@sveltejs/kit 1.0.0-next.405 → 1.0.0-next.408

package/src/utils/escape.js

@@ -0,0 +1,104 @@
+/**
+ * Inside a script element, only `</script` and `<!--` hold special meaning to the HTML parser.
+ *
+ * The first closes the script element, so everything after is treated as raw HTML.
+ * The second disables further parsing until `-->`, so the script element might be unexpectedly
+ * kept open until until an unrelated HTML comment in the page.
+ *
+ * U+2028 LINE SEPARATOR and U+2029 PARAGRAPH SEPARATOR are escaped for the sake of pre-2018
+ * browsers.
+ *
+ * @see tests for unsafe parsing examples.
+ * @see https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements
+ * @see https://html.spec.whatwg.org/multipage/syntax.html#cdata-rcdata-restrictions
+ * @see https://html.spec.whatwg.org/multipage/parsing.html#script-data-state
+ * @see https://html.spec.whatwg.org/multipage/parsing.html#script-data-double-escaped-state
+ * @see https://github.com/tc39/proposal-json-superset
+ * @type {Record<string, string>}
+ */
+const render_json_payload_script_dict = {
+	'<': '\\u003C',
+	'\u2028': '\\u2028',
+	'\u2029': '\\u2029'
+};
+
+const render_json_payload_script_regex = new RegExp(
+	`[${Object.keys(render_json_payload_script_dict).join('')}]`,
+	'g'
+);
+
+/**
+ * Generates a raw HTML string containing a safe script element carrying JSON data and associated attributes.
+ *
+ * It escapes all the special characters needed to guarantee the element is unbroken, but care must
+ * be taken to ensure it is inserted in the document at an acceptable position for a script element,
+ * and that the resulting string isn't further modified.
+ *
+ * Attribute names must be type-checked so we don't need to escape them.
+ *
+ * @param {import('types').PayloadScriptAttributes} attrs A list of attributes to be added to the element.
+ * @param {import('types').JSONValue} payload The data to be carried by the element. Must be serializable to JSON.
+ * @returns {string} The raw HTML of a script element carrying the JSON payload.
+ * @example const html = render_json_payload_script({ type: 'data', url: '/data.json' }, { foo: 'bar' });
+ */
+export function render_json_payload_script(attrs, payload) {
+	const safe_payload = JSON.stringify(payload).replace(
+		render_json_payload_script_regex,
+		(match) => render_json_payload_script_dict[match]
+	);
+
+	let safe_attrs = '';
+	for (const [key, value] of Object.entries(attrs)) {
+		if (value === undefined) continue;
+		safe_attrs += ` sveltekit:data-${key}=${escape_html_attr(value)}`;
+	}
+
+	return `<script type="application/json"${safe_attrs}>${safe_payload}</script>`;
+}
+
+/**
+ * When inside a double-quoted attribute value, only `&` and `"` hold special meaning.
+ * @see https://html.spec.whatwg.org/multipage/parsing.html#attribute-value-(double-quoted)-state
+ * @type {Record<string, string>}
+ */
+const escape_html_attr_dict = {
+	'&': '&amp;',
+	'"': '&quot;'
+};
+
+const escape_html_attr_regex = new RegExp(
+	// special characters
+	`[${Object.keys(escape_html_attr_dict).join('')}]|` +
+		// high surrogate without paired low surrogate
+		'[\\ud800-\\udbff](?![\\udc00-\\udfff])|' +
+		// a valid surrogate pair, the only match with 2 code units
+		// we match it so that we can match unpaired low surrogates in the same pass
+		// TODO: use lookbehind assertions once they are widely supported: (?<![\ud800-udbff])[\udc00-\udfff]
+		'[\\ud800-\\udbff][\\udc00-\\udfff]|' +
+		// unpaired low surrogate (see previous match)
+		'[\\udc00-\\udfff]',
+	'g'
+);
+
+/**
+ * Formats a string to be used as an attribute's value in raw HTML.
+ *
+ * It escapes unpaired surrogates (which are allowed in js strings but invalid in HTML), escapes
+ * characters that are special in attributes, and surrounds the whole string in double-quotes.
+ *
+ * @param {string} str
+ * @returns {string} Escaped string surrounded by double-quotes.
+ * @example const html = `<tag data-value=${escape_html_attr('value')}>...</tag>`;
+ */
+export function escape_html_attr(str) {
+	const escaped_str = str.replace(escape_html_attr_regex, (match) => {
+		if (match.length === 2) {
+			// valid surrogate pair
+			return match;
+		}
+
+		return escape_html_attr_dict[match] ?? `&#${match.charCodeAt(0)};`;
+	});
+
+	return `"${escaped_str}"`;
+}

package/{dist/chunks → src/utils}/filesystem.js

@@ -1,10 +1,10 @@
-import fs__default from 'fs';
-import path__default from 'path';
+import fs from 'fs';
+import path from 'path';
 
 /** @param {string} dir */
-function mkdirp(dir) {
+export function mkdirp(dir) {
 	try {
-		fs__default.mkdirSync(dir, { recursive: true });
+		fs.mkdirSync(dir, { recursive: true });
 	} catch (/** @type {any} */ e) {
 		if (e.code === 'EEXIST') return;
 		throw e;
@@ -12,8 +12,8 @@ function mkdirp(dir) {
 }
 
 /** @param {string} path */
-function rimraf(path) {
-	fs__default.rmSync(path, { force: true, recursive: true });
+export function rimraf(path) {
+	fs.rmSync(path, { force: true, recursive: true });
 }
 
 /**
@@ -24,8 +24,8 @@ function rimraf(path) {
  *   replace?: Record<string, string>;
  * }} opts
  */
-function copy(source, target, opts = {}) {
-	if (!fs__default.existsSync(source)) return [];
+export function copy(source, target, opts = {}) {
+	if (!fs.existsSync(source)) return [];
 
 	/** @type {string[]} */
 	const files = [];
@@ -41,20 +41,20 @@ function copy(source, target, opts = {}) {
 	 * @param {string} to
 	 */
 	function go(from, to) {
-		if (opts.filter && !opts.filter(path__default.basename(from))) return;
+		if (opts.filter && !opts.filter(path.basename(from))) return;
 
-		const stats = fs__default.statSync(from);
+		const stats = fs.statSync(from);
 
 		if (stats.isDirectory()) {
-			fs__default.readdirSync(from).forEach((file) => {
-				go(path__default.join(from, file), path__default.join(to, file));
+			fs.readdirSync(from).forEach((file) => {
+				go(path.join(from, file), path.join(to, file));
 			});
 		} else {
-			mkdirp(path__default.dirname(to));
+			mkdirp(path.dirname(to));
 
 			if (opts.replace) {
-				const data = fs__default.readFileSync(from, 'utf-8');
-				fs__default.writeFileSync(
+				const data = fs.readFileSync(from, 'utf-8');
+				fs.writeFileSync(
 					to,
 					data.replace(
 						/** @type {RegExp} */ (regex),
@@ -62,10 +62,10 @@ function copy(source, target, opts = {}) {
 					)
 				);
 			} else {
-				fs__default.copyFileSync(from, to);
+				fs.copyFileSync(from, to);
 			}
 
-			files.push(to === target ? posixify(path__default.basename(to)) : posixify(to).replace(prefix, ''));
+			files.push(to === target ? posixify(path.basename(to)) : posixify(to).replace(prefix, ''));
 		}
 	}
 
@@ -79,17 +79,17 @@ function copy(source, target, opts = {}) {
  * @param {string} cwd - the directory to walk
  * @param {boolean} [dirs] - whether to include directories in the result
  */
-function walk(cwd, dirs = false) {
+export function walk(cwd, dirs = false) {
 	/** @type {string[]} */
 	const all_files = [];
 
 	/** @param {string} dir */
 	function walk_dir(dir) {
-		const files = fs__default.readdirSync(path__default.join(cwd, dir));
+		const files = fs.readdirSync(path.join(cwd, dir));
 
 		for (const file of files) {
-			const joined = path__default.join(dir, file);
-			const stats = fs__default.statSync(path__default.join(cwd, joined));
+			const joined = path.join(dir, file);
+			const stats = fs.statSync(path.join(cwd, joined));
 			if (stats.isDirectory()) {
 				if (dirs) all_files.push(joined);
 				walk_dir(joined);
@@ -103,8 +103,6 @@ function walk(cwd, dirs = false) {
 }
 
 /** @param {string} str */
-function posixify(str) {
+export function posixify(str) {
 	return str.replace(/\\/g, '/');
 }
-
-export { copy as c, mkdirp as m, posixify as p, rimraf as r, walk as w };

package/src/utils/http.js

@@ -0,0 +1,55 @@
+/**
+ * Given an Accept header and a list of possible content types, pick
+ * the most suitable one to respond with
+ * @param {string} accept
+ * @param {string[]} types
+ */
+export function negotiate(accept, types) {
+	/** @type {Array<{ type: string, subtype: string, q: number, i: number }>} */
+	const parts = [];
+
+	accept.split(',').forEach((str, i) => {
+		const match = /([^/]+)\/([^;]+)(?:;q=([0-9.]+))?/.exec(str);
+
+		// no match equals invalid header — ignore
+		if (match) {
+			const [, type, subtype, q = '1'] = match;
+			parts.push({ type, subtype, q: +q, i });
+		}
+	});
+
+	parts.sort((a, b) => {
+		if (a.q !== b.q) {
+			return b.q - a.q;
+		}
+
+		if ((a.subtype === '*') !== (b.subtype === '*')) {
+			return a.subtype === '*' ? 1 : -1;
+		}
+
+		if ((a.type === '*') !== (b.type === '*')) {
+			return a.type === '*' ? 1 : -1;
+		}
+
+		return a.i - b.i;
+	});
+
+	let accepted;
+	let min_priority = Infinity;
+
+	for (const mimetype of types) {
+		const [type, subtype] = mimetype.split('/');
+		const priority = parts.findIndex(
+			(part) =>
+				(part.type === type || part.type === '*') &&
+				(part.subtype === subtype || part.subtype === '*')
+		);
+
+		if (priority !== -1 && priority < min_priority) {
+			accepted = mimetype;
+			min_priority = priority;
+		}
+	}
+
+	return accepted;
+}

package/src/utils/misc.js

@@ -0,0 +1 @@
+export const s = JSON.stringify;

package/src/utils/routing.js

@@ -0,0 +1,107 @@
+const param_pattern = /^(\.\.\.)?(\w+)(?:=(\w+))?$/;
+
+/** @param {string} id */
+export function parse_route_id(id) {
+	/** @type {string[]} */
+	const names = [];
+
+	/** @type {string[]} */
+	const types = [];
+
+	// `/foo` should get an optional trailing slash, `/foo.json` should not
+	// const add_trailing_slash = !/\.[a-z]+$/.test(key);
+	let add_trailing_slash = true;
+
+	const pattern =
+		id === ''
+			? /^\/$/
+			: new RegExp(
+					`^${decodeURIComponent(id)
+						.split(/(?:@[a-zA-Z0-9_-]+)?(?:\/|$)/)
+						.map((segment, i, segments) => {
+							// special case — /[...rest]/ could contain zero segments
+							const match = /^\[\.\.\.(\w+)(?:=(\w+))?\]$/.exec(segment);
+							if (match) {
+								names.push(match[1]);
+								types.push(match[2]);
+								return '(?:/(.*))?';
+							}
+
+							const is_last = i === segments.length - 1;
+
+							return (
+								segment &&
+								'/' +
+									segment
+										.split(/\[(.+?)\]/)
+										.map((content, i) => {
+											if (i % 2) {
+												const match = param_pattern.exec(content);
+												if (!match) {
+													throw new Error(
+														`Invalid param: ${content}. Params and matcher names can only have underscores and alphanumeric characters.`
+													);
+												}
+
+												const [, rest, name, type] = match;
+												names.push(name);
+												types.push(type);
+												return rest ? '(.*?)' : '([^/]+?)';
+											}
+
+											if (is_last && content.includes('.')) add_trailing_slash = false;
+
+											return (
+												content // allow users to specify characters on the file system in an encoded manner
+													.normalize()
+													// We use [ and ] to denote parameters, so users must encode these on the file
+													// system to match against them. We don't decode all characters since others
+													// can already be epressed and so that '%' can be easily used directly in filenames
+													.replace(/%5[Bb]/g, '[')
+													.replace(/%5[Dd]/g, ']')
+													// '#', '/', and '?' can only appear in URL path segments in an encoded manner.
+													// They will not be touched by decodeURI so need to be encoded here, so
+													// that we can match against them.
+													// We skip '/' since you can't create a file with it on any OS
+													.replace(/#/g, '%23')
+													.replace(/\?/g, '%3F')
+													// escape characters that have special meaning in regex
+													.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
+											); // TODO handle encoding
+										})
+										.join('')
+							);
+						})
+						.join('')}${add_trailing_slash ? '/?' : ''}$`
+			  );
+
+	return { pattern, names, types };
+}
+
+/**
+ * @param {RegExpMatchArray} match
+ * @param {string[]} names
+ * @param {string[]} types
+ * @param {Record<string, import('types').ParamMatcher>} matchers
+ */
+export function exec(match, names, types, matchers) {
+	/** @type {Record<string, string>} */
+	const params = {};
+
+	for (let i = 0; i < names.length; i += 1) {
+		const name = names[i];
+		const type = types[i];
+		const value = match[i + 1] || '';
+
+		if (type) {
+			const matcher = matchers[type];
+			if (!matcher) throw new Error(`Missing "${type}" param matcher`); // TODO do this ahead of time?
+
+			if (!matcher(value)) return;
+		}
+
+		params[name] = value;
+	}
+
+	return params;
+}

