npm - @tanstack/router-core - Versions diffs - 1.159.6 → 1.160.0 - Mend

@tanstack/router-core 1.159.6 → 1.160.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/dist/cjs/index.cjs +1 -0
package/dist/cjs/index.cjs.map +1 -1
package/dist/cjs/index.d.cts +1 -1
package/dist/cjs/load-matches.cjs +24 -11
package/dist/cjs/load-matches.cjs.map +1 -1
package/dist/cjs/redirect.cjs +0 -6
package/dist/cjs/redirect.cjs.map +1 -1
package/dist/cjs/router.cjs +10 -2
package/dist/cjs/router.cjs.map +1 -1
package/dist/cjs/router.d.cts +9 -0
package/dist/cjs/utils.cjs +11 -4
package/dist/cjs/utils.cjs.map +1 -1
package/dist/cjs/utils.d.cts +8 -7
package/dist/esm/index.d.ts +1 -1
package/dist/esm/index.js +2 -1
package/dist/esm/load-matches.js +24 -11
package/dist/esm/load-matches.js.map +1 -1
package/dist/esm/redirect.js +0 -6
package/dist/esm/redirect.js.map +1 -1
package/dist/esm/router.d.ts +9 -0
package/dist/esm/router.js +11 -3
package/dist/esm/router.js.map +1 -1
package/dist/esm/utils.d.ts +8 -7
package/dist/esm/utils.js +11 -4
package/dist/esm/utils.js.map +1 -1
package/package.json +1 -1
package/src/index.ts +1 -0
package/src/load-matches.ts +35 -12
package/src/redirect.ts +0 -12
package/src/router.ts +28 -2
package/src/utils.ts +20 -8

package/dist/esm/redirect.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"redirect.js","sources":["../../src/redirect.ts"],"sourcesContent":["import ~~{ SAFE_URL_PROTOCOLS, isDangerousProtocol } from './utils'\nimport~~ type { NavigateOptions } from './link'\nimport type { AnyRouter, RegisteredRouter } from './router'\nimport type { ParsedLocation } from './location'\n\nexport type AnyRedirect = Redirect<any, any, any, any, any>\n\n/*\n @link [API Docs](https://tanstack.com/router/latest/docs/framework/react/api/router/RedirectType)\n /\nexport type Redirect<\n TRouter extends AnyRouter = RegisteredRouter,\n TFrom extends string = string,\n TTo extends string \| undefined = undefined,\n TMaskFrom extends string = TFrom,\n TMaskTo extends string = '.',\n> = Response & {\n options: NavigateOptions<TRouter, TFrom, TTo, TMaskFrom, TMaskTo> & {\n /\n @internal\n * A trusted built location that can be used to redirect to.\n /\n _builtLocation?: ParsedLocation\n }\n redirectHandled?: boolean\n}\n\nexport type RedirectOptions<\n TRouter extends AnyRouter = RegisteredRouter,\n TFrom extends string = string,\n TTo extends string \| undefined = undefined,\n TMaskFrom extends string = TFrom,\n TMaskTo extends string = '.',\n> = {\n href?: string\n /\n @deprecated Use `statusCode` instead\n /\n code?: number\n /\n * The HTTP status code to use when redirecting.\n * @link [API Docs](https://tanstack.com/router/latest/docs/framework/react/api/router/RedirectType#statuscode-property)\n /\n statusCode?: number\n /\n If provided, will throw the redirect object instead of returning it. This can be useful in places where `throwing` in a function might cause it to have a return type of `never`. In that case, you can use `redirect({ throw: true })` to throw the redirect object instead of returning it.\n * @link [API Docs](https://tanstack.com/router/latest/docs/framework/react/api/router/RedirectType#throw-property)\n /\n throw?: any\n /\n The HTTP headers to use when redirecting.