@reckona/mreact-shared 0.0.160 → 0.0.162
- package/dist/compiler-contract.d.ts +17 -0
- package/dist/compiler-contract.d.ts.map +1 -1
- package/dist/compiler-contract.js +1 -0
- package/dist/compiler-contract.js.map +1 -1
- package/dist/html-elements.d.ts +1 -0
- package/dist/html-elements.d.ts.map +1 -1
- package/dist/html-elements.js +1 -0
- package/dist/html-elements.js.map +1 -1
- package/dist/html-escape.d.ts +3 -0
- package/dist/html-escape.d.ts.map +1 -1
- package/dist/html-escape.js +3 -0
- package/dist/html-escape.js.map +1 -1
- package/dist/url-safety.d.ts +7 -0
- package/dist/url-safety.d.ts.map +1 -1
- package/dist/url-safety.js +7 -0
- package/dist/url-safety.js.map +1 -1
- package/package.json +1 -1
- package/src/compiler-contract.ts +17 -0
- package/src/html-elements.ts +1 -0
- package/src/html-escape.ts +3 -0
- package/src/url-safety.ts +7 -0
|
@@ -1,17 +1,22 @@
|
|
|
1
|
+
/** Version number for the compiler output metadata contract consumed by runtime packages. */
|
|
1
2
|
export declare const compilerOutputContractVersion = 1;
|
|
3
|
+
/** Server rendering mode requested for transformed component output. */
|
|
2
4
|
export type ServerOutputMode = "string" | "stream";
|
|
5
|
+
/** Receives HTML chunks and deferred work while server rendering. */
|
|
3
6
|
export interface HtmlSink {
|
|
4
7
|
append(chunk: string): void;
|
|
5
8
|
backpressure?(): Promise<void>;
|
|
6
9
|
defer?(task: PromiseLike<void>): void;
|
|
7
10
|
signal?: AbortSignal;
|
|
8
11
|
}
|
|
12
|
+
/** Complete source transform result emitted by a compiler frontend. */
|
|
9
13
|
export interface TransformOutput {
|
|
10
14
|
code: string;
|
|
11
15
|
map?: string | null;
|
|
12
16
|
diagnostics: Diagnostic[];
|
|
13
17
|
metadata: ModuleMetadata;
|
|
14
18
|
}
|
|
19
|
+
/** Compiler diagnostic reported for a transformed source module. */
|
|
15
20
|
export interface Diagnostic {
|
|
16
21
|
level: "info" | "warn" | "error";
|
|
17
22
|
code: string;
|
|
@@ -19,15 +24,18 @@ export interface Diagnostic {
|
|
|
19
24
|
loc?: SourceLocation;
|
|
20
25
|
suggestion?: DiagnosticSuggestion;
|
|
21
26
|
}
|
|
27
|
+
/** Suggested action or reference attached to a compiler diagnostic. */
|
|
22
28
|
export interface DiagnosticSuggestion {
|
|
23
29
|
title: string;
|
|
24
30
|
replacement?: string;
|
|
25
31
|
link?: string;
|
|
26
32
|
}
|
|
33
|
+
/** One-based source location used by compiler diagnostics. */
|
|
27
34
|
export interface SourceLocation {
|
|
28
35
|
line: number;
|
|
29
36
|
column: number;
|
|
30
37
|
}
|
|
38
|
+
/** Metadata that describes the transformed module and its runtime dependencies. */
|
|
31
39
|
export interface ModuleMetadata {
|
|
32
40
|
filename: string;
|
|
33
41
|
target: CompileTarget;
|
|
@@ -46,30 +54,39 @@ export interface ModuleMetadata {
|
|
|
46
54
|
serverReferences?: string[];
|
|
47
55
|
eventHydrationManifest?: EventHydrationManifestMetadata;
|
|
48
56
|
}
|
|
57
|
+
/** Compilation target used to select client or server output. */
|
|
49
58
|
export type CompileTarget = "client" | "server";
|
|
59
|
+
/** Bootstrap script mode requested by server output metadata. */
|
|
50
60
|
export type ServerBootstrapMode = "none" | "out-of-order-reorder";
|
|
61
|
+
/** Compiler frontend implementation that produced a transform result. */
|
|
51
62
|
export type CompilerFrontend = "oxc";
|
|
63
|
+
/** Compiler implementation metadata stored with a transform result. */
|
|
52
64
|
export interface CompilerMetadata {
|
|
53
65
|
frontend: CompilerFrontend;
|
|
54
66
|
typescriptFallback: boolean;
|
|
55
67
|
}
|
|
68
|
+
/** Client component export recorded for React Flight manifests. */
|
|
56
69
|
export interface ClientReferenceMetadata {
|
|
57
70
|
name: string;
|
|
58
71
|
moduleId: string;
|
|
59
72
|
exportName: string;
|
|
60
73
|
}
|
|
74
|
+
/** Component export discovered by the compiler for runtime registration. */
|
|
61
75
|
export interface ComponentMetadata {
|
|
62
76
|
name: string;
|
|
63
77
|
exportName: string;
|
|
64
78
|
}
|
|
79
|
+
/** Runtime import required by transformed source output. */
|
|
65
80
|
export interface RuntimeImport {
|
|
66
81
|
source: string;
|
|
67
82
|
specifiers: string[];
|
|
68
83
|
}
|
|
84
|
+
/** Event hydration manifest metadata emitted with transformed server output. */
|
|
69
85
|
export interface EventHydrationManifestMetadata {
|
|
70
86
|
version: 1;
|
|
71
87
|
events: EventHydrationEntryMetadata[];
|
|
72
88
|
}
|
|
89
|
+
/** Event handler hydration entry recorded by the compiler. */
|
|
73
90
|
export interface EventHydrationEntryMetadata {
|
|
74
91
|
id: string;
|
|
75
92
|
event: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"compiler-contract.d.ts","sourceRoot":"","sources":["../src/compiler-contract.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,6BAA6B,IAAI,CAAC;AAE/C,MAAM,MAAM,gBAAgB,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAEnD,MAAM,WAAW,QAAQ;IACvB,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,YAAY,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,KAAK,CAAC,CAAC,IAAI,EAAE,WAAW,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IACtC,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,WAAW,EAAE,UAAU,EAAE,CAAC;IAC1B,QAAQ,EAAE,cAAc,CAAC;CAC1B;AAED,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,cAAc,CAAC;IACrB,UAAU,CAAC,EAAE,oBAAoB,CAAC;CACnC;AAED,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,aAAa,CAAC;IACtB,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,YAAY,CAAC,EAAE,gBAAgB,CAAC;IAChC,eAAe,CAAC,EAAE,mBAAmB,CAAC;IACtC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,4BAA4B,CAAC,EAAE,MAAM,CAAC;IACtC,UAAU,EAAE,iBAAiB,EAAE,CAAC;IAChC,OAAO,EAAE,aAAa,EAAE,CAAC;IACzB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,uBAAuB,CAAC,EAAE,uBAAuB,EAAE,CAAC;IACpD,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,sBAAsB,CAAC,EAAE,8BAA8B,CAAC;CACzD;AAED,MAAM,MAAM,aAAa,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAChD,MAAM,MAAM,mBAAmB,GAAG,MAAM,GAAG,sBAAsB,CAAC;AAClE,MAAM,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAErC,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,kBAAkB,EAAE,OAAO,CAAC;CAC7B;AAED,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,MAAM,WAAW,8B
AA8B;IAC7C,OAAO,EAAE,CAAC,CAAC;IACX,MAAM,EAAE,2BAA2B,EAAE,CAAC;CACvC;AAED,MAAM,WAAW,2BAA2B;IAC1C,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB"}
|
|
1
|
+
{"version":3,"file":"compiler-contract.d.ts","sourceRoot":"","sources":["../src/compiler-contract.ts"],"names":[],"mappings":"AAAA,6FAA6F;AAC7F,eAAO,MAAM,6BAA6B,IAAI,CAAC;AAE/C,wEAAwE;AACxE,MAAM,MAAM,gBAAgB,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAEnD,qEAAqE;AACrE,MAAM,WAAW,QAAQ;IACvB,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,YAAY,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,KAAK,CAAC,CAAC,IAAI,EAAE,WAAW,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IACtC,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED,uEAAuE;AACvE,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,WAAW,EAAE,UAAU,EAAE,CAAC;IAC1B,QAAQ,EAAE,cAAc,CAAC;CAC1B;AAED,oEAAoE;AACpE,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,cAAc,CAAC;IACrB,UAAU,CAAC,EAAE,oBAAoB,CAAC;CACnC;AAED,uEAAuE;AACvE,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,8DAA8D;AAC9D,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,mFAAmF;AACnF,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,aAAa,CAAC;IACtB,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,YAAY,CAAC,EAAE,gBAAgB,CAAC;IAChC,eAAe,CAAC,EAAE,mBAAmB,CAAC;IACtC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,oBAAoB,CAAC,EAAE,OAAO,CAAC;IAC/B,4BAA4B,CAAC,EAAE,MAAM,CAAC;IACtC,UAAU,EAAE,iBAAiB,EAAE,CAAC;IAChC,OAAO,EAAE,aAAa,EAAE,CAAC;IACzB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,uBAAuB,CAAC,EAAE,uBAAuB,EAAE,CAAC;IACpD,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,sBAAsB,CAAC,EAAE,8BAA8B,CAAC;CACzD;AAED,iEAAiE;AACjE,MAAM,MAAM,aAAa,GAAG,QAAQ,GAAG,QAAQ,CAAC;AAChD,iEAAiE;AACjE,MAAM,MAAM,mBAAmB,GAAG,MAAM,GAAG,sBAAsB,CAAC;AAClE,yEAAyE;AACzE,MAAM,MAAM,gBAAgB,GAAG,KAAK,CAAC;AAErC,uEAAuE;AACvE,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,kBAAkB,EAAE,OAAO,CAAC;CAC7B;AAED,mEAAmE;AACnE,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,4EAA
4E;AAC5E,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,4DAA4D;AAC5D,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED,gFAAgF;AAChF,MAAM,WAAW,8BAA8B;IAC7C,OAAO,EAAE,CAAC,CAAC;IACX,MAAM,EAAE,2BAA2B,EAAE,CAAC;CACvC;AAED,8DAA8D;AAC9D,MAAM,WAAW,2BAA2B;IAC1C,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;CACjB"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"compiler-contract.js","sourceRoot":"","sources":["../src/compiler-contract.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,6BAA6B,GAAG,CAAC,CAAC","sourcesContent":["
|
|
1
|
+
{"version":3,"file":"compiler-contract.js","sourceRoot":"","sources":["../src/compiler-contract.ts"],"names":[],"mappings":"AAAA,6FAA6F;AAC7F,MAAM,CAAC,MAAM,6BAA6B,GAAG,CAAC,CAAC","sourcesContent":["/** Version number for the compiler output metadata contract consumed by runtime packages. */\nexport const compilerOutputContractVersion = 1;\n\n/** Server rendering mode requested for transformed component output. */\nexport type ServerOutputMode = \"string\" | \"stream\";\n\n/** Receives HTML chunks and deferred work while server rendering. */\nexport interface HtmlSink {\n append(chunk: string): void;\n backpressure?(): Promise<void>;\n defer?(task: PromiseLike<void>): void;\n signal?: AbortSignal;\n}\n\n/** Complete source transform result emitted by a compiler frontend. */\nexport interface TransformOutput {\n code: string;\n map?: string | null;\n diagnostics: Diagnostic[];\n metadata: ModuleMetadata;\n}\n\n/** Compiler diagnostic reported for a transformed source module. */\nexport interface Diagnostic {\n level: \"info\" | \"warn\" | \"error\";\n code: string;\n message: string;\n loc?: SourceLocation;\n suggestion?: DiagnosticSuggestion;\n}\n\n/** Suggested action or reference attached to a compiler diagnostic. */\nexport interface DiagnosticSuggestion {\n title: string;\n replacement?: string;\n link?: string;\n}\n\n/** One-based source location used by compiler diagnostics. */\nexport interface SourceLocation {\n line: number;\n column: number;\n}\n\n/** Metadata that describes the transformed module and its runtime dependencies. 
*/\nexport interface ModuleMetadata {\n filename: string;\n target: CompileTarget;\n compiler: CompilerMetadata;\n serverOutput?: ServerOutputMode;\n serverBootstrap?: ServerBootstrapMode;\n serverBootstrapNonce?: string;\n serverBootstrapSrc?: string;\n serverHydration?: boolean;\n serverAwaitHydration?: boolean;\n reactSuspenseRevealScriptSrc?: string;\n components: ComponentMetadata[];\n imports: RuntimeImport[];\n clientReferences?: string[];\n clientReferenceManifest?: ClientReferenceMetadata[];\n serverReferences?: string[];\n eventHydrationManifest?: EventHydrationManifestMetadata;\n}\n\n/** Compilation target used to select client or server output. */\nexport type CompileTarget = \"client\" | \"server\";\n/** Bootstrap script mode requested by server output metadata. */\nexport type ServerBootstrapMode = \"none\" | \"out-of-order-reorder\";\n/** Compiler frontend implementation that produced a transform result. */\nexport type CompilerFrontend = \"oxc\";\n\n/** Compiler implementation metadata stored with a transform result. */\nexport interface CompilerMetadata {\n frontend: CompilerFrontend;\n typescriptFallback: boolean;\n}\n\n/** Client component export recorded for React Flight manifests. */\nexport interface ClientReferenceMetadata {\n name: string;\n moduleId: string;\n exportName: string;\n}\n\n/** Component export discovered by the compiler for runtime registration. */\nexport interface ComponentMetadata {\n name: string;\n exportName: string;\n}\n\n/** Runtime import required by transformed source output. */\nexport interface RuntimeImport {\n source: string;\n specifiers: string[];\n}\n\n/** Event hydration manifest metadata emitted with transformed server output. */\nexport interface EventHydrationManifestMetadata {\n version: 1;\n events: EventHydrationEntryMetadata[];\n}\n\n/** Event handler hydration entry recorded by the compiler. */\nexport interface EventHydrationEntryMetadata {\n id: string;\n event: string;\n handler: string;\n}\n"]}
|
package/dist/html-elements.d.ts
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"html-elements.d.ts","sourceRoot":"","sources":["../src/html-elements.ts"],"names":[],"mappings":"AAiBA,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAE1D"}
|
|
1
|
+
{"version":3,"file":"html-elements.d.ts","sourceRoot":"","sources":["../src/html-elements.ts"],"names":[],"mappings":"AAiBA,iFAAiF;AACjF,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAE1D"}
|
package/dist/html-elements.js
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"html-elements.js","sourceRoot":"","sources":["../src/html-elements.ts"],"names":[],"mappings":"AAAA,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC;IACnC,MAAM;IACN,MAAM;IACN,IAAI;IACJ,KAAK;IACL,OAAO;IACP,IAAI;IACJ,KAAK;IACL,OAAO;IACP,MAAM;IACN,MAAM;IACN,OAAO;IACP,QAAQ;IACR,OAAO;IACP,KAAK;CACN,CAAC,CAAC;AAEH,MAAM,UAAU,iBAAiB,CAAC,OAAe;IAC/C,OAAO,oBAAoB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AAC3C,CAAC","sourcesContent":["const voidHtmlElementNames = new Set([\n \"area\",\n \"base\",\n \"br\",\n \"col\",\n \"embed\",\n \"hr\",\n \"img\",\n \"input\",\n \"link\",\n \"meta\",\n \"param\",\n \"source\",\n \"track\",\n \"wbr\",\n]);\n\nexport function isVoidHtmlElement(tagName: string): boolean {\n return voidHtmlElementNames.has(tagName);\n}\n"]}
|
|
1
|
+
{"version":3,"file":"html-elements.js","sourceRoot":"","sources":["../src/html-elements.ts"],"names":[],"mappings":"AAAA,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC;IACnC,MAAM;IACN,MAAM;IACN,IAAI;IACJ,KAAK;IACL,OAAO;IACP,IAAI;IACJ,KAAK;IACL,OAAO;IACP,MAAM;IACN,MAAM;IACN,OAAO;IACP,QAAQ;IACR,OAAO;IACP,KAAK;CACN,CAAC,CAAC;AAEH,iFAAiF;AACjF,MAAM,UAAU,iBAAiB,CAAC,OAAe;IAC/C,OAAO,oBAAoB,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AAC3C,CAAC","sourcesContent":["const voidHtmlElementNames = new Set([\n \"area\",\n \"base\",\n \"br\",\n \"col\",\n \"embed\",\n \"hr\",\n \"img\",\n \"input\",\n \"link\",\n \"meta\",\n \"param\",\n \"source\",\n \"track\",\n \"wbr\",\n]);\n\n/** Returns true when an HTML tag is a void element that cannot have children. */\nexport function isVoidHtmlElement(tagName: string): boolean {\n return voidHtmlElementNames.has(tagName);\n}\n"]}
|
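--- a/package/dist/html-escape.d.ts
+++ b/package/dist/html-escape.d.ts
@@ -1,4 +1,7 @@
+/** Escapes text content for safe insertion between HTML tags. */
 export declare function escapeHtmlText(value: unknown): string;
+/** Escapes a value for safe use in an HTML attribute. */
 export declare function escapeHtmlAttribute(value: unknown): string;
+/** Escapes a value for safe use inside an already quoted HTML attribute. */
 export declare function escapeHtmlQuotedAttribute(value: unknown): string;
 //# sourceMappingURL=html-escape.d.ts.map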
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"html-escape.d.ts","sourceRoot":"","sources":["../src/html-escape.ts"],"names":[],"mappings":"AAIA,wBAAgB,cAAc,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAErD;AAED,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAE1D;AAED,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAEhE"}
|
|
1
|
+
{"version":3,"file":"html-escape.d.ts","sourceRoot":"","sources":["../src/html-escape.ts"],"names":[],"mappings":"AAIA,iEAAiE;AACjE,wBAAgB,cAAc,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAErD;AAED,yDAAyD;AACzD,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAE1D;AAED,4EAA4E;AAC5E,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAEhE"}
|
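--- a/package/dist/html-escape.js
+++ b/package/dist/html-escape.js
@@ -1,12 +1,15 @@
 const textEscapePattern = /[&<>]/;
 const attributeEscapePattern = /["&'<>]/;
 const quotedAttributeEscapePattern = /["&]/;
+/** Escapes text content for safe insertion between HTML tags. */
 export function escapeHtmlText(value) {
 return escapeHtml(String(value), textEscapePattern, textReplacement);
 }
+/** Escapes a value for safe use in an HTML attribute. */
 export function escapeHtmlAttribute(value) {
 return escapeHtml(String(value), attributeEscapePattern, attributeReplacement);
 }
+/** Escapes a value for safe use inside an already quoted HTML attribute. */
 export function escapeHtmlQuotedAttribute(value) {
 return escapeHtml(String(value), quotedAttributeEscapePattern, quotedAttributeReplacement);
 }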
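Review bot: The new comment on `escapeHtmlQuotedAttribute` says "already quoted", but `quotedAttributeEscapePattern` is `/["&]/`, so the function only rewrites `"` and `&` and is a safe encoder only for attributes delimited with double quotes; in a single-quoted attribute an unescaped `'` would still end the value. I would make the contract explicit, e.g. `/** Escapes a value for use inside a double-quoted HTML attribute; ' < and > are left as-is. */`, and carry the same wording into `html-escape.d.ts` (the comment presumably originates in `package/src/html-escape.ts`, listed in the file summary). The `escapeHtmlText` comment could likewise state that it targets ordinary element content, since entity escaping does not protect raw-text contexts such as `<script>` or `<style>`.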
package/dist/html-escape.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"html-escape.js","sourceRoot":"","sources":["../src/html-escape.ts"],"names":[],"mappings":"AAAA,MAAM,iBAAiB,GAAG,OAAO,CAAC;AAClC,MAAM,sBAAsB,GAAG,SAAS,CAAC;AACzC,MAAM,4BAA4B,GAAG,MAAM,CAAC;AAE5C,MAAM,UAAU,cAAc,CAAC,KAAc;IAC3C,OAAO,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,iBAAiB,EAAE,eAAe,CAAC,CAAC;AACvE,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,KAAc;IAChD,OAAO,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,sBAAsB,EAAE,oBAAoB,CAAC,CAAC;AACjF,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,KAAc;IACtD,OAAO,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,4BAA4B,EAAE,0BAA0B,CAAC,CAAC;AAC7F,CAAC;AAED,SAAS,UAAU,CACjB,KAAa,EACb,OAAe,EACf,kBAAwD;IAExD,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAElC,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACnB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;IAExB,OAAO,KAAK,GAAG,KAAK,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACxC,MAAM,WAAW,GAAG,kBAAkB,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;QAEhE,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;YAC9B,SAAS;QACX,CAAC;QAED,IAAI,SAAS,KAAK,KAAK,EAAE,CAAC;YACxB,OAAO,IAAI,KAAK,CAAC,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC/C,CAAC;QAED,OAAO,IAAI,WAAW,CAAC;QACvB,SAAS,GAAG,KAAK,GAAG,CAAC,CAAC;IACxB,CAAC;IAED,OAAO,SAAS,KAAK,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,GAAG,KAAK,CAAC,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;AACrF,CAAC;AAED,SAAS,eAAe,CAAC,IAAY;IACnC,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,EAAE;YACL,OAAO,OAAO,CAAC;QACjB,KAAK,EAAE;YACL,OAAO,MAAM,CAAC;QAChB,KAAK,EAAE;YACL,OAAO,MAAM,CAAC;QAChB;YACE,OAAO,SAAS,CAAC;IACrB,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,IAAY;IACxC,IAAI,IAAI,KAAK,EAAE,EAAE,CAAC;QAChB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,IAAI,IAAI,KAAK,EAAE,EAAE,CAAC;QAChB,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC;AAC/B,CAAC;AAED,SAAS,0BAA0B,CAAC,IAAY;IAC9C,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,EAAE;YACL,OAAO,QAAQ,CAAC;QAClB,KAAK,EAAE;YACL,OAAO,OAAO,CAAC;QACjB;YACE,OAAO,SAAS,CAAC;IACrB,CAAC;AACH,CAAC","sourcesContent":["const textEscapePattern = /[&<>]/;\nconst 
attributeEscapePattern = /[\"&'<>]/;\nconst quotedAttributeEscapePattern = /[\"&]/;\n\nexport function escapeHtmlText(value: unknown): string {\n return escapeHtml(String(value), textEscapePattern, textReplacement);\n}\n\nexport function escapeHtmlAttribute(value: unknown): string {\n return escapeHtml(String(value), attributeEscapePattern, attributeReplacement);\n}\n\nexport function escapeHtmlQuotedAttribute(value: unknown): string {\n return escapeHtml(String(value), quotedAttributeEscapePattern, quotedAttributeReplacement);\n}\n\nfunction escapeHtml(\n value: string,\n pattern: RegExp,\n replacementForCode: (code: number) => string | undefined,\n): string {\n const match = pattern.exec(value);\n\n if (match === null) {\n return value;\n }\n\n let escaped = \"\";\n let lastIndex = 0;\n let index = match.index;\n\n for (; index < value.length; index += 1) {\n const replacement = replacementForCode(value.charCodeAt(index));\n\n if (replacement === undefined) {\n continue;\n }\n\n if (lastIndex !== index) {\n escaped += value.substring(lastIndex, index);\n }\n\n escaped += replacement;\n lastIndex = index + 1;\n }\n\n return lastIndex === index ? escaped : escaped + value.substring(lastIndex, index);\n}\n\nfunction textReplacement(code: number): string | undefined {\n switch (code) {\n case 38:\n return \"&\";\n case 60:\n return \"<\";\n case 62:\n return \">\";\n default:\n return undefined;\n }\n}\n\nfunction attributeReplacement(code: number): string | undefined {\n if (code === 34) {\n return \""\";\n }\n\n if (code === 39) {\n return \"'\";\n }\n\n return textReplacement(code);\n}\n\nfunction quotedAttributeReplacement(code: number): string | undefined {\n switch (code) {\n case 34:\n return \""\";\n case 38:\n return \"&\";\n default:\n return undefined;\n }\n}\n"]}
|
|
1
|
+
{"version":3,"file":"html-escape.js","sourceRoot":"","sources":["../src/html-escape.ts"],"names":[],"mappings":"AAAA,MAAM,iBAAiB,GAAG,OAAO,CAAC;AAClC,MAAM,sBAAsB,GAAG,SAAS,CAAC;AACzC,MAAM,4BAA4B,GAAG,MAAM,CAAC;AAE5C,iEAAiE;AACjE,MAAM,UAAU,cAAc,CAAC,KAAc;IAC3C,OAAO,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,iBAAiB,EAAE,eAAe,CAAC,CAAC;AACvE,CAAC;AAED,yDAAyD;AACzD,MAAM,UAAU,mBAAmB,CAAC,KAAc;IAChD,OAAO,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,sBAAsB,EAAE,oBAAoB,CAAC,CAAC;AACjF,CAAC;AAED,4EAA4E;AAC5E,MAAM,UAAU,yBAAyB,CAAC,KAAc;IACtD,OAAO,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,4BAA4B,EAAE,0BAA0B,CAAC,CAAC;AAC7F,CAAC;AAED,SAAS,UAAU,CACjB,KAAa,EACb,OAAe,EACf,kBAAwD;IAExD,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAElC,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACnB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,IAAI,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC;IAExB,OAAO,KAAK,GAAG,KAAK,CAAC,MAAM,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QACxC,MAAM,WAAW,GAAG,kBAAkB,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;QAEhE,IAAI,WAAW,KAAK,SAAS,EAAE,CAAC;YAC9B,SAAS;QACX,CAAC;QAED,IAAI,SAAS,KAAK,KAAK,EAAE,CAAC;YACxB,OAAO,IAAI,KAAK,CAAC,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;QAC/C,CAAC;QAED,OAAO,IAAI,WAAW,CAAC;QACvB,SAAS,GAAG,KAAK,GAAG,CAAC,CAAC;IACxB,CAAC;IAED,OAAO,SAAS,KAAK,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,GAAG,KAAK,CAAC,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;AACrF,CAAC;AAED,SAAS,eAAe,CAAC,IAAY;IACnC,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,EAAE;YACL,OAAO,OAAO,CAAC;QACjB,KAAK,EAAE;YACL,OAAO,MAAM,CAAC;QAChB,KAAK,EAAE;YACL,OAAO,MAAM,CAAC;QAChB;YACE,OAAO,SAAS,CAAC;IACrB,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,IAAY;IACxC,IAAI,IAAI,KAAK,EAAE,EAAE,CAAC;QAChB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,IAAI,IAAI,KAAK,EAAE,EAAE,CAAC;QAChB,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC;AAC/B,CAAC;AAED,SAAS,0BAA0B,CAAC,IAAY;IAC9C,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,EAAE;YACL,OAAO,QAAQ,CAAC;QAClB,KAAK,EAAE;YACL,OAAO,OAAO,CAAC;QACjB;YACE,OAAO,SAAS,CAAC;IACrB,CAAC;AACH,CAAC","sourcesContent":["const 
textEscapePattern = /[&<>]/;\nconst attributeEscapePattern = /[\"&'<>]/;\nconst quotedAttributeEscapePattern = /[\"&]/;\n\n/** Escapes text content for safe insertion between HTML tags. */\nexport function escapeHtmlText(value: unknown): string {\n return escapeHtml(String(value), textEscapePattern, textReplacement);\n}\n\n/** Escapes a value for safe use in an HTML attribute. */\nexport function escapeHtmlAttribute(value: unknown): string {\n return escapeHtml(String(value), attributeEscapePattern, attributeReplacement);\n}\n\n/** Escapes a value for safe use inside an already quoted HTML attribute. */\nexport function escapeHtmlQuotedAttribute(value: unknown): string {\n return escapeHtml(String(value), quotedAttributeEscapePattern, quotedAttributeReplacement);\n}\n\nfunction escapeHtml(\n value: string,\n pattern: RegExp,\n replacementForCode: (code: number) => string | undefined,\n): string {\n const match = pattern.exec(value);\n\n if (match === null) {\n return value;\n }\n\n let escaped = \"\";\n let lastIndex = 0;\n let index = match.index;\n\n for (; index < value.length; index += 1) {\n const replacement = replacementForCode(value.charCodeAt(index));\n\n if (replacement === undefined) {\n continue;\n }\n\n if (lastIndex !== index) {\n escaped += value.substring(lastIndex, index);\n }\n\n escaped += replacement;\n lastIndex = index + 1;\n }\n\n return lastIndex === index ? 
escaped : escaped + value.substring(lastIndex, index);\n}\n\nfunction textReplacement(code: number): string | undefined {\n switch (code) {\n case 38:\n return \"&\";\n case 60:\n return \"<\";\n case 62:\n return \">\";\n default:\n return undefined;\n }\n}\n\nfunction attributeReplacement(code: number): string | undefined {\n if (code === 34) {\n return \""\";\n }\n\n if (code === 39) {\n return \"'\";\n }\n\n return textReplacement(code);\n}\n\nfunction quotedAttributeReplacement(code: number): string | undefined {\n switch (code) {\n case 34:\n return \""\";\n case 38:\n return \"&\";\n default:\n return undefined;\n }\n}\n"]}
|
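--- a/package/dist/url-safety.d.ts
+++ b/package/dist/url-safety.d.ts
@@ -1,10 +1,17 @@
+/** Returns true for HTML attributes that require explicit unsafe-HTML opt-in handling. */
 export declare function isDangerousHtmlAttribute(name: string): boolean;
+/** Narrows a value to an explicit raw HTML opt-in payload. */
 export declare function isDangerousHtmlOptIn(value: unknown): value is {
 __html: string;
 };
+/** Returns true when an attribute name normally carries a single URL value. */
 export declare function isUrlAttribute(name: string): boolean;
+/** Returns true when an attribute name carries a srcset-style URL list. */
 export declare function isSrcsetAttribute(name: string): boolean;
+/** Checks whether an HTML URL-bearing attribute value uses a blocked scheme. */
 export declare function isUnsafeUrlAttribute(name: string, value: string): boolean;
+/** Returns the original URL attribute value when it is safe, otherwise undefined. */
 export declare function safeUrlAttributeValue(name: string, value: string): string | undefined;
+/** Checks whether a meta refresh content value redirects to an unsafe URL. */
 export declare function isUnsafeMetaRefreshContent(httpEquiv: string, content: string): boolean;
 //# sourceMappingURL=url-safety.d.ts.map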
package/dist/url-safety.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"url-safety.d.ts","sourceRoot":"","sources":["../src/url-safety.ts"],"names":[],"mappings":"AA4BA,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE9D;AAED,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,OAAO,GACb,KAAK,IAAI;IAAE,MAAM,EAAE,MAAM,CAAA;CAAE,CAO7B;AAED,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEpD;AAED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEvD;AAED,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAczE;AAED,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAErF;AAED,wBAAgB,0BAA0B,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAKtF"}
|
|
1
|
+
{"version":3,"file":"url-safety.d.ts","sourceRoot":"","sources":["../src/url-safety.ts"],"names":[],"mappings":"AA4BA,0FAA0F;AAC1F,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE9D;AAED,8DAA8D;AAC9D,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,OAAO,GACb,KAAK,IAAI;IAAE,MAAM,EAAE,MAAM,CAAA;CAAE,CAO7B;AAED,+EAA+E;AAC/E,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEpD;AAED,2EAA2E;AAC3E,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEvD;AAED,gFAAgF;AAChF,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAczE;AAED,qFAAqF;AACrF,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAErF;AAED,8EAA8E;AAC9E,wBAAgB,0BAA0B,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAKtF"}
|
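--- a/package/dist/url-safety.js
+++ b/package/dist/url-safety.js
@@ -21,21 +21,26 @@ const UNSAFE_URL_SCHEMES = new Set([
 "mhtml",
 "file",
 ]);
+/** Returns true for HTML attributes that require explicit unsafe-HTML opt-in handling. */
 export function isDangerousHtmlAttribute(name) {
 return DANGEROUS_HTML_ATTRIBUTE_NAMES.has(name);
 }
+/** Narrows a value to an explicit raw HTML opt-in payload. */
 export function isDangerousHtmlOptIn(value) {
 return (typeof value === "object" &&
 value !== null &&
 "__html" in value &&
 typeof value.__html === "string");
 }
+/** Returns true when an attribute name normally carries a single URL value. */
 export function isUrlAttribute(name) {
 return URL_ATTRIBUTE_NAMES.has(name);
 }
+/** Returns true when an attribute name carries a srcset-style URL list. */
 export function isSrcsetAttribute(name) {
 return SRCSET_ATTRIBUTE_NAMES.has(name);
 }
+/** Checks whether an HTML URL-bearing attribute value uses a blocked scheme. */
 export function isUnsafeUrlAttribute(name, value) {
 if (isUrlAttribute(name)) {
 return isUnsafeUrlValueForName(name, value);
@@ -53,9 +58,11 @@ export function isUnsafeUrlAttribute(name, value) {
 }
 return false;
 }
+/** Returns the original URL attribute value when it is safe, otherwise undefined. */
 export function safeUrlAttributeValue(name, value) {
 return isUnsafeUrlAttribute(name, value) ? undefined : value;
 }
+/** Checks whether a meta refresh content value redirects to an unsafe URL. */
 export function isUnsafeMetaRefreshContent(httpEquiv, content) {
 if (httpEquiv.toLowerCase() !== "refresh")
 return false;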
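Review bot: The new comments on `isUrlAttribute`, `isSrcsetAttribute` and `isDangerousHtmlAttribute` leave out that each check is an exact, case-sensitive `Set.has(name)`, whereas `isUnsafeMetaRefreshContent` lower-cases `httpEquiv` before comparing. Any name not found in those sets reaches the final `return false` in `isUnsafeUrlAttribute`, so `safeUrlAttributeValue` returns the value unchanged; unless callers always pass the name in the same casing as the set entries (neither the callers nor the set contents are visible here), the "safe" wording overstates what is checked. I would either normalise `name` inside these helpers or document the precondition, e.g. `/** Expects the attribute name in canonical casing; names outside the URL/srcset sets are reported as not unsafe. */`. It is also worth saying in the `isUnsafeUrlAttribute` comment that `UNSAFE_URL_SCHEMES` is a denylist, so schemes not listed pass. Part of `isUnsafeUrlAttribute` lies between the two hunks, and the same comments appear in `url-safety.d.ts`.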
package/dist/url-safety.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"url-safety.js","sourceRoot":"","sources":["../src/url-safety.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,sDAAsD;AAEtD,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,MAAM;IACN,KAAK;IACL,QAAQ;IACR,YAAY;IACZ,YAAY;IACZ,MAAM;IACN,QAAQ;IACR,YAAY;IACZ,UAAU;CACX,CAAC,CAAC;AAEH,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC;AAElE,MAAM,8BAA8B,GAAG,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;AAE3D,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,YAAY;IACZ,MAAM;IACN,UAAU;IACV,YAAY;IACZ,OAAO;IACP,MAAM;CACP,CAAC,CAAC;AAEH,MAAM,UAAU,wBAAwB,CAAC,IAAY;IACnD,OAAO,8BAA8B,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAClD,CAAC;AAED,MAAM,UAAU,oBAAoB,CAClC,KAAc;IAEd,OAAO,CACL,OAAO,KAAK,KAAK,QAAQ;QACzB,KAAK,KAAK,IAAI;QACd,QAAQ,IAAI,KAAK;QACjB,OAAQ,KAA8B,CAAC,MAAM,KAAK,QAAQ,CAC3D,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,OAAO,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AACvC,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,OAAO,sBAAsB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,IAAY,EAAE,KAAa;IAC9D,IAAI,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,OAAO,uBAAuB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC9C,CAAC;IACD,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,MAAM,SAAS,GAAG,6BAA6B,CAAC,KAAK,CAAC,CAAC;QACvD,KAAK,MAAM,SAAS,IAAI,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YAC7C,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACnD,IAAI,GAAG,KAAK,EAAE;gBAAE,SAAS;YACzB,IAAI,uBAAuB,CAAC,KAAK,EAAE,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAC;QACvD,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,IAAY,EAAE,KAAa;IAC/D,OAAO,oBAAoB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC;AAC/D,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,SAAiB,EAAE,OAAe;IAC3E,IAAI,SAAS,CAAC,WAAW,EAAE,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IACxD,MAAM,KAAK,GAAG,kCAAkC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IAC3D,OAAO,uBAAuB,CAAC,MAAM,EAAE,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC
,CAAC,CAAC;AAClF,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAa;IAC3C,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAEnC,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACvB,IAAI,CAAC,KAAK,KAAK,GAAG,IAAI,KAAK,KAAK,GAAG,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,KAAK,EAAE,CAAC;QAC1E,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,6BAA6B,CAAC,KAAa;IAClD,IAAI,KAAK,GAAG,CAAC,CAAC;IAEd,OAAO,KAAK,GAAG,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;QAC/D,KAAK,IAAI,CAAC,CAAC;IACb,CAAC;IAED,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,QAAQ,CAAC,KAAa;IAC7B,MAAM,KAAK,GAAG,6BAA6B,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxD,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC/D,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;AAChC,CAAC;AAED,SAAS,uBAAuB,CAAC,IAAY,EAAE,KAAa;IAC1D,MAAM,SAAS,GAAG,6BAA6B,CAAC,KAAK,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC;IACnC,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAClD,IAAI,MAAM,KAAK,MAAM,IAAI,CAAC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,QAAQ,CAAC,EAAE,CAAC;QAC/D,IAAI,sCAAsC,CAAC,IAAI,CAAC,SAAS,CAAC;YAAE,OAAO,KAAK,CAAC;IAC3E,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC","sourcesContent":["// Canonical URL and HTML-attribute safety helpers shared across server,\n// React compatibility, and reactive DOM render paths.\n\nconst URL_ATTRIBUTE_NAMES = new Set([\n \"href\",\n \"src\",\n \"action\",\n \"formaction\",\n \"xlink:href\",\n \"ping\",\n \"poster\",\n \"background\",\n \"manifest\",\n]);\n\nconst SRCSET_ATTRIBUTE_NAMES = new Set([\"srcset\", \"imagesrcset\"]);\n\nconst DANGEROUS_HTML_ATTRIBUTE_NAMES = new Set([\"srcdoc\"]);\n\nconst UNSAFE_URL_SCHEMES = new Set([\n \"javascript\",\n \"data\",\n \"vbscript\",\n \"livescript\",\n \"mhtml\",\n \"file\",\n]);\n\nexport function isDangerousHtmlAttribute(name: string): boolean {\n 
return DANGEROUS_HTML_ATTRIBUTE_NAMES.has(name);\n}\n\nexport function isDangerousHtmlOptIn(\n value: unknown,\n): value is { __html: string } {\n return (\n typeof value === \"object\" &&\n value !== null &&\n \"__html\" in value &&\n typeof (value as { __html?: unknown }).__html === \"string\"\n );\n}\n\nexport function isUrlAttribute(name: string): boolean {\n return URL_ATTRIBUTE_NAMES.has(name);\n}\n\nexport function isSrcsetAttribute(name: string): boolean {\n return SRCSET_ATTRIBUTE_NAMES.has(name);\n}\n\nexport function isUnsafeUrlAttribute(name: string, value: string): boolean {\n if (isUrlAttribute(name)) {\n return isUnsafeUrlValueForName(name, value);\n }\n if (isSrcsetAttribute(name)) {\n const canonical = canonicalizeUrlForSchemeCheck(value);\n for (const candidate of canonical.split(\",\")) {\n const url = candidate.trim().split(/\\s+/)[0] ?? \"\";\n if (url === \"\") continue;\n if (isUnsafeUrlValueForName(\"src\", url)) return true;\n }\n return false;\n }\n return false;\n}\n\nexport function safeUrlAttributeValue(name: string, value: string): string | undefined {\n return isUnsafeUrlAttribute(name, value) ? 
undefined : value;\n}\n\nexport function isUnsafeMetaRefreshContent(httpEquiv: string, content: string): boolean {\n if (httpEquiv.toLowerCase() !== \"refresh\") return false;\n const match = /^[^;]*;\\s*url\\s*=\\s*([\\s\\S]+)$/iu.exec(content);\n if (match === null || match[1] === undefined) return false;\n return isUnsafeUrlValueForName(\"href\", stripSurroundingQuotes(match[1].trim()));\n}\n\nfunction stripSurroundingQuotes(value: string): string {\n if (value.length < 2) return value;\n\n const quote = value[0];\n if ((quote === '\"' || quote === \"'\") && value[value.length - 1] === quote) {\n return value.slice(1, -1).trim();\n }\n\n return value;\n}\n\nfunction canonicalizeUrlForSchemeCheck(value: string): string {\n let start = 0;\n\n while (start < value.length && value.charCodeAt(start) <= 0x20) {\n start += 1;\n }\n\n return value.slice(start).replace(/[\\t\\r\\n]/g, \"\");\n}\n\nfunction schemeOf(value: string): string | undefined {\n const match = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(value);\n if (match === null || match[1] === undefined) return undefined;\n return match[1].toLowerCase();\n}\n\nfunction isUnsafeUrlValueForName(name: string, value: string): boolean {\n const canonical = canonicalizeUrlForSchemeCheck(value);\n const scheme = schemeOf(canonical);\n if (scheme === undefined) return false;\n if (!UNSAFE_URL_SCHEMES.has(scheme)) return false;\n if (scheme === \"data\" && (name === \"src\" || name === \"poster\")) {\n if (/^data:image\\/(?!svg\\+xml(?:[;,]|$))/i.test(canonical)) return false;\n }\n return true;\n}\n"]}
|
|
1
|
+
{"version":3,"file":"url-safety.js","sourceRoot":"","sources":["../src/url-safety.ts"],"names":[],"mappings":"AAAA,wEAAwE;AACxE,sDAAsD;AAEtD,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,MAAM;IACN,KAAK;IACL,QAAQ;IACR,YAAY;IACZ,YAAY;IACZ,MAAM;IACN,QAAQ;IACR,YAAY;IACZ,UAAU;CACX,CAAC,CAAC;AAEH,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC;AAElE,MAAM,8BAA8B,GAAG,IAAI,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;AAE3D,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,YAAY;IACZ,MAAM;IACN,UAAU;IACV,YAAY;IACZ,OAAO;IACP,MAAM;CACP,CAAC,CAAC;AAEH,0FAA0F;AAC1F,MAAM,UAAU,wBAAwB,CAAC,IAAY;IACnD,OAAO,8BAA8B,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAClD,CAAC;AAED,8DAA8D;AAC9D,MAAM,UAAU,oBAAoB,CAClC,KAAc;IAEd,OAAO,CACL,OAAO,KAAK,KAAK,QAAQ;QACzB,KAAK,KAAK,IAAI;QACd,QAAQ,IAAI,KAAK;QACjB,OAAQ,KAA8B,CAAC,MAAM,KAAK,QAAQ,CAC3D,CAAC;AACJ,CAAC;AAED,+EAA+E;AAC/E,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,OAAO,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AACvC,CAAC;AAED,2EAA2E;AAC3E,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,OAAO,sBAAsB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AAC1C,CAAC;AAED,gFAAgF;AAChF,MAAM,UAAU,oBAAoB,CAAC,IAAY,EAAE,KAAa;IAC9D,IAAI,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,OAAO,uBAAuB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC9C,CAAC;IACD,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,MAAM,SAAS,GAAG,6BAA6B,CAAC,KAAK,CAAC,CAAC;QACvD,KAAK,MAAM,SAAS,IAAI,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YAC7C,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACnD,IAAI,GAAG,KAAK,EAAE;gBAAE,SAAS;YACzB,IAAI,uBAAuB,CAAC,KAAK,EAAE,GAAG,CAAC;gBAAE,OAAO,IAAI,CAAC;QACvD,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,qFAAqF;AACrF,MAAM,UAAU,qBAAqB,CAAC,IAAY,EAAE,KAAa;IAC/D,OAAO,oBAAoB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC;AAC/D,CAAC;AAED,8EAA8E;AAC9E,MAAM,UAAU,0BAA0B,CAAC,SAAiB,EAAE,OAAe;IAC3E,IAAI,SAAS,CAAC,WAAW,EAAE,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IACxD,MAAM,KAAK,GAAG,kCAAkC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC/D,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,SAAS;QAAE,OAAO,KAA
K,CAAC;IAC3D,OAAO,uBAAuB,CAAC,MAAM,EAAE,sBAAsB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;AAClF,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAa;IAC3C,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAEnC,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IACvB,IAAI,CAAC,KAAK,KAAK,GAAG,IAAI,KAAK,KAAK,GAAG,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,KAAK,EAAE,CAAC;QAC1E,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACnC,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,6BAA6B,CAAC,KAAa;IAClD,IAAI,KAAK,GAAG,CAAC,CAAC;IAEd,OAAO,KAAK,GAAG,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC;QAC/D,KAAK,IAAI,CAAC,CAAC;IACb,CAAC;IAED,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,QAAQ,CAAC,KAAa;IAC7B,MAAM,KAAK,GAAG,6BAA6B,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxD,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC/D,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;AAChC,CAAC;AAED,SAAS,uBAAuB,CAAC,IAAY,EAAE,KAAa;IAC1D,MAAM,SAAS,GAAG,6BAA6B,CAAC,KAAK,CAAC,CAAC;IACvD,MAAM,MAAM,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC;IACnC,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAClD,IAAI,MAAM,KAAK,MAAM,IAAI,CAAC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,QAAQ,CAAC,EAAE,CAAC;QAC/D,IAAI,sCAAsC,CAAC,IAAI,CAAC,SAAS,CAAC;YAAE,OAAO,KAAK,CAAC;IAC3E,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC","sourcesContent":["// Canonical URL and HTML-attribute safety helpers shared across server,\n// React compatibility, and reactive DOM render paths.\n\nconst URL_ATTRIBUTE_NAMES = new Set([\n \"href\",\n \"src\",\n \"action\",\n \"formaction\",\n \"xlink:href\",\n \"ping\",\n \"poster\",\n \"background\",\n \"manifest\",\n]);\n\nconst SRCSET_ATTRIBUTE_NAMES = new Set([\"srcset\", \"imagesrcset\"]);\n\nconst DANGEROUS_HTML_ATTRIBUTE_NAMES = new Set([\"srcdoc\"]);\n\nconst UNSAFE_URL_SCHEMES = new Set([\n \"javascript\",\n \"data\",\n \"vbscript\",\n \"livescript\",\n 
\"mhtml\",\n \"file\",\n]);\n\n/** Returns true for HTML attributes that require explicit unsafe-HTML opt-in handling. */\nexport function isDangerousHtmlAttribute(name: string): boolean {\n return DANGEROUS_HTML_ATTRIBUTE_NAMES.has(name);\n}\n\n/** Narrows a value to an explicit raw HTML opt-in payload. */\nexport function isDangerousHtmlOptIn(\n value: unknown,\n): value is { __html: string } {\n return (\n typeof value === \"object\" &&\n value !== null &&\n \"__html\" in value &&\n typeof (value as { __html?: unknown }).__html === \"string\"\n );\n}\n\n/** Returns true when an attribute name normally carries a single URL value. */\nexport function isUrlAttribute(name: string): boolean {\n return URL_ATTRIBUTE_NAMES.has(name);\n}\n\n/** Returns true when an attribute name carries a srcset-style URL list. */\nexport function isSrcsetAttribute(name: string): boolean {\n return SRCSET_ATTRIBUTE_NAMES.has(name);\n}\n\n/** Checks whether an HTML URL-bearing attribute value uses a blocked scheme. */\nexport function isUnsafeUrlAttribute(name: string, value: string): boolean {\n if (isUrlAttribute(name)) {\n return isUnsafeUrlValueForName(name, value);\n }\n if (isSrcsetAttribute(name)) {\n const canonical = canonicalizeUrlForSchemeCheck(value);\n for (const candidate of canonical.split(\",\")) {\n const url = candidate.trim().split(/\\s+/)[0] ?? \"\";\n if (url === \"\") continue;\n if (isUnsafeUrlValueForName(\"src\", url)) return true;\n }\n return false;\n }\n return false;\n}\n\n/** Returns the original URL attribute value when it is safe, otherwise undefined. */\nexport function safeUrlAttributeValue(name: string, value: string): string | undefined {\n return isUnsafeUrlAttribute(name, value) ? undefined : value;\n}\n\n/** Checks whether a meta refresh content value redirects to an unsafe URL. 
*/\nexport function isUnsafeMetaRefreshContent(httpEquiv: string, content: string): boolean {\n if (httpEquiv.toLowerCase() !== \"refresh\") return false;\n const match = /^[^;]*;\\s*url\\s*=\\s*([\\s\\S]+)$/iu.exec(content);\n if (match === null || match[1] === undefined) return false;\n return isUnsafeUrlValueForName(\"href\", stripSurroundingQuotes(match[1].trim()));\n}\n\nfunction stripSurroundingQuotes(value: string): string {\n if (value.length < 2) return value;\n\n const quote = value[0];\n if ((quote === '\"' || quote === \"'\") && value[value.length - 1] === quote) {\n return value.slice(1, -1).trim();\n }\n\n return value;\n}\n\nfunction canonicalizeUrlForSchemeCheck(value: string): string {\n let start = 0;\n\n while (start < value.length && value.charCodeAt(start) <= 0x20) {\n start += 1;\n }\n\n return value.slice(start).replace(/[\\t\\r\\n]/g, \"\");\n}\n\nfunction schemeOf(value: string): string | undefined {\n const match = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(value);\n if (match === null || match[1] === undefined) return undefined;\n return match[1].toLowerCase();\n}\n\nfunction isUnsafeUrlValueForName(name: string, value: string): boolean {\n const canonical = canonicalizeUrlForSchemeCheck(value);\n const scheme = schemeOf(canonical);\n if (scheme === undefined) return false;\n if (!UNSAFE_URL_SCHEMES.has(scheme)) return false;\n if (scheme === \"data\" && (name === \"src\" || name === \"poster\")) {\n if (/^data:image\\/(?!svg\\+xml(?:[;,]|$))/i.test(canonical)) return false;\n }\n return true;\n}\n"]}
|
package/package.json
CHANGED
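--- a/package/src/compiler-contract.ts
+++ b/package/src/compiler-contract.ts
@@ -1,7 +1,10 @@
+/** Version number for the compiler output metadata contract consumed by runtime packages. */
 export const compilerOutputContractVersion = 1;
 
+/** Server rendering mode requested for transformed component output. */
 export type ServerOutputMode = "string" | "stream";
 
+/** Receives HTML chunks and deferred work while server rendering. */
 export interface HtmlSink {
 append(chunk: string): void;
 backpressure?(): Promise<void>;
@@ -9,6 +12,7 @@ export interface HtmlSink {
 signal?: AbortSignal;
 }
 
+/** Complete source transform result emitted by a compiler frontend. */
 export interface TransformOutput {
 code: string;
 map?: string | null;
@@ -16,6 +20,7 @@ export interface TransformOutput {
 metadata: ModuleMetadata;
 }
 
+/** Compiler diagnostic reported for a transformed source module. */
 export interface Diagnostic {
 level: "info" | "warn" | "error";
 code: string;
@@ -24,17 +29,20 @@ export interface Diagnostic {
 suggestion?: DiagnosticSuggestion;
 }
 
+/** Suggested action or reference attached to a compiler diagnostic. */
 export interface DiagnosticSuggestion {
 title: string;
 replacement?: string;
 link?: string;
 }
 
+/** One-based source location used by compiler diagnostics. */
 export interface SourceLocation {
 line: number;
 column: number;
 }
 
+/** Metadata that describes the transformed module and its runtime dependencies. */
 export interface ModuleMetadata {
 filename: string;
 target: CompileTarget;
@@ -54,36 +62,45 @@ export interface ModuleMetadata {
 eventHydrationManifest?: EventHydrationManifestMetadata;
 }
 
+/** Compilation target used to select client or server output. */
 export type CompileTarget = "client" | "server";
+/** Bootstrap script mode requested by server output metadata. */
 export type ServerBootstrapMode = "none" | "out-of-order-reorder";
+/** Compiler frontend implementation that produced a transform result. */
 export type CompilerFrontend = "oxc";
 
+/** Compiler implementation metadata stored with a transform result. */
 export interface CompilerMetadata {
 frontend: CompilerFrontend;
 typescriptFallback: boolean;
 }
 
+/** Client component export recorded for React Flight manifests. */
 export interface ClientReferenceMetadata {
 name: string;
 moduleId: string;
 exportName: string;
 }
 
+/** Component export discovered by the compiler for runtime registration. */
 export interface ComponentMetadata {
 name: string;
 exportName: string;
 }
 
+/** Runtime import required by transformed source output. */
 export interface RuntimeImport {
 source: string;
 specifiers: string[];
 }
 
+/** Event hydration manifest metadata emitted with transformed server output. */
 export interface EventHydrationManifestMetadata {
 version: 1;
 events: EventHydrationEntryMetadata[];
 }
 
+/** Event handler hydration entry recorded by the compiler. */
 export interface EventHydrationEntryMetadata {
 id: string;
 event: string;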
package/src/html-elements.ts
CHANGED
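--- a/package/src/html-escape.ts
+++ b/package/src/html-escape.ts
@@ -2,14 +2,17 @@ const textEscapePattern = /[&<>]/;
 const attributeEscapePattern = /["&'<>]/;
 const quotedAttributeEscapePattern = /["&]/;
 
+/** Escapes text content for safe insertion between HTML tags. */
 export function escapeHtmlText(value: unknown): string {
 return escapeHtml(String(value), textEscapePattern, textReplacement);
 }
 
+/** Escapes a value for safe use in an HTML attribute. */
 export function escapeHtmlAttribute(value: unknown): string {
 return escapeHtml(String(value), attributeEscapePattern, attributeReplacement);
 }
 
+/** Escapes a value for safe use inside an already quoted HTML attribute. */
 export function escapeHtmlQuotedAttribute(value: unknown): string {
 return escapeHtml(String(value), quotedAttributeEscapePattern, quotedAttributeReplacement);
 }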
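Review bot: The comment added on `escapeHtmlQuotedAttribute` says "already quoted" without naming the quote character, yet `quotedAttributeEscapePattern` is `/["&]/`, so a single quote appears to pass through unescaped and the result is only safe inside a double-quoted attribute. I would make that explicit: `/** Escapes a value for use inside a double-quoted HTML attribute; single quotes are left as-is. */`. The comment on `escapeHtmlAttribute` could likewise say the result is meant for a quoted attribute value, since `attributeEscapePattern` does not cover whitespace or `=`. The `escapeHtml` helper and the replacement callbacks are outside this hunk, so this reading rests on the two patterns alone.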
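--- a/package/src/url-safety.ts
+++ b/package/src/url-safety.ts
@@ -26,10 +26,12 @@ const UNSAFE_URL_SCHEMES = new Set([
 "file",
 ]);
 
+/** Returns true for HTML attributes that require explicit unsafe-HTML opt-in handling. */
 export function isDangerousHtmlAttribute(name: string): boolean {
 return DANGEROUS_HTML_ATTRIBUTE_NAMES.has(name);
 }
 
+/** Narrows a value to an explicit raw HTML opt-in payload. */
 export function isDangerousHtmlOptIn(
 value: unknown,
 ): value is { __html: string } {
@@ -41,14 +43,17 @@ export function isDangerousHtmlOptIn(
 );
 }
 
+/** Returns true when an attribute name normally carries a single URL value. */
 export function isUrlAttribute(name: string): boolean {
 return URL_ATTRIBUTE_NAMES.has(name);
 }
 
+/** Returns true when an attribute name carries a srcset-style URL list. */
 export function isSrcsetAttribute(name: string): boolean {
 return SRCSET_ATTRIBUTE_NAMES.has(name);
 }
 
+/** Checks whether an HTML URL-bearing attribute value uses a blocked scheme. */
 export function isUnsafeUrlAttribute(name: string, value: string): boolean {
 if (isUrlAttribute(name)) {
 return isUnsafeUrlValueForName(name, value);
@@ -65,10 +70,12 @@ export function isUnsafeUrlAttribute(name: string, value: string): boolean {
 return false;
 }
 
+/** Returns the original URL attribute value when it is safe, otherwise undefined. */
 export function safeUrlAttributeValue(name: string, value: string): string | undefined {
 return isUnsafeUrlAttribute(name, value) ? undefined : value;
 }
 
+/** Checks whether a meta refresh content value redirects to an unsafe URL. */
 export function isUnsafeMetaRefreshContent(httpEquiv: string, content: string): boolean {
 if (httpEquiv.toLowerCase() !== "refresh") return false;
 const match = /^[^;]*;\s*url\s*=\s*([\s\S]+)$/iu.exec(content);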
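Review bot: The comment added on `isUnsafeUrlAttribute` leaves out that the attribute name is matched exactly. `isUrlAttribute` and `isSrcsetAttribute` call `Set.has(name)`, the set entries shown in the source map's `sourcesContent` are all lowercase (`formaction`, `xlink:href`), and the function ends in `return false`, so a name passed as `formAction` or `HREF` is reported as not unsafe without the value being looked at. Whether callers always lowercase the name first is not visible in these hunks; if they do not, the check fails open. I would state the contract in the comment, `/** Checks whether a URL-bearing attribute value uses a blocked scheme; name must be the lowercased attribute name, any other name returns false. */`, or normalise `name` at the top of the function. The middle of the function body lies between the second and third hunks and is not shown here.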