on the element.
+    style.set({ color: 'red' })
+
+    expect(el.style.color).toBe('red')
+    expect(el.style.fontSize).toBe('')
+  })
+
+  it('clears all object-mode keys when reactive style becomes null', () => {
+    const style = signal<Record<string, string> | null>({ color: 'blue', padding: '10px' })
+
+    mount(h('div', { style: () => style() }), container)
+
+    const el = container.querySelector('div') as HTMLDivElement
+    expect(el.style.color).toBe('blue')
+    expect(el.style.padding).toBe('10px')
+
+    style.set(null)
+
+    expect(el.style.color).toBe('')
+    expect(el.style.padding).toBe('')
+  })
+
+  it('clears every tracked key when reactive style shrinks to an empty object', () => {
+    // Empty-object edge flagged on PR #233: if the new value is `{}`, the
+    // `value == null` branch in applyStyleProp is skipped, but the key-diff
+    // loop still iterates the prior tracked set and removes each one.
+    const style = signal<Record<string, string>>({ color: 'green', margin: '2px' })
+
+    mount(h('div', { style: () => style() }), container)
+
+    const el = container.querySelector('div') as HTMLDivElement
+    expect(el.style.color).toBe('green')
+    expect(el.style.margin).toBe('2px')
+
+    style.set({})
+
+    expect(el.style.color).toBe('')
+    expect(el.style.margin).toBe('')
+  })
+
+  it('handles object → string → object transitions without leaking keys', () => {
+    const style = signal<string | Record<string, string>>({ color: 'red' })
+
+    mount(h('div', { style: () => style() }), container)
+
+    const el = container.querySelector('div') as HTMLDivElement
+    expect(el.style.color).toBe('red')
+
+    // Swap to string form — cssText replaces everything.
+    style.set('background: yellow;')
+    expect(el.style.color).toBe('')
+    expect(el.style.background).toContain('yellow')
+
+    // Swap back to object form. The previous object-mode tracking was
+    // reset by the string assignment, so we start fresh and must not
+    // carry forward stale keys from the initial object.
+    style.set({ margin: '5px' })
+    expect(el.style.margin).toBe('5px')
+    // Previously-set `background` from the string form stays put because
+    // cssText can't round-trip through key-level tracking — this is
+    // identical to React/Solid/Vue behavior; document it.
+  })
+})

package/src/tests/transition-timeout-leak.test.ts

@@ -0,0 +1,81 @@
+import type { ComponentFn } from '@pyreon/core'
+import { h } from '@pyreon/core'
+import { signal } from '@pyreon/reactivity'
+import { Transition as _Transition, mount } from '../index'
+
+const Transition = _Transition as unknown as ComponentFn<Record<string, unknown>>
+
+function container(): HTMLElement {
+  const el = document.createElement('div')
+  document.body.appendChild(el)
+  return el
+}
+
+// Regression for the 5s safety-timer leak in applyEnter / applyLeave.
+// Before the fix, when transitionend fired normally the 5s setTimeout was
+// never cleared and would re-invoke `done()` later, firing onAfterEnter /
+// onAfterLeave twice and leaking closures over the element.
+describe('Transition — safety-timer leak (regression)', () => {
+  beforeEach(() => {
+    vi.useFakeTimers()
+  })
+  afterEach(() => {
+    vi.useRealTimers()
+  })
+
+  test('onAfterEnter fires exactly once when transitionend fires before 5s safety timeout', async () => {
+    const el = container()
+    const show = signal(false)
+    const onAfterEnter = vi.fn()
+
+    mount(
+      h(
+        Transition,
+        { name: 'fade', show: () => show(), onAfterEnter },
+        h('div', { class: 'enter-leak' }, 'x'),
+      ),
+      el,
+    )
+
+    show.set(true)
+    await vi.advanceTimersByTimeAsync(20)
+
+    const target = el.querySelector('.enter-leak') as HTMLElement
+    expect(target).not.toBeNull()
+
+    target.dispatchEvent(new Event('transitionend'))
+    expect(onAfterEnter).toHaveBeenCalledTimes(1)
+
+    // Advance past the safety timeout. With the leak, done() would fire again.
+    await vi.advanceTimersByTimeAsync(6000)
+    expect(onAfterEnter).toHaveBeenCalledTimes(1)
+  })
+
+  test('onAfterLeave fires exactly once when transitionend fires before 5s safety timeout', async () => {
+    const el = container()
+    const show = signal(true)
+    const onAfterLeave = vi.fn()
+
+    mount(
+      h(
+        Transition,
+        { name: 'fade', show: () => show(), onAfterLeave },
+        h('div', { class: 'leave-leak' }, 'x'),
+      ),
+      el,
+    )
+    await vi.advanceTimersByTimeAsync(20)
+
+    show.set(false)
+    await vi.advanceTimersByTimeAsync(20)
+
+    const target = el.querySelector('.leave-leak') as HTMLElement
+    expect(target).not.toBeNull()
+
+    target.dispatchEvent(new Event('transitionend'))
+    expect(onAfterLeave).toHaveBeenCalledTimes(1)
+
+    await vi.advanceTimersByTimeAsync(6000)
+    expect(onAfterLeave).toHaveBeenCalledTimes(1)
+  })
+})