\n * @link [API Docs](https://tanstack.com/router/latest/docs/framework/react/api/router/RedirectType#headers-property)\n /\n headers?: HeadersInit\n /\n @internal\n * A trusted built location that can be used to redirect to.\n /\n _builtLocation?: ParsedLocation\n} & NavigateOptions<TRouter, TFrom, TTo, TMaskFrom, TMaskTo>\n\nexport type ResolvedRedirect<\n TRouter extends AnyRouter = RegisteredRouter,\n TFrom extends string = string,\n TTo extends string = '',\n TMaskFrom extends string = TFrom,\n TMaskTo extends string = '',\n> = Redirect<TRouter, TFrom, TTo, TMaskFrom, TMaskTo>\n\n/\n Options for route-bound redirect, where 'from' is automatically set.\n * @link [API Docs](https://tanstack.com/router/latest/docs/framework/react/api/router/RedirectType)\n /\nexport type RedirectOptionsRoute<\n TDefaultFrom extends string = string,\n TRouter extends AnyRouter = RegisteredRouter,\n TTo extends string \| undefined = undefined,\n TMaskTo extends string = '',\n> = Omit<\n RedirectOptions<TRouter, TDefaultFrom, TTo, TDefaultFrom, TMaskTo>,\n 'from'\n>\n\n/\n A redirect function bound to a specific route, with 'from' pre-set to the route's fullPath.\n * This enables relative redirects like `Route.redirect({ to: './overview' })`.\n * @link [API Docs](https://tanstack.com/router/latest/docs/framework/react/api/router/RedirectType)\n /\nexport interface RedirectFnRoute<in out TDefaultFrom extends string = string> {\n <\n TRouter extends AnyRouter = RegisteredRouter,\n const TTo extends string \| undefined = undefined,\n const TMaskTo extends string = '',\n >(\n opts: RedirectOptionsRoute<TDefaultFrom, TRouter, TTo, TMaskTo>,\n ): Redirect<TRouter, TDefaultFrom, TTo, TDefaultFrom, TMaskTo>\n}\n\n/\n Create a redirect Response understood by TanStack Router.\n \n Use from route `loader`/`beforeLoad` or server functions to trigger a\n * navigation. If `throw: true` is set, the redirect is thrown instead of\n * returned. When an absolute `href` is supplied and `reloadDocument` is not\n * set, a full-document navigation is inferred.\n \n @param opts Options for the redirect. Common fields:\n * - `href`: absolute URL for external redirects; infers `reloadDocument`.\n * - `statusCode`: HTTP status code to use (defaults to 307).\n * - `headers`: additional headers to include on the Response.\n * - Standard navigation options like `to`, `params`, `search`, `replace`,\n * and `reloadDocument` for internal redirects.\n * @returns A Response augmented with router navigation options.\n * @link https://tanstack.com/router/latest/docs/framework/react/api/router/redirectFunction\n /\nexport function redirect<\n TRouter extends AnyRouter = RegisteredRouter,\n const TTo extends string \| undefined = '.',\n const TFrom extends string = string,\n const TMaskFrom extends string = TFrom,\n const TMaskTo extends string = '',\n>(\n opts: RedirectOptions<TRouter, TFrom, TTo, TMaskFrom, TMaskTo>,\n): Redirect<TRouter, TFrom, TTo, TMaskFrom, TMaskTo> {\n opts.statusCode = opts.statusCode \|\| opts.code \|\| 307\n\n ~~// Block dangerous protocols in redirect href\n~~ if (\n !opts._builtLocation &&\n typeof opts.href === 'string' &&\n isDangerousProtocol(opts.href)\n ) {\n throw new Error(\n `Redirect blocked: unsafe protocol in href \"${opts.href}\". Only ${SAFE_URL_PROTOCOLS.join(', ')} protocols are allowed.