npm - @stacksjs/sanitizer - Versions diffs - 0.2.0 → 0.2.5 - Mend

@stacksjs/sanitizer 0.2.0 → 0.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/LICENSE.md ADDED Viewed

@@ -0,0 +1,21 @@
+# MIT License
+Copyright (c) 2025 Stacks.js
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,360 @@
+![Social Card of stx](https://github.com/stacksjs/stx/blob/main/.github/art/cover.jpg)
+[![npm version][npm-version-src]][npm-version-href]
+[![GitHub Actions][github-actions-src]][github-actions-href]
+[![Commitizen friendly](https://img.shields.io/badge/commitizen-friendly-brightgreen.svg)](http://commitizen.github.io/cz-cli/)
+[![npm downloads][npm-downloads-src]][npm-downloads-href]
+# stx
+A modern templating engine with Vue-like Single File Components, Laravel Blade directives, and Bun-powered performance.
+## Features
+- **Vue-like SFC** - `<script>`, `<template>`, `<style>` structure
+- **Auto-imported Components** - Use `<Card />` directly, no imports needed
+- **Two-way Binding** - `x-model` and `x-text` for reactive forms
+- **Blade Directives** - `@if`, `@foreach`, `@layout`, `@section`
+- **Props & Slots** - Pass data and content to components
+- **200K+ Icons** - Built-in Iconify integration
+- **Custom Directives** - Extend with your own directives
+## Quick Start
+```bash
+bun add bun-plugin-stx
+```
+```toml
+# bunfig.toml
+preload = ["bun-plugin-stx"]
+```
+## Single File Components
+STX components use a Vue-like structure:
+```html
+<!-- components/Greeting.stx -->
+<script server>
+// Server-side only - used for SSR, stripped from output
+const name = props.name || 'World'
+const time = new Date().toLocaleTimeString()
+</script>
+<template>
+  <div class="greeting">
+    <h1>Hello, {{ name }}!</h1>
+    <p>Current time: {{ time }}</p>
+    <slot />
+  </div>
+</template>
+<style>
+.greeting {
+  padding: 2rem;
+  background: #f5f5f5;
+}
+</style>
+```
+### Script Types
+| Type | Behavior |
+|------|----------|
+| `<script server>` | SSR only - extracted for variables, stripped from output |
+| `<script client>` | Client only - preserved for browser, skips server evaluation |
+| `<script>` | Both - runs on server AND preserved for client |
+## Components
+Components in `components/` are auto-imported using PascalCase:
+```html
+<!-- pages/home.stx -->
+<Header />
+<main>
+  <UserCard name="John" role="Admin" />
+  <Card title="Welcome">
+    <p>This goes into the slot!</p>
+  </Card>
+</main>
+<Footer />
+```
+### Props
+Pass data to components via attributes:
+```html
+<!-- String prop -->
+<Card title="Hello" />
+<!-- Expression binding with : -->
+<Card :count="items.length" :active="isActive" />
+<!-- Mustache interpolation -->
+<Card title="{{ userName }}" />
+```
+Access props in components:
+```html
+<script server>
+const title = props.title || 'Default'
+const count = props.count || 0
+</script>
+<template>
+  <h1>{{ title }}</h1>
+  <p>Count: {{ count }}</p>
+</template>
+```
+### Slots
+Use `<slot />` to inject content:
+```html
+<!-- components/Card.stx -->
+<template>
+  <div class="card">
+    <h2>{{ props.title }}</h2>
+    <slot />
+  </div>
+</template>
+```
+```html
+<!-- Usage -->
+<Card title="News">
+  <p>This content appears in the slot!</p>
+</Card>
+```
+### Explicit Imports
+For components outside `components/`, use `@import`:
+```html
+@import('layouts/Sidebar')
+@import('shared/Button', 'shared/Modal')
+<Sidebar />
+<Button label="Click me" />
+```
+## Layouts
+Wrap pages with common structure using `@layout`:
+```html
+<!-- layouts/default.stx -->
+<!DOCTYPE html>
+<html>
+<head>
+  <title>{{ title || 'My App' }}</title>
+</head>
+<body>
+  <Header />
+  <main>
+    @yield('content')
+  </main>
+  <Footer />
+</body>
+</html>
+```
+```html
+<!-- pages/about.stx -->
+@layout('default')
+@section('content')
+  <h1>About Us</h1>
+  <p>Welcome to our site.</p>
+@endsection
+```
+## Two-Way Binding (x-element)
+For reactive forms, use x-element directives:
+```html
+<div x-data="{ message: '', count: 0 }">
+  <!-- Two-way binding -->
+  <input x-model="message" placeholder="Type here..." />
+  <!-- Reactive display -->
+  <p>You typed: <span x-text="message"></span></p>
+  <!-- Event handling -->
+  <button @click="count++">Increment</button>
+  <button @click="count--">Decrement</button>
+  <span x-text="count"></span>
+</div>
+```
+| Directive | Purpose |
+|-----------|---------|
+| `x-data` | Define reactive scope |
+| `x-model` | Two-way binding for inputs |
+| `x-text` | Reactive text content |
+| `@click` | Event handling |
+## Template Directives
+### Conditionals
+```html
+@if (user.isAdmin)
+  <AdminPanel />
+@elseif (user.isEditor)
+  <EditorTools />
+@else
+  <UserView />
+@endif
+```
+### Loops
+```html
+@foreach (items as item)
+  <li>{{ item.name }}</li>
+@endforeach
+@for (let i = 0; i < 5; i++)
+  <li>Item {{ i }}</li>
+@endfor
+```
+### Auth Guards
+```html
+@auth
+  <p>Welcome back, {{ user.name }}!</p>
+@endauth
+@guest
+  <a href="/login">Please log in</a>
+@endguest
+```
+### Output
+```html
+<!-- Escaped (safe) -->
+{{ userInput }}
+<!-- Raw HTML (trusted content only) -->
+{!! trustedHtml !!}
+```
+## Custom Directives
+Register custom directives in your build:
+```typescript
+import { stxPlugin, type CustomDirective } from 'bun-plugin-stx'
+const uppercase: CustomDirective = {
+  name: 'uppercase',
+  handler: (content, params) => params[0]?.toUpperCase() || content.toUpperCase()
+}
+const wrap: CustomDirective = {
+  name: 'wrap',
+  hasEndTag: true,
+  handler: (content, params) => `<div class="${params[0] || 'wrapper'}">${content}</div>`
+}
+Bun.build({
+  entrypoints: ['./src/index.stx'],
+  plugins: [stxPlugin({
+    customDirectives: [uppercase, wrap]
+  })]
+})
+```
+```html
+<!-- Usage -->
+<p>@uppercase('hello world')</p>
+@wrap('container')
+  <p>Wrapped content</p>
+@endwrap
+```
+## Icons
+200K+ icons via Iconify:
+```html
+<HomeIcon size="24" />
+<SearchIcon size="20" color="#333" />
+```
+```bash
+bun stx iconify list
+bun stx iconify generate material-symbols
+```
+## Complete Example
+```html
+<!-- components/TodoApp.stx -->
+<script server>
+const title = props.title || 'My Todos'
+</script>
+<template>
+  <div class="todo-app" x-data="{ todos: [], newTodo: '' }">
+    <h1>{{ title }}</h1>
+    <form @submit.prevent="todos.push({ text: newTodo, done: false }); newTodo = ''">
+      <input x-model="newTodo" placeholder="Add todo..." />
+      <button type="submit">Add</button>
+    </form>
+    @if (initialTodos)
+      <ul>
+        @foreach (initialTodos as todo)
+          <li>{{ todo.text }}</li>
+        @endforeach
+      </ul>
+    @endif
+  </div>
+</template>
+<style>
+.todo-app {
+  max-width: 400px;
+  margin: 0 auto;
+}
+</style>
+```
+## Documentation
+- [Full Documentation](https://stx.sh)
+- [Syntax Highlighting Guide](./docs/STX_SYNTAX_HIGHLIGHTING.md)
+- [Examples](./examples/)
+## Testing
+```bash
+bun test
+```
+## License
+MIT
+<!-- Badges -->
+[npm-version-src]: https://img.shields.io/npm/v/@stacksjs/stx?style=flat-square
+[npm-version-href]: https://npmjs.com/package/@stacksjs/stx
+[npm-downloads-src]: https://img.shields.io/npm/dm/@stacksjs/stx?style=flat-square
+[npm-downloads-href]: https://npmjs.com/package/@stacksjs/stx
+[github-actions-src]: https://img.shields.io/github/actions/workflow/status/stacksjs/stx/ci.yml?style=flat-square&branch=main
+[github-actions-href]: https://github.com/stacksjs/stx/actions?query=workflow%3Aci

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+import { sanitize } from './sanitizer';
+export * from './presets';
+export { basic, getPreset, markdown, relaxed, strict } from './presets';
+export * from './sanitizer';
+export { escape, isSafe, sanitize, sanitizeWithInfo, stripTags } from './sanitizer';
+export * from './types';
+export default sanitize;

package/dist/index.js ADDED Viewed

@@ -0,0 +1,468 @@
+// @bun
+// src/presets.ts
+var strict = {
+  allowedTags: [
+    "p",
+    "br",
+    "strong",
+    "em",
+    "u",
+    "span",
+    "h1",
+    "h2",
+    "h3",
+    "h4",
+    "h5",
+    "h6",
+    "ul",
+    "ol",
+    "li",
+    "code",
+    "pre"
+  ],
+  allowedAttributes: {
+    "*": ["class", "id"]
+  },
+  allowedSchemes: ["http", "https", "mailto"],
+  allowDataAttributes: false,
+  allowAriaAttributes: true,
+  stripTags: true,
+  allowComments: false
+};
+var basic = {
+  allowedTags: [
+    "p",
+    "br",
+    "strong",
+    "em",
+    "u",
+    "span",
+    "div",
+    "h1",
+    "h2",
+    "h3",
+    "h4",
+    "h5",
+    "h6",
+    "ul",
+    "ol",
+    "li",
+    "a",
+    "img",
+    "code",
+    "pre",
+    "blockquote",
+    "table",
+    "thead",
+    "tbody",
+    "tr",
+    "th",
+    "td"
+  ],
+  allowedAttributes: {
+    "*": ["class", "id"],
+    a: ["class", "id", "href", "title", "target", "rel"],
+    img: ["class", "id", "src", "alt", "title", "width", "height"],
+    td: ["class", "id", "colspan", "rowspan", "align"],
+    th: ["class", "id", "colspan", "rowspan", "align", "scope"]
+  },
+  allowedSchemes: ["http", "https", "mailto", "tel"],
+  allowDataAttributes: false,
+  allowAriaAttributes: true,
+  stripTags: true,
+  allowComments: false
+};
+var relaxed = {
+  allowedTags: [
+    "p",
+    "br",
+    "strong",
+    "em",
+    "u",
+    "span",
+    "div",
+    "section",
+    "article",
+    "aside",
+    "h1",
+    "h2",
+    "h3",
+    "h4",
+    "h5",
+    "h6",
+    "ul",
+    "ol",
+    "li",
+    "dl",
+    "dt",
+    "dd",
+    "a",
+    "img",
+    "figure",
+    "figcaption",
+    "code",
+    "pre",
+    "kbd",
+    "samp",
+    "var",
+    "blockquote",
+    "q",
+    "cite",
+    "table",
+    "thead",
+    "tbody",
+    "tfoot",
+    "tr",
+    "th",
+    "td",
+    "caption",
+    "del",
+    "ins",
+    "sub",
+    "sup",
+    "abbr",
+    "address",
+    "time",
+    "hr",
+    "video",
+    "audio",
+    "source",
+    "track"
+  ],
+  allowedAttributes: {
+    "*": ["class", "id", "title"],
+    a: ["class", "id", "href", "title", "target", "rel"],
+    img: ["class", "id", "src", "srcset", "alt", "title", "width", "height", "loading"],
+    video: ["class", "id", "src", "width", "height", "controls", "preload", "poster"],
+    audio: ["class", "id", "src", "controls", "preload"],
+    source: ["src", "type"],
+    track: ["src", "kind", "srclang", "label"],
+    td: ["class", "id", "colspan", "rowspan", "align"],
+    th: ["class", "id", "colspan", "rowspan", "align", "scope"],
+    time: ["class", "id", "datetime"],
+    abbr: ["class", "id", "title"]
+  },
+  allowedSchemes: ["http", "https", "mailto", "tel", "data"],
+  allowDataAttributes: true,
+  allowAriaAttributes: true,
+  stripTags: true,
+  allowComments: false
+};
+var markdown = {
+  allowedTags: [
+    "p",
+    "br",
+    "strong",
+    "em",
+    "span",
+    "h1",
+    "h2",
+    "h3",
+    "h4",
+    "h5",
+    "h6",
+    "ul",
+    "ol",
+    "li",
+    "a",
+    "img",
+    "code",
+    "pre",
+    "blockquote",
+    "table",
+    "thead",
+    "tbody",
+    "tr",
+    "th",
+    "td",
+    "del",
+    "ins",
+    "hr",
+    "input"
+  ],
+  allowedAttributes: {
+    "*": ["class", "id"],
+    a: ["class", "id", "href", "title"],
+    img: ["class", "id", "src", "alt", "title"],
+    code: ["class"],
+    td: ["align"],
+    th: ["align", "scope"],
+    input: ["type", "checked", "disabled"]
+  },
+  allowedSchemes: ["http", "https", "mailto"],
+  allowDataAttributes: false,
+  allowAriaAttributes: false,
+  stripTags: true,
+  allowComments: false
+};
+function getPreset(name) {
+  switch (name) {
+    case "strict":
+      return strict;
+    case "basic":
+      return basic;
+    case "relaxed":
+      return relaxed;
+    case "markdown":
+      return markdown;
+    default:
+      return basic;
+  }
+}
+// src/sanitizer.ts
+var DEFAULT_OPTIONS = {
+  allowedTags: [],
+  allowedAttributes: {},
+  allowedSchemes: ["http", "https", "mailto"],
+  allowDataAttributes: false,
+  allowAriaAttributes: true,
+  stripTags: true,
+  allowComments: false
+};
+var DANGEROUS_TAGS = [
+  "script",
+  "iframe",
+  "object",
+  "embed",
+  "applet",
+  "base",
+  "link",
+  "meta",
+  "style"
+];
+var URL_ATTRIBUTES = [
+  "href",
+  "src",
+  "action",
+  "formaction",
+  "data",
+  "poster",
+  "cite",
+  "background",
+  "longdesc"
+];
+var EVENT_ATTRIBUTES_REGEX = /^on\w+/i;
+function sanitize(html, options) {
+  const result = sanitizeWithInfo(html, options);
+  return result.html;
+}
+function sanitizeWithInfo(html, options) {
+  const opts = typeof options === "string" ? getPreset(options) : { ...DEFAULT_OPTIONS, ...options };
+  const removedTags = [];
+  const removedAttributes = [];
+  let result = html;
+  let modified = false;
+  if (!opts.allowComments) {
+    const commentRegex = /<!--[\s\S]*?-->/g;
+    if (commentRegex.test(result)) {
+      result = result.replace(commentRegex, "");
+      modified = true;
+    }
+  }
+  const tagRegex = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
+  result = result.replace(tagRegex, (match, closing, tagName, attributesStr) => {
+    const lowerTag = tagName.toLowerCase();
+    if (DANGEROUS_TAGS.includes(lowerTag)) {
+      if (!removedTags.includes(lowerTag)) {
+        removedTags.push(lowerTag);
+      }
+      modified = true;
+      return opts.stripTags ? "" : escapeHtml(match);
+    }
+    const allowedTags = opts.allowedTags || [];
+    if (allowedTags.length > 0 && !allowedTags.includes(lowerTag)) {
+      if (!removedTags.includes(lowerTag)) {
+        removedTags.push(lowerTag);
+      }
+      modified = true;
+      return opts.stripTags ? "" : escapeHtml(match);
+    }
+    if (closing) {
+      return match;
+    }
+    const sanitizedAttrs = sanitizeAttributes(attributesStr, lowerTag, opts, removedAttributes);
+    if (sanitizedAttrs !== attributesStr) {
+      modified = true;
+    }
+    if (opts.transformTag) {
+      const attributes = parseAttributes(sanitizedAttrs);
+      const transformed = opts.transformTag(lowerTag, attributes);
+      if (transformed === null) {
+        if (!removedTags.includes(lowerTag)) {
+          removedTags.push(lowerTag);
+        }
+        modified = true;
+        return "";
+      }
+      if (transformed.tagName !== lowerTag || JSON.stringify(transformed.attributes) !== JSON.stringify(attributes)) {
+        modified = true;
+        return buildTag(transformed.tagName, transformed.attributes);
+      }
+    }
+    return `<${tagName}${sanitizedAttrs}>`;
+  });
+  return {
+    html: result,
+    modified,
+    removedTags: removedTags.length > 0 ? removedTags : undefined,
+    removedAttributes: removedAttributes.length > 0 ? removedAttributes : undefined
+  };
+}
+function sanitizeAttributes(attributesStr, tagName, options, removedAttributes) {
+  if (!attributesStr.trim()) {
+    return attributesStr;
+  }
+  const attributes = parseAttributes(attributesStr);
+  const sanitized = {};
+  for (const [name, value] of Object.entries(attributes)) {
+    const lowerName = name.toLowerCase();
+    if (EVENT_ATTRIBUTES_REGEX.test(lowerName)) {
+      if (!removedAttributes.includes(lowerName)) {
+        removedAttributes.push(lowerName);
+      }
+      continue;
+    }
+    if (!isAttributeAllowed(lowerName, tagName, options)) {
+      if (!removedAttributes.includes(lowerName)) {
+        removedAttributes.push(lowerName);
+      }
+      continue;
+    }
+    if (URL_ATTRIBUTES.includes(lowerName)) {
+      if (!isUrlSafe(value, options)) {
+        if (!removedAttributes.includes(lowerName)) {
+          removedAttributes.push(lowerName);
+        }
+        continue;
+      }
+    }
+    if (lowerName === "style" && options.allowedStyles) {
+      sanitized[name] = sanitizeStyle(value, options.allowedStyles);
+    } else {
+      sanitized[name] = value;
+    }
+  }
+  return buildAttributes(sanitized);
+}
+function isAttributeAllowed(attrName, tagName, options) {
+  const allowedAttrs = options.allowedAttributes;
+  if (!allowedAttrs) {
+    return false;
+  }
+  if (attrName.startsWith("data-")) {
+    return options.allowDataAttributes || false;
+  }
+  if (attrName.startsWith("aria-")) {
+    return options.allowAriaAttributes || false;
+  }
+  if (Array.isArray(allowedAttrs)) {
+    return allowedAttrs.includes(attrName);
+  }
+  if (allowedAttrs[tagName]?.includes(attrName)) {
+    return true;
+  }
+  if (allowedAttrs["*"]?.includes(attrName)) {
+    return true;
+  }
+  return false;
+}
+function isUrlSafe(url, options) {
+  if (options.urlValidator) {
+    return options.urlValidator(url);
+  }
+  const trimmed = url.trim().toLowerCase();
+  const cleaned = trimmed.replace(/[\s\x00-\x1F]/g, "");
+  const dangerousProtocols = ["javascript:", "data:text/html", "vbscript:", "file:"];
+  for (const protocol of dangerousProtocols) {
+    if (cleaned.startsWith(protocol)) {
+      return false;
+    }
+  }
+  if (options.allowedSchemes && options.allowedSchemes.length > 0) {
+    if (!cleaned.includes(":")) {
+      return true;
+    }
+    const hasAllowedScheme = options.allowedSchemes.some((scheme) => {
+      return cleaned.startsWith(`${scheme}:`);
+    });
+    if (!hasAllowedScheme) {
+      return false;
+    }
+  }
+  return true;
+}
+function sanitizeStyle(style, allowedStyles) {
+  const properties = style.split(";").filter((p) => p.trim());
+  const sanitized = [];
+  for (const prop of properties) {
+    const colonIndex = prop.indexOf(":");
+    if (colonIndex === -1)
+      continue;
+    const name = prop.substring(0, colonIndex).trim().toLowerCase();
+    const value = prop.substring(colonIndex + 1).trim();
+    if (allowedStyles.includes(name)) {
+      if (!value.toLowerCase().includes("javascript:") && !value.toLowerCase().includes("expression(")) {
+        sanitized.push(`${name}: ${value}`);
+      }
+    }
+  }
+  return sanitized.join("; ");
+}
+function parseAttributes(attributesStr) {
+  const attributes = {};
+  const attrRegex = /([\w-]+)(?:=(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
+  let match;
+  while (match = attrRegex.exec(attributesStr)) {
+    const name = match[1];
+    const value = match[2] || match[3] || match[4] || "";
+    attributes[name] = value;
+  }
+  return attributes;
+}
+function buildAttributes(attributes) {
+  const parts = [];
+  for (const [name, value] of Object.entries(attributes)) {
+    if (value === "") {
+      parts.push(name);
+    } else {
+      const escaped = value.replace(/"/g, "&quot;");
+      parts.push(`${name}="${escaped}"`);
+    }
+  }
+  return parts.length > 0 ? ` ${parts.join(" ")}` : "";
+}
+function buildTag(tagName, attributes) {
+  return `<${tagName}${buildAttributes(attributes)}>`;
+}
+function escapeHtml(text) {
+  return text.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+function isSafe(html, options) {
+  const result = sanitizeWithInfo(html, options);
+  return !result.modified;
+}
+function stripTags(html) {
+  return html.replace(/<[^>]*>/g, "");
+}
+function escape(text) {
+  return escapeHtml(text);
+}
+// src/index.ts
+var src_default = sanitize;
+export {
+  stripTags,
+  strict,
+  sanitizeWithInfo,
+  sanitize,
+  relaxed,
+  markdown,
+  isSafe,
+  getPreset,
+  escape,
+  src_default as default,
+  basic
+};
+//# debugId=11C850CF49E4930C64756E2164756E21

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1,12 @@
+{
+  "version": 3,
+  "sources": ["../src/presets.ts", "../src/sanitizer.ts", "../src/index.ts"],
+  "sourcesContent": [
+    "import type { SanitizerOptions } from './types'\n\n/**\n * Strict preset - Only safe, basic formatting\n */\nexport const strict: SanitizerOptions = {\n  allowedTags: [\n    'p',\n    'br',\n    'strong',\n    'em',\n    'u',\n    'span',\n    'h1',\n    'h2',\n    'h3',\n    'h4',\n    'h5',\n    'h6',\n    'ul',\n    'ol',\n    'li',\n    'code',\n    'pre',\n  ],\n  allowedAttributes: {\n    '*': ['class', 'id'],\n  },\n  allowedSchemes: ['http', 'https', 'mailto'],\n  allowDataAttributes: false,\n  allowAriaAttributes: true,\n  stripTags: true,\n  allowComments: false,\n}\n\n/**\n * Basic preset - Common safe HTML elements\n */\nexport const basic: SanitizerOptions = {\n  allowedTags: [\n    'p',\n    'br',\n    'strong',\n    'em',\n    'u',\n    'span',\n    'div',\n    'h1',\n    'h2',\n    'h3',\n    'h4',\n    'h5',\n    'h6',\n    'ul',\n    'ol',\n    'li',\n    'a',\n    'img',\n    'code',\n    'pre',\n    'blockquote',\n    'table',\n    'thead',\n    'tbody',\n    'tr',\n    'th',\n    'td',\n  ],\n  allowedAttributes: {\n    '*': ['class', 'id'],\n    'a': ['class', 'id', 'href', 'title', 'target', 'rel'],\n    'img': ['class', 'id', 'src', 'alt', 'title', 'width', 'height'],\n    'td': ['class', 'id', 'colspan', 'rowspan', 'align'],\n    'th': ['class', 'id', 'colspan', 'rowspan', 'align', 'scope'],\n  },\n  allowedSchemes: ['http', 'https', 'mailto', 'tel'],\n  allowDataAttributes: false,\n  allowAriaAttributes: true,\n  stripTags: true,\n  allowComments: false,\n}\n\n/**\n * Relaxed preset - More permissive, includes media and interactive elements\n */\nexport const relaxed: SanitizerOptions = {\n  allowedTags: [\n    'p',\n    'br',\n    'strong',\n    'em',\n    'u',\n    'span',\n    'div',\n    'section',\n    'article',\n    'aside',\n    'h1',\n    'h2',\n    'h3',\n    'h4',\n    'h5',\n    'h6',\n    'ul',\n    'ol',\n    'li',\n    'dl',\n    'dt',\n    'dd',\n    'a',\n    'img',\n    'figure',\n    'figcaption',\n    'code',\n    'pre',\n    'kbd',\n    'samp',\n    'var',\n    'blockquote',\n    'q',\n    'cite',\n    'table',\n    'thead',\n    'tbody',\n    'tfoot',\n    'tr',\n    'th',\n    'td',\n    'caption',\n    'del',\n    'ins',\n    'sub',\n    'sup',\n    'abbr',\n    'address',\n    'time',\n    'hr',\n    'video',\n    'audio',\n    'source',\n    'track',\n  ],\n  allowedAttributes: {\n    '*': ['class', 'id', 'title'],\n    'a': ['class', 'id', 'href', 'title', 'target', 'rel'],\n    'img': ['class', 'id', 'src', 'srcset', 'alt', 'title', 'width', 'height', 'loading'],\n    'video': ['class', 'id', 'src', 'width', 'height', 'controls', 'preload', 'poster'],\n    'audio': ['class', 'id', 'src', 'controls', 'preload'],\n    'source': ['src', 'type'],\n    'track': ['src', 'kind', 'srclang', 'label'],\n    'td': ['class', 'id', 'colspan', 'rowspan', 'align'],\n    'th': ['class', 'id', 'colspan', 'rowspan', 'align', 'scope'],\n    'time': ['class', 'id', 'datetime'],\n    'abbr': ['class', 'id', 'title'],\n  },\n  allowedSchemes: ['http', 'https', 'mailto', 'tel', 'data'],\n  allowDataAttributes: true,\n  allowAriaAttributes: true,\n  stripTags: true,\n  allowComments: false,\n}\n\n/**\n * Markdown preset - Optimized for markdown-generated HTML\n */\nexport const markdown: SanitizerOptions = {\n  allowedTags: [\n    'p',\n    'br',\n    'strong',\n    'em',\n    'span',\n    'h1',\n    'h2',\n    'h3',\n    'h4',\n    'h5',\n    'h6',\n    'ul',\n    'ol',\n    'li',\n    'a',\n    'img',\n    'code',\n    'pre',\n    'blockquote',\n    'table',\n    'thead',\n    'tbody',\n    'tr',\n    'th',\n    'td',\n    'del',\n    'ins',\n    'hr',\n    'input', // For task lists\n  ],\n  allowedAttributes: {\n    '*': ['class', 'id'],\n    'a': ['class', 'id', 'href', 'title'],\n    'img': ['class', 'id', 'src', 'alt', 'title'],\n    'code': ['class'], // For syntax highlighting\n    'td': ['align'],\n    'th': ['align', 'scope'],\n    'input': ['type', 'checked', 'disabled'], // For task lists\n  },\n  allowedSchemes: ['http', 'https', 'mailto'],\n  allowDataAttributes: false,\n  allowAriaAttributes: false,\n  stripTags: true,\n  allowComments: false,\n}\n\n/**\n * Get preset by name\n */\nexport function getPreset(name: string): SanitizerOptions {\n  switch (name) {\n    case 'strict':\n      return strict\n    case 'basic':\n      return basic\n    case 'relaxed':\n      return relaxed\n    case 'markdown':\n      return markdown\n    default:\n      return basic\n  }\n}\n",
+    "import type { SanitizeResult, SanitizerOptions, SanitizerPreset } from './types'\nimport { getPreset } from './presets'\n\n/**\n * Fast, native HTML sanitizer optimized for Bun\n * Provides DOMPurify-like features with performance focus\n */\n\nconst DEFAULT_OPTIONS: SanitizerOptions = {\n  allowedTags: [],\n  allowedAttributes: {},\n  allowedSchemes: ['http', 'https', 'mailto'],\n  allowDataAttributes: false,\n  allowAriaAttributes: true,\n  stripTags: true,\n  allowComments: false,\n}\n\n// Dangerous tags that should never be allowed\nconst DANGEROUS_TAGS = [\n  'script',\n  'iframe',\n  'object',\n  'embed',\n  'applet',\n  'base',\n  'link',\n  'meta',\n  'style',\n]\n\n// URL attributes that need validation\nconst URL_ATTRIBUTES = [\n  'href',\n  'src',\n  'action',\n  'formaction',\n  'data',\n  'poster',\n  'cite',\n  'background',\n  'longdesc',\n]\n\n// Event handler attributes (always removed)\nconst EVENT_ATTRIBUTES_REGEX = /^on\\w+/i\n\n/**\n * Sanitize HTML content\n */\nexport function sanitize(\n  html: string,\n  options?: SanitizerOptions | SanitizerPreset,\n): string {\n  const result = sanitizeWithInfo(html, options)\n  return result.html\n}\n\n/**\n * Sanitize HTML content with detailed information\n */\nexport function sanitizeWithInfo(\n  html: string,\n  options?: SanitizerOptions | SanitizerPreset,\n): SanitizeResult {\n  // Load preset if string provided\n  const opts: SanitizerOptions = typeof options === 'string'\n    ? getPreset(options)\n    : { ...DEFAULT_OPTIONS, ...options }\n\n  const removedTags: string[] = []\n  const removedAttributes: string[] = []\n\n  // Use a simple regex-based parser for performance\n  let result = html\n  let modified = false\n\n  // Remove comments if not allowed\n  if (!opts.allowComments) {\n    const commentRegex = /<!--[\\s\\S]*?-->/g\n    if (commentRegex.test(result)) {\n      result = result.replace(commentRegex, '')\n      modified = true\n    }\n  }\n\n  // Parse and sanitize tags\n  // eslint-disable-next-line regexp/use-ignore-case\n  const tagRegex = /<(\\/?)([a-zA-Z][\\w-]*)([^>]*)>/g\n  result = result.replace(tagRegex, (match, closing, tagName, attributesStr) => {\n    const lowerTag = tagName.toLowerCase()\n\n    // Always remove dangerous tags\n    if (DANGEROUS_TAGS.includes(lowerTag)) {\n      if (!removedTags.includes(lowerTag)) {\n        removedTags.push(lowerTag)\n      }\n      modified = true\n      return opts.stripTags ? '' : escapeHtml(match)\n    }\n\n    // Check if tag is allowed\n    const allowedTags = opts.allowedTags || []\n    if (allowedTags.length > 0 && !allowedTags.includes(lowerTag)) {\n      if (!removedTags.includes(lowerTag)) {\n        removedTags.push(lowerTag)\n      }\n      modified = true\n      return opts.stripTags ? '' : escapeHtml(match)\n    }\n\n    // For closing tags, just return as-is (already validated by opening tag)\n    if (closing) {\n      return match\n    }\n\n    // Sanitize attributes\n    const sanitizedAttrs = sanitizeAttributes(\n      attributesStr,\n      lowerTag,\n      opts,\n      removedAttributes,\n    )\n\n    if (sanitizedAttrs !== attributesStr) {\n      modified = true\n    }\n\n    // Transform tag if transformer provided\n    if (opts.transformTag) {\n      const attributes = parseAttributes(sanitizedAttrs)\n      const transformed = opts.transformTag(lowerTag, attributes)\n\n      if (transformed === null) {\n        if (!removedTags.includes(lowerTag)) {\n          removedTags.push(lowerTag)\n        }\n        modified = true\n        return ''\n      }\n\n      if (transformed.tagName !== lowerTag || JSON.stringify(transformed.attributes) !== JSON.stringify(attributes)) {\n        modified = true\n        return buildTag(transformed.tagName, transformed.attributes)\n      }\n    }\n\n    return `<${tagName}${sanitizedAttrs}>`\n  })\n\n  return {\n    html: result,\n    modified,\n    removedTags: removedTags.length > 0 ? removedTags : undefined,\n    removedAttributes: removedAttributes.length > 0 ? removedAttributes : undefined,\n  }\n}\n\n/**\n * Sanitize attributes\n */\nfunction sanitizeAttributes(\n  attributesStr: string,\n  tagName: string,\n  options: SanitizerOptions,\n  removedAttributes: string[],\n): string {\n  if (!attributesStr.trim()) {\n    return attributesStr\n  }\n\n  const attributes = parseAttributes(attributesStr)\n  const sanitized: Record<string, string> = {}\n\n  for (const [name, value] of Object.entries(attributes)) {\n    const lowerName = name.toLowerCase()\n\n    // Remove event handlers\n    if (EVENT_ATTRIBUTES_REGEX.test(lowerName)) {\n      if (!removedAttributes.includes(lowerName)) {\n        removedAttributes.push(lowerName)\n      }\n      continue\n    }\n\n    // Check if attribute is allowed\n    if (!isAttributeAllowed(lowerName, tagName, options)) {\n      if (!removedAttributes.includes(lowerName)) {\n        removedAttributes.push(lowerName)\n      }\n      continue\n    }\n\n    // Validate URL attributes\n    if (URL_ATTRIBUTES.includes(lowerName)) {\n      if (!isUrlSafe(value, options)) {\n        if (!removedAttributes.includes(lowerName)) {\n          removedAttributes.push(lowerName)\n        }\n        continue\n      }\n    }\n\n    // Sanitize style attribute\n    if (lowerName === 'style' && options.allowedStyles) {\n      sanitized[name] = sanitizeStyle(value, options.allowedStyles)\n    }\n    else {\n      sanitized[name] = value\n    }\n  }\n\n  return buildAttributes(sanitized)\n}\n\n/**\n * Check if attribute is allowed\n */\nfunction isAttributeAllowed(\n  attrName: string,\n  tagName: string,\n  options: SanitizerOptions,\n): boolean {\n  const allowedAttrs = options.allowedAttributes\n\n  if (!allowedAttrs) {\n    return false\n  }\n\n  // Check data attributes\n  if (attrName.startsWith('data-')) {\n    return options.allowDataAttributes || false\n  }\n\n  // Check aria attributes\n  if (attrName.startsWith('aria-')) {\n    return options.allowAriaAttributes || false\n  }\n\n  // Array format (global allowed attributes)\n  if (Array.isArray(allowedAttrs)) {\n    return allowedAttrs.includes(attrName)\n  }\n\n  // Object format (per-tag or global)\n  if (allowedAttrs[tagName]?.includes(attrName)) {\n    return true\n  }\n\n  // Check global attributes (*)\n  if (allowedAttrs['*']?.includes(attrName)) {\n    return true\n  }\n\n  return false\n}\n\n/**\n * Validate URL safety\n */\nfunction isUrlSafe(url: string, options: SanitizerOptions): boolean {\n  // Use custom validator if provided\n  if (options.urlValidator) {\n    return options.urlValidator(url)\n  }\n\n  // Check for javascript: protocol and other dangerous schemes\n  const trimmed = url.trim().toLowerCase()\n\n  // Remove common whitespace/encoding tricks\n  // eslint-disable-next-line no-control-regex\n  const cleaned = trimmed.replace(/[\\s\\x00-\\x1F]/g, '')\n\n  // Dangerous protocols\n  const dangerousProtocols = ['javascript:', 'data:text/html', 'vbscript:', 'file:']\n  for (const protocol of dangerousProtocols) {\n    if (cleaned.startsWith(protocol)) {\n      return false\n    }\n  }\n\n  // Check allowed schemes\n  if (options.allowedSchemes && options.allowedSchemes.length > 0) {\n    // Relative URLs are allowed\n    if (!cleaned.includes(':')) {\n      return true\n    }\n\n    const hasAllowedScheme = options.allowedSchemes.some((scheme) => {\n      return cleaned.startsWith(`${scheme}:`)\n    })\n\n    if (!hasAllowedScheme) {\n      return false\n    }\n  }\n\n  return true\n}\n\n/**\n * Sanitize inline styles\n */\nfunction sanitizeStyle(style: string, allowedStyles: string[]): string {\n  const properties = style.split(';').filter(p => p.trim())\n  const sanitized: string[] = []\n\n  for (const prop of properties) {\n    const colonIndex = prop.indexOf(':')\n    if (colonIndex === -1)\n      continue\n\n    const name = prop.substring(0, colonIndex).trim().toLowerCase()\n    const value = prop.substring(colonIndex + 1).trim()\n\n    // Check if property is allowed\n    if (allowedStyles.includes(name)) {\n      // Additional validation for dangerous values\n      if (!value.toLowerCase().includes('javascript:') && !value.toLowerCase().includes('expression(')) {\n        sanitized.push(`${name}: ${value}`)\n      }\n    }\n  }\n\n  return sanitized.join('; ')\n}\n\n/**\n * Parse HTML attributes from string\n */\nfunction parseAttributes(attributesStr: string): Record<string, string> {\n  const attributes: Record<string, string> = {}\n  const attrRegex = /([\\w-]+)(?:=(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+)))?/g\n\n  let match\n  // biome-ignore lint/suspicious/noAssignInExpressions: needed for regex matching\n  // eslint-disable-next-line no-cond-assign\n  while ((match = attrRegex.exec(attributesStr))) {\n    const name = match[1]\n    const value = match[2] || match[3] || match[4] || ''\n    attributes[name] = value\n  }\n\n  return attributes\n}\n\n/**\n * Build attributes string from object\n */\nfunction buildAttributes(attributes: Record<string, string>): string {\n  const parts: string[] = []\n\n  for (const [name, value] of Object.entries(attributes)) {\n    if (value === '') {\n      parts.push(name)\n    }\n    else {\n      // Escape quotes in value\n      const escaped = value.replace(/\"/g, '&quot;')\n      parts.push(`${name}=\"${escaped}\"`)\n    }\n  }\n\n  return parts.length > 0 ? ` ${parts.join(' ')}` : ''\n}\n\n/**\n * Build tag string from name and attributes\n */\nfunction buildTag(tagName: string, attributes: Record<string, string>): string {\n  return `<${tagName}${buildAttributes(attributes)}>`\n}\n\n/**\n * Escape HTML special characters\n */\nfunction escapeHtml(text: string): string {\n  return text\n    .replace(/&/g, '&amp;')\n    .replace(/</g, '&lt;')\n    .replace(/>/g, '&gt;')\n    .replace(/\"/g, '&quot;')\n    .replace(/'/g, '&#39;')\n}\n\n/**\n * Check if HTML content is safe (quick check)\n */\nexport function isSafe(html: string, options?: SanitizerOptions | SanitizerPreset): boolean {\n  const result = sanitizeWithInfo(html, options)\n  return !result.modified\n}\n\n/**\n * Strip all HTML tags\n */\nexport function stripTags(html: string): string {\n  return html.replace(/<[^>]*>/g, '')\n}\n\n/**\n * Escape HTML for safe display\n */\nexport function escape(text: string): string {\n  return escapeHtml(text)\n}\n",
+    "/**\n * @stacksjs/sanitizer\n *\n * A fast, native Bun-powered HTML sanitizer with DOMPurify-like features.\n * Protection against XSS and malicious content.\n */\n\n// Default export\nimport { sanitize } from './sanitizer'\n\nexport * from './presets'\nexport { basic, getPreset, markdown, relaxed, strict } from './presets'\nexport * from './sanitizer'\n\n// Re-export for convenience\nexport { escape, isSafe, sanitize, sanitizeWithInfo, stripTags } from './sanitizer'\nexport * from './types'\n\nexport default sanitize\n"
+  ],
+  "mappings": ";;AAKO,IAAM,SAA2B;AAAA,EACtC,aAAa;AAAA,IACX;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,mBAAmB;AAAA,IACjB,KAAK,CAAC,SAAS,IAAI;AAAA,EACrB;AAAA,EACA,gBAAgB,CAAC,QAAQ,SAAS,QAAQ;AAAA,EAC1C,qBAAqB;AAAA,EACrB,qBAAqB;AAAA,EACrB,WAAW;AAAA,EACX,eAAe;AACjB;AAKO,IAAM,QAA0B;AAAA,EACrC,aAAa;AAAA,IACX;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,mBAAmB;AAAA,IACjB,KAAK,CAAC,SAAS,IAAI;AAAA,IACnB,GAAK,CAAC,SAAS,MAAM,QAAQ,SAAS,UAAU,KAAK;AAAA,IACrD,KAAO,CAAC,SAAS,MAAM,OAAO,OAAO,SAAS,SAAS,QAAQ;AAAA,IAC/D,IAAM,CAAC,SAAS,MAAM,WAAW,WAAW,OAAO;AAAA,IACnD,IAAM,CAAC,SAAS,MAAM,WAAW,WAAW,SAAS,OAAO;AAAA,EAC9D;AAAA,EACA,gBAAgB,CAAC,QAAQ,SAAS,UAAU,KAAK;AAAA,EACjD,qBAAqB;AAAA,EACrB,qBAAqB;AAAA,EACrB,WAAW;AAAA,EACX,eAAe;AACjB;AAKO,IAAM,UAA4B;AAAA,EACvC,aAAa;AAAA,IACX;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,mBAAmB;AAAA,IACjB,KAAK,CAAC,SAAS,MAAM,OAAO;AAAA,IAC5B,GAAK,CAAC,SAAS,MAAM,QAAQ,SAAS,UAAU,KAAK;AAAA,IACrD,KAAO,CAAC,SAAS,MAAM,OAAO,UAAU,OAAO,SAAS,SAAS,UAAU,SAAS;AAAA,IACpF,OAAS,CAAC,SAAS,MAAM,OAAO,SAAS,UAAU,YAAY,WAAW,QAAQ;AAAA,IAClF,OAAS,CAAC,SAAS,MAAM,OAAO,YAAY,SAAS;AAAA,IACrD,QAAU,CAAC,OAAO,MAAM;AAAA,IACxB,OAAS,CAAC,OAAO,QAAQ,WAAW,OAAO;AAAA,IAC3C,IAAM,CAAC,SAAS,MAAM,WAAW,WAAW,OAAO;AAAA,IACnD,IAAM,CAAC,SAAS,MAAM,WAAW,WAAW,SAAS,OAAO;AAAA,IAC5D,MAAQ,CAAC,SAAS,MAAM,UAAU;AAAA,IAClC,MAAQ,CAAC,SAAS,MAAM,OAAO;AAAA,EACjC;AAAA,EACA,gBAAgB,CAAC,QAAQ,SAAS,UAAU,OAAO,MAAM;AAAA,EACzD,qBAAqB;AAAA,EACrB,qBAAqB;AAAA,EACrB,WAAW;AAAA,EACX,eAAe;AACjB;AAKO,IAAM,WAA6B;AAAA,EACxC,aAAa;AAAA,IACX;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AAAA,EACA,mBAAmB;AAAA,IACjB,KAAK,CAAC,SAAS,IAAI;AAAA,IACnB,GAAK,CAAC,SAAS,MAAM,QAAQ,OAAO;AAAA,IACpC,KAAO,CAAC,SAAS,MAAM,OAAO,OAAO,OAAO;AAAA,IAC5C,MAAQ,CAAC,OAAO;AAAA,IAChB,IAAM,CAAC,OAAO;AAAA,IACd,IAAM,CAAC,SAAS,OAAO;AAAA,IACvB,OAAS,CAAC,QAAQ,WAAW,UAAU;AAAA,EACzC;AAAA,EACA,gBAAgB,CAAC,QAAQ,SAAS,QAAQ;AAAA,EAC1C,qBAAqB;AAAA,EACrB,qBAAqB;AAAA,EACrB,WAAW;AAAA,EACX,eAAe;AACjB;AAKO,SAAS,SAAS,CAAC,MAAgC;AAAA,EACxD,QAAQ;AAAA,SACD;AAAA,MACH,OAAO;AAAA,SACJ;AAAA,MACH,OAAO;AAAA,SACJ;AAAA,MACH,OAAO;AAAA,SACJ;AAAA,MACH,OAAO;AAAA;AAAA,MAEP,OAAO;AAAA;AAAA;;;AC3Nb,IAAM,kBAAoC;AAAA,EACxC,aAAa,CAAC;AAAA,EACd,mBAAmB,CAAC;AAAA,EACpB,gBAAgB,CAAC,QAAQ,SAAS,QAAQ;AAAA,EAC1C,qBAAqB;AAAA,EACrB,qBAAqB;AAAA,EACrB,WAAW;AAAA,EACX,eAAe;AACjB;AAGA,IAAM,iBAAiB;AAAA,EACrB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAGA,IAAM,iBAAiB;AAAA,EACrB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AAGA,IAAM,yBAAyB;AAKxB,SAAS,QAAQ,CACtB,MACA,SACQ;AAAA,EACR,MAAM,SAAS,iBAAiB,MAAM,OAAO;AAAA,EAC7C,OAAO,OAAO;AAAA;AAMT,SAAS,gBAAgB,CAC9B,MACA,SACgB;AAAA,EAEhB,MAAM,OAAyB,OAAO,YAAY,WAC9C,UAAU,OAAO,IACjB,KAAK,oBAAoB,QAAQ;AAAA,EAErC,MAAM,cAAwB,CAAC;AAAA,EAC/B,MAAM,oBAA8B,CAAC;AAAA,EAGrC,IAAI,SAAS;AAAA,EACb,IAAI,WAAW;AAAA,EAGf,IAAI,CAAC,KAAK,eAAe;AAAA,IACvB,MAAM,eAAe;AAAA,IACrB,IAAI,aAAa,KAAK,MAAM,GAAG;AAAA,MAC7B,SAAS,OAAO,QAAQ,cAAc,EAAE;AAAA,MACxC,WAAW;AAAA,IACb;AAAA,EACF;AAAA,EAIA,MAAM,WAAW;AAAA,EACjB,SAAS,OAAO,QAAQ,UAAU,CAAC,OAAO,SAAS,SAAS,kBAAkB;AAAA,IAC5E,MAAM,WAAW,QAAQ,YAAY;AAAA,IAGrC,IAAI,eAAe,SAAS,QAAQ,GAAG;AAAA,MACrC,IAAI,CAAC,YAAY,SAAS,QAAQ,GAAG;AAAA,QACnC,YAAY,KAAK,QAAQ;AAAA,MAC3B;AAAA,MACA,WAAW;AAAA,MACX,OAAO,KAAK,YAAY,KAAK,WAAW,KAAK;AAAA,IAC/C;AAAA,IAGA,MAAM,cAAc,KAAK,eAAe,CAAC;AAAA,IACzC,IAAI,YAAY,SAAS,KAAK,CAAC,YAAY,SAAS,QAAQ,GAAG;AAAA,MAC7D,IAAI,CAAC,YAAY,SAAS,QAAQ,GAAG;AAAA,QACnC,YAAY,KAAK,QAAQ;AAAA,MAC3B;AAAA,MACA,WAAW;AAAA,MACX,OAAO,KAAK,YAAY,KAAK,WAAW,KAAK;AAAA,IAC/C;AAAA,IAGA,IAAI,SAAS;AAAA,MACX,OAAO;AAAA,IACT;AAAA,IAGA,MAAM,iBAAiB,mBACrB,eACA,UACA,MACA,iBACF;AAAA,IAEA,IAAI,mBAAmB,eAAe;AAAA,MACpC,WAAW;AAAA,IACb;AAAA,IAGA,IAAI,KAAK,cAAc;AAAA,MACrB,MAAM,aAAa,gBAAgB,cAAc;AAAA,MACjD,MAAM,cAAc,KAAK,aAAa,UAAU,UAAU;AAAA,MAE1D,IAAI,gBAAgB,MAAM;AAAA,QACxB,IAAI,CAAC,YAAY,SAAS,QAAQ,GAAG;AAAA,UACnC,YAAY,KAAK,QAAQ;AAAA,QAC3B;AAAA,QACA,WAAW;AAAA,QACX,OAAO;AAAA,MACT;AAAA,MAEA,IAAI,YAAY,YAAY,YAAY,KAAK,UAAU,YAAY,UAAU,MAAM,KAAK,UAAU,UAAU,GAAG;AAAA,QAC7G,WAAW;AAAA,QACX,OAAO,SAAS,YAAY,SAAS,YAAY,UAAU;AAAA,MAC7D;AAAA,IACF;AAAA,IAEA,OAAO,IAAI,UAAU;AAAA,GACtB;AAAA,EAED,OAAO;AAAA,IACL,MAAM;AAAA,IACN;AAAA,IACA,aAAa,YAAY,SAAS,IAAI,cAAc;AAAA,IACpD,mBAAmB,kBAAkB,SAAS,IAAI,oBAAoB;AAAA,EACxE;AAAA;AAMF,SAAS,kBAAkB,CACzB,eACA,SACA,SACA,mBACQ;AAAA,EACR,IAAI,CAAC,cAAc,KAAK,GAAG;AAAA,IACzB,OAAO;AAAA,EACT;AAAA,EAEA,MAAM,aAAa,gBAAgB,aAAa;AAAA,EAChD,MAAM,YAAoC,CAAC;AAAA,EAE3C,YAAY,MAAM,UAAU,OAAO,QAAQ,UAAU,GAAG;AAAA,IACtD,MAAM,YAAY,KAAK,YAAY;AAAA,IAGnC,IAAI,uBAAuB,KAAK,SAAS,GAAG;AAAA,MAC1C,IAAI,CAAC,kBAAkB,SAAS,SAAS,GAAG;AAAA,QAC1C,kBAAkB,KAAK,SAAS;AAAA,MAClC;AAAA,MACA;AAAA,IACF;AAAA,IAGA,IAAI,CAAC,mBAAmB,WAAW,SAAS,OAAO,GAAG;AAAA,MACpD,IAAI,CAAC,kBAAkB,SAAS,SAAS,GAAG;AAAA,QAC1C,kBAAkB,KAAK,SAAS;AAAA,MAClC;AAAA,MACA;AAAA,IACF;AAAA,IAGA,IAAI,eAAe,SAAS,SAAS,GAAG;AAAA,MACtC,IAAI,CAAC,UAAU,OAAO,OAAO,GAAG;AAAA,QAC9B,IAAI,CAAC,kBAAkB,SAAS,SAAS,GAAG;AAAA,UAC1C,kBAAkB,KAAK,SAAS;AAAA,QAClC;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,IAGA,IAAI,cAAc,WAAW,QAAQ,eAAe;AAAA,MAClD,UAAU,QAAQ,cAAc,OAAO,QAAQ,aAAa;AAAA,IAC9D,EACK;AAAA,MACH,UAAU,QAAQ;AAAA;AAAA,EAEtB;AAAA,EAEA,OAAO,gBAAgB,SAAS;AAAA;AAMlC,SAAS,kBAAkB,CACzB,UACA,SACA,SACS;AAAA,EACT,MAAM,eAAe,QAAQ;AAAA,EAE7B,IAAI,CAAC,cAAc;AAAA,IACjB,OAAO;AAAA,EACT;AAAA,EAGA,IAAI,SAAS,WAAW,OAAO,GAAG;AAAA,IAChC,OAAO,QAAQ,uBAAuB;AAAA,EACxC;AAAA,EAGA,IAAI,SAAS,WAAW,OAAO,GAAG;AAAA,IAChC,OAAO,QAAQ,uBAAuB;AAAA,EACxC;AAAA,EAGA,IAAI,MAAM,QAAQ,YAAY,GAAG;AAAA,IAC/B,OAAO,aAAa,SAAS,QAAQ;AAAA,EACvC;AAAA,EAGA,IAAI,aAAa,UAAU,SAAS,QAAQ,GAAG;AAAA,IAC7C,OAAO;AAAA,EACT;AAAA,EAGA,IAAI,aAAa,MAAM,SAAS,QAAQ,GAAG;AAAA,IACzC,OAAO;AAAA,EACT;AAAA,EAEA,OAAO;AAAA;AAMT,SAAS,SAAS,CAAC,KAAa,SAAoC;AAAA,EAElE,IAAI,QAAQ,cAAc;AAAA,IACxB,OAAO,QAAQ,aAAa,GAAG;AAAA,EACjC;AAAA,EAGA,MAAM,UAAU,IAAI,KAAK,EAAE,YAAY;AAAA,EAIvC,MAAM,UAAU,QAAQ,QAAQ,kBAAkB,EAAE;AAAA,EAGpD,MAAM,qBAAqB,CAAC,eAAe,kBAAkB,aAAa,OAAO;AAAA,EACjF,WAAW,YAAY,oBAAoB;AAAA,IACzC,IAAI,QAAQ,WAAW,QAAQ,GAAG;AAAA,MAChC,OAAO;AAAA,IACT;AAAA,EACF;AAAA,EAGA,IAAI,QAAQ,kBAAkB,QAAQ,eAAe,SAAS,GAAG;AAAA,IAE/D,IAAI,CAAC,QAAQ,SAAS,GAAG,GAAG;AAAA,MAC1B,OAAO;AAAA,IACT;AAAA,IAEA,MAAM,mBAAmB,QAAQ,eAAe,KAAK,CAAC,WAAW;AAAA,MAC/D,OAAO,QAAQ,WAAW,GAAG,SAAS;AAAA,KACvC;AAAA,IAED,IAAI,CAAC,kBAAkB;AAAA,MACrB,OAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEA,OAAO;AAAA;AAMT,SAAS,aAAa,CAAC,OAAe,eAAiC;AAAA,EACrE,MAAM,aAAa,MAAM,MAAM,GAAG,EAAE,OAAO,OAAK,EAAE,KAAK,CAAC;AAAA,EACxD,MAAM,YAAsB,CAAC;AAAA,EAE7B,WAAW,QAAQ,YAAY;AAAA,IAC7B,MAAM,aAAa,KAAK,QAAQ,GAAG;AAAA,IACnC,IAAI,eAAe;AAAA,MACjB;AAAA,IAEF,MAAM,OAAO,KAAK,UAAU,GAAG,UAAU,EAAE,KAAK,EAAE,YAAY;AAAA,IAC9D,MAAM,QAAQ,KAAK,UAAU,aAAa,CAAC,EAAE,KAAK;AAAA,IAGlD,IAAI,cAAc,SAAS,IAAI,GAAG;AAAA,MAEhC,IAAI,CAAC,MAAM,YAAY,EAAE,SAAS,aAAa,KAAK,CAAC,MAAM,YAAY,EAAE,SAAS,aAAa,GAAG;AAAA,QAChG,UAAU,KAAK,GAAG,SAAS,OAAO;AAAA,MACpC;AAAA,IACF;AAAA,EACF;AAAA,EAEA,OAAO,UAAU,KAAK,IAAI;AAAA;AAM5B,SAAS,eAAe,CAAC,eAA+C;AAAA,EACtE,MAAM,aAAqC,CAAC;AAAA,EAC5C,MAAM,YAAY;AAAA,EAElB,IAAI;AAAA,EAGJ,OAAQ,QAAQ,UAAU,KAAK,aAAa,GAAI;AAAA,IAC9C,MAAM,OAAO,MAAM;AAAA,IACnB,MAAM,QAAQ,MAAM,MAAM,MAAM,MAAM,MAAM,MAAM;AAAA,IAClD,WAAW,QAAQ;AAAA,EACrB;AAAA,EAEA,OAAO;AAAA;AAMT,SAAS,eAAe,CAAC,YAA4C;AAAA,EACnE,MAAM,QAAkB,CAAC;AAAA,EAEzB,YAAY,MAAM,UAAU,OAAO,QAAQ,UAAU,GAAG;AAAA,IACtD,IAAI,UAAU,IAAI;AAAA,MAChB,MAAM,KAAK,IAAI;AAAA,IACjB,EACK;AAAA,MAEH,MAAM,UAAU,MAAM,QAAQ,MAAM,QAAQ;AAAA,MAC5C,MAAM,KAAK,GAAG,SAAS,UAAU;AAAA;AAAA,EAErC;AAAA,EAEA,OAAO,MAAM,SAAS,IAAI,IAAI,MAAM,KAAK,GAAG,MAAM;AAAA;AAMpD,SAAS,QAAQ,CAAC,SAAiB,YAA4C;AAAA,EAC7E,OAAO,IAAI,UAAU,gBAAgB,UAAU;AAAA;AAMjD,SAAS,UAAU,CAAC,MAAsB;AAAA,EACxC,OAAO,KACJ,QAAQ,MAAM,OAAO,EACrB,QAAQ,MAAM,MAAM,EACpB,QAAQ,MAAM,MAAM,EACpB,QAAQ,MAAM,QAAQ,EACtB,QAAQ,MAAM,OAAO;AAAA;AAMnB,SAAS,MAAM,CAAC,MAAc,SAAuD;AAAA,EAC1F,MAAM,SAAS,iBAAiB,MAAM,OAAO;AAAA,EAC7C,OAAO,CAAC,OAAO;AAAA;AAMV,SAAS,SAAS,CAAC,MAAsB;AAAA,EAC9C,OAAO,KAAK,QAAQ,YAAY,EAAE;AAAA;AAM7B,SAAS,MAAM,CAAC,MAAsB;AAAA,EAC3C,OAAO,WAAW,IAAI;AAAA;;;AClYxB,IAAe;",
+  "debugId": "11C850CF49E4930C64756E2164756E21",
+  "names": []
+}

package/dist/presets.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import type { SanitizerOptions } from './types';
+/**
+ * Get preset by name
+ */
+export declare function getPreset(name: string): SanitizerOptions;
+/**
+ * Strict preset - Only safe, basic formatting
+ */
+export declare const strict: SanitizerOptions;
+/**
+ * Basic preset - Common safe HTML elements
+ */
+export declare const basic: SanitizerOptions;
+/**
+ * Relaxed preset - More permissive, includes media and interactive elements
+ */
+export declare const relaxed: SanitizerOptions;
+/**
+ * Markdown preset - Optimized for markdown-generated HTML
+ */
+export declare const markdown: SanitizerOptions;

package/dist/sanitizer.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import type { SanitizeResult, SanitizerOptions, SanitizerPreset } from './types';
+/**
+ * Sanitize HTML content
+ */
+export declare function sanitize(html: string, options?: SanitizerOptions | SanitizerPreset): string;
+/**
+ * Sanitize HTML content with detailed information
+ */
+export declare function sanitizeWithInfo(html: string, options?: SanitizerOptions | SanitizerPreset): SanitizeResult;
+/**
+ * Check if HTML content is safe (quick check)
+ */
+export declare function isSafe(html: string, options?: SanitizerOptions | SanitizerPreset): boolean;
+/**
+ * Strip all HTML tags
+ */
+export declare function stripTags(html: string): string;
+/**
+ * Escape HTML for safe display
+ */
+export declare function escape(text: string): string;

package/dist/types.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+/**
+ * Sanitizer configuration options
+ */
+export declare interface SanitizerOptions {
+  allowedTags?: string[]
+  allowedAttributes?: Record<string, string[]> | string[]
+  allowedSchemes?: string[]
+  allowedStyles?: string[]
+  allowDataAttributes?: boolean
+  allowAriaAttributes?: boolean
+  urlValidator?: (url: string) => boolean
+  stripTags?: boolean
+  allowComments?: boolean
+  transformTag?: (tagName: string, attributes: Record<string, string>) => { tagName: string, attributes: Record<string, string> } | null
+}
+/**
+ * HTML sanitization result
+ */
+export declare interface SanitizeResult {
+  html: string
+  modified: boolean
+  removedTags?: string[]
+  removedAttributes?: string[]
+}
+/**
+ * Preset configurations
+ */
+export type SanitizerPreset = 'strict' | 'basic' | 'relaxed' | 'markdown'

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@stacksjs/sanitizer",
   "type": "module",
-  "version": "0.2.0",
+  "version": "0.2.5",
   "description": "A fast, native Bun-powered HTML sanitizer with DOMPurify-like features. Protection against XSS and malicious content.",
   "author": "Chris Breuer <chris@stacksjs.org>",
   "license": "MIT",
@@ -40,6 +40,7 @@
   ],
   "scripts": {
     "build": "bun --bun build.ts",
+    "prepublishOnly": "bun run build",
     "test": "bun test",
     "test:watch": "bun test --watch",
     "test:coverage": "bun test --coverage",