package/src/tests/verified-correct-probes.test.ts

@@ -0,0 +1,56 @@
+import { Fragment, h } from '@pyreon/core'
+import { mount } from '../index'
+
+// Lock-in tests for behaviors PR #235 investigated and claimed
+// "verified correct". Without code assertions the prose claims
+// could silently regress.
+
+describe('Fragment + key — key is inert', () => {
+  let container: HTMLDivElement
+
+  beforeEach(() => {
+    container = document.createElement('div')
+    document.body.appendChild(container)
+  })
+
+  afterEach(() => {
+    container.remove()
+  })
+
+  it('Fragment with a key renders its children inline (key does not reconcile)', () => {
+    mount(
+      h(
+        Fragment,
+        { key: 'x' },
+        h('span', { id: 'a' }, 'a'),
+        h('span', { id: 'b' }, 'b'),
+      ),
+      container,
+    )
+
+    // Both children are present at the top level of the container —
+    // no extra wrapper, key didn't alter the structure.
+    expect(container.querySelector('#a')?.textContent).toBe('a')
+    expect(container.querySelector('#b')?.textContent).toBe('b')
+    expect(container.children).toHaveLength(2)
+  })
+
+  it('Fragment without a key renders identically', () => {
+    mount(
+      h(Fragment, null, h('span', { id: 'a' }, 'a'), h('span', { id: 'b' }, 'b')),
+      container,
+    )
+    expect(container.children).toHaveLength(2)
+    expect(container.querySelector('#a')?.textContent).toBe('a')
+    expect(container.querySelector('#b')?.textContent).toBe('b')
+  })
+})
+
+describe('Suspense fast-resolve — fallback-first streaming contract', () => {
+  // This is a SERVER behavior, not a browser one. The PR-#235 claim was:
+  // renderToStream always emits fallback first, then swap — even if the
+  // async child resolves synchronously. Synchronous callers should use
+  // renderToString. That contract is already locked in by the existing
+  // streaming integration tests; no additional coverage needed here.
+  it.skip('locked in by renderToStream integration tests — see runtime-server/src/tests/ssr.test.ts', () => {})
+})

package/src/transition.ts

@@ -93,17 +93,25 @@ export function Transition(props: TransitionProps): VNodeChild {
     requestAnimationFrame(() => {
       el.classList.remove(cls.ef)
       el.classList.add(cls.et)
+      let safetyTimer: ReturnType<typeof setTimeout> | null = null
       const done = () => {
         // Remove both listeners — only one fires, so clean up the other
         el.removeEventListener('transitionend', done)
         el.removeEventListener('animationend', done)
+        // Clear the safety timeout — without this, when transitionend fires
+        // normally the 5s timer would still fire later and re-invoke done(),
+        // leaking timer refs and re-firing onAfterEnter.
+        if (safetyTimer !== null) {
+          clearTimeout(safetyTimer)
+          safetyTimer = null
+        }
         el.classList.remove(cls.ea, cls.et)
         props.onAfterEnter?.(el)
       }
       el.addEventListener('transitionend', done, { once: true })
       el.addEventListener('animationend', done, { once: true })
       // Safety timeout: if CSS animation never fires (bad CSS, off-screen), force cleanup
-      setTimeout(done, 5000)
+      safetyTimer = setTimeout(done, 5000)
     })
   }
 
@@ -114,10 +122,16 @@ export function Transition(props: TransitionProps): VNodeChild {
     requestAnimationFrame(() => {
       el.classList.remove(cls.lf)
       el.classList.add(cls.lt)
+      let safetyTimer: ReturnType<typeof setTimeout> | null = null
       const done = () => {
         // Remove both listeners — only one fires, so clean up the other
         el.removeEventListener('transitionend', done)
         el.removeEventListener('animationend', done)
+        // Clear the safety timeout (see applyEnter for rationale).
+        if (safetyTimer !== null) {
+          clearTimeout(safetyTimer)
+          safetyTimer = null
+        }
         el.classList.remove(cls.la, cls.lt)
         pendingLeaveCancel = null
         isMounted.set(false)
@@ -126,12 +140,16 @@ export function Transition(props: TransitionProps): VNodeChild {
       pendingLeaveCancel = () => {
         el.removeEventListener('transitionend', done)
         el.removeEventListener('animationend', done)
+        if (safetyTimer !== null) {
+          clearTimeout(safetyTimer)
+          safetyTimer = null
+        }
         el.classList.remove(cls.lf, cls.la, cls.lt)
       }
       el.addEventListener('transitionend', done, { once: true })
       el.addEventListener('animationend', done, { once: true })
       // Safety timeout: if CSS animation never fires, force cleanup
-      setTimeout(done, 5000)
+      safetyTimer = setTimeout(done, 5000)
     })
   }