`,\n )\n }\n\n if (\n !opts.~~_builtLocation &&\n !opts.~~reloadDocument &&\n typeof opts.href === 'string'\n ) {\n try {\n new URL(opts.href)\n opts.reloadDocument = true\n } catch {}\n }\n\n const headers = new Headers(opts.headers)\n if (opts.href && headers.get('Location') === null) {\n headers.set('Location', opts.href)\n }\n\n const response = new Response(null, {\n status: opts.statusCode,\n headers,\n })\n\n ;(response as Redirect<TRouter, TFrom, TTo, TMaskFrom, TMaskTo>).options =\n opts\n\n if (opts.throw) {\n throw response\n }\n\n return response as Redirect<TRouter, TFrom, TTo, TMaskFrom, TMaskTo>\n}\n\n/* Check whether a value is a TanStack Router redirect Response. /\n/* Check whether a value is a TanStack Router redirect Response. /\nexport function isRedirect(obj: any): obj is AnyRedirect {\n return obj instanceof Response && !!(obj as any).options\n}\n\n/* True if value is a redirect with a resolved `href` location. /\n/* True if value is a redirect with a resolved `href` location. /\nexport function isResolvedRedirect(\n obj: any,\n): obj is AnyRedirect & { options: { href: string } } {\n return isRedirect(obj) && !!obj.options.href\n}\n\n/* Parse a serialized redirect object back into a redirect Response. /\n/* Parse a serialized redirect object back into a redirect Response. */\nexport function parseRedirect(obj: any) {\n if (obj !== null && typeof obj === 'object' && obj.isSerializedRedirect) {\n return redirect(obj)\n }\n\n return undefined\n}\n"],"names":[],"mappings":"~~;AAmHO~~,SAAS,SAOd,MACmD;AACnD,OAAK,aAAa,KAAK,cAAc,KAAK,QAAQ;~~AAGlD~~,MACE,CAAC,KAAK,kBACN,~~OAAO,KAAK,SAAS,YACrB,oBAAoB,KAAK,IAAI,GAC7B;AACA,UAAM,IAAI;AAAA,MACR,8CAA8C,KAAK,IAAI,WAAW,mBAAmB,KAAK,IAAI,~~CAAC~~;AAAA~~,~~IAAA;AAAA,EAEnG;AAEA,MACE,CAAC,~~KAAK,kBACN,~~CAAC,KAAK,kBACN,~~OAAO,KAAK,SAAS,UACrB;AACA,QAAI;AACF,UAAI,IAAI,KAAK,IAAI;AACjB,WAAK,iBAAiB;AAAA,IACxB,QAAQ;AAAA,IAAC;AAAA,EACX;AAEA,QAAM,UAAU,IAAI,QAAQ,KAAK,OAAO;AACxC,MAAI,KAAK,QAAQ,QAAQ,IAAI,UAAU,MAAM,MAAM;AACjD,YAAQ,IAAI,YAAY,KAAK,IAAI;AAAA,EACnC;AAEA,QAAM,WAAW,IAAI,SAAS,MAAM;AAAA,IAClC,QAAQ,KAAK;AAAA,IACb;AAAA,EAAA,CACD;AAEC,WAA+D,UAC/D;AAEF,MAAI,KAAK,OAAO;AACd,UAAM;AAAA,EACR;AAEA,SAAO;AACT;AAIO,SAAS,WAAW,KAA8B;AACvD,SAAO,eAAe,YAAY,CAAC,CAAE,IAAY;AACnD;AAIO,SAAS,mBACd,KACoD;AACpD,SAAO,WAAW,GAAG,KAAK,CAAC,CAAC,IAAI,QAAQ;AAC1C;AAIO,SAAS,cAAc,KAAU;AACtC,MAAI,QAAQ,QAAQ,OAAO,QAAQ,YAAY,IAAI,sBAAsB;AACvE,WAAO,SAAS,GAAG;AAAA,EACrB;AAEA,SAAO;AACT;"}
1	+ {"version":3,"file":"redirect.js","sources":["../../src/redirect.ts"],"sourcesContent":["import type { NavigateOptions } from './link'\nimport type { AnyRouter, RegisteredRouter } from './router'\nimport type { ParsedLocation } from './location'\n\nexport type AnyRedirect = Redirect<any, any, any, any, any>\n\n/*\n @link [API Docs](https://tanstack.com/router/latest/docs/framework/react/api/router/RedirectType)\n /\nexport type Redirect<\n TRouter extends AnyRouter = RegisteredRouter,\n TFrom extends string = string,\n TTo extends string \| undefined = undefined,\n TMaskFrom extends string = TFrom,\n TMaskTo extends string = '.',\n> = Response & {\n options: NavigateOptions<TRouter, TFrom, TTo, TMaskFrom, TMaskTo> & {\n /\n @internal\n * A trusted built location that can be used to redirect to.