package/src/utils/url.js

@@ -0,0 +1,97 @@
+const absolute = /^([a-z]+:)?\/?\//;
+const scheme = /^[a-z]+:/;
+
+/**
+ * @param {string} base
+ * @param {string} path
+ */
+export function resolve(base, path) {
+	if (scheme.test(path)) return path;
+
+	const base_match = absolute.exec(base);
+	const path_match = absolute.exec(path);
+
+	if (!base_match) {
+		throw new Error(`bad base path: "${base}"`);
+	}
+
+	const baseparts = path_match ? [] : base.slice(base_match[0].length).split('/');
+	const pathparts = path_match ? path.slice(path_match[0].length).split('/') : path.split('/');
+
+	baseparts.pop();
+
+	for (let i = 0; i < pathparts.length; i += 1) {
+		const part = pathparts[i];
+		if (part === '.') continue;
+		else if (part === '..') baseparts.pop();
+		else baseparts.push(part);
+	}
+
+	const prefix = (path_match && path_match[0]) || (base_match && base_match[0]) || '';
+
+	return `${prefix}${baseparts.join('/')}`;
+}
+
+/** @param {string} path */
+export function is_root_relative(path) {
+	return path[0] === '/' && path[1] !== '/';
+}
+
+/**
+ * @param {string} path
+ * @param {import('types').TrailingSlash} trailing_slash
+ */
+export function normalize_path(path, trailing_slash) {
+	if (path === '/' || trailing_slash === 'ignore') return path;
+
+	if (trailing_slash === 'never') {
+		return path.endsWith('/') ? path.slice(0, -1) : path;
+	} else if (trailing_slash === 'always' && !path.endsWith('/')) {
+		return path + '/';
+	}
+
+	return path;
+}
+
+/** @param {Record<string, string>} params */
+export function decode_params(params) {
+	for (const key in params) {
+		// input has already been decoded by decodeURI
+		// now handle the rest that decodeURIComponent would do
+		params[key] = params[key]
+			.replace(/%23/g, '#')
+			.replace(/%3[Bb]/g, ';')
+			.replace(/%2[Cc]/g, ',')
+			.replace(/%2[Ff]/g, '/')
+			.replace(/%3[Ff]/g, '?')
+			.replace(/%3[Aa]/g, ':')
+			.replace(/%40/g, '@')
+			.replace(/%26/g, '&')
+			.replace(/%3[Dd]/g, '=')
+			.replace(/%2[Bb]/g, '+')
+			.replace(/%24/g, '$');
+	}
+
+	return params;
+}
+
+export class LoadURL extends URL {
+	/** @returns {string} */
+	get hash() {
+		throw new Error(
+			'url.hash is inaccessible from load. Consider accessing hash from the page store within the script tag of your component.'
+		);
+	}
+}
+
+export class PrerenderingURL extends URL {
+	/** @returns {string} */
+	get search() {
+		throw new Error('Cannot access url.search on a page with prerendering enabled');
+	}
+
+	/** @returns {URLSearchParams} */
+	get searchParams() {
+		throw new Error('Cannot access url.searchParams on a page with prerendering enabled');
+	}
+}