\n /\n _builtLocation?: ParsedLocation\n }\n redirectHandled?: boolean\n}\n\nexport type RedirectOptions<\n TRouter extends AnyRouter = RegisteredRouter,\n TFrom extends string = string,\n TTo extends string \| undefined = undefined,\n TMaskFrom extends string = TFrom,\n TMaskTo extends string = '.',\n> = {\n href?: string\n /\n @deprecated Use `statusCode` instead\n /\n code?: number\n /\n * The HTTP status code to use when redirecting.\n * @link [API Docs](https://tanstack.com/router/latest/docs/framework/react/api/router/RedirectType#statuscode-property)\n /\n statusCode?: number\n /\n If provided, will throw the redirect object instead of returning it. This can be useful in places where `throwing` in a function might cause it to have a return type of `never`. In that case, you can use `redirect({ throw: true })` to throw the redirect object instead of returning it.\n * @link [API Docs](https://tanstack.com/router/latest/docs/framework/react/api/router/RedirectType#throw-property)\n /\n throw?: any\n /\n The HTTP headers to use when redirecting.\n * @link [API Docs](https://tanstack.com/router/latest/docs/framework/react/api/router/RedirectType#headers-property)\n /\n headers?: HeadersInit\n /\n @internal\n * A trusted built location that can be used to redirect to.\n /\n _builtLocation?: ParsedLocation\n} & NavigateOptions<TRouter, TFrom, TTo, TMaskFrom, TMaskTo>\n\nexport type ResolvedRedirect<\n TRouter extends AnyRouter = RegisteredRouter,\n TFrom extends string = string,\n TTo extends string = '',\n TMaskFrom extends string = TFrom,\n TMaskTo extends string = '',\n> = Redirect<TRouter, TFrom, TTo, TMaskFrom, TMaskTo>\n\n/\n Options for route-bound redirect, where 'from' is automatically set.\n * @link [API Docs](https://tanstack.com/router/latest/docs/framework/react/api/router/RedirectType)\n /\nexport type RedirectOptionsRoute<\n TDefaultFrom extends string = string,\n TRouter extends AnyRouter = RegisteredRouter,\n TTo extends string \| undefined = undefined,\n TMaskTo extends string = '',\n> = Omit<\n RedirectOptions<TRouter, TDefaultFrom, TTo, TDefaultFrom, TMaskTo>,\n 'from'\n>\n\n/\n A redirect function bound to a specific route, with 'from' pre-set to the route's fullPath.\n * This enables relative redirects like `Route.redirect({ to: './overview' })`.\n * @link [API Docs](https://tanstack.com/router/latest/docs/framework/react/api/router/RedirectType)\n /\nexport interface RedirectFnRoute<in out TDefaultFrom extends string = string> {\n <\n TRouter extends AnyRouter = RegisteredRouter,\n const TTo extends string \| undefined = undefined,\n const TMaskTo extends string = '',\n >(\n opts: RedirectOptionsRoute<TDefaultFrom, TRouter, TTo, TMaskTo>,\n ): Redirect<TRouter, TDefaultFrom, TTo, TDefaultFrom, TMaskTo>\n}\n\n/\n Create a redirect Response understood by TanStack Router.\n \n Use from route `loader`/`beforeLoad` or server functions to trigger a\n * navigation. If `throw: true` is set, the redirect is thrown instead of\n * returned. When an absolute `href` is supplied and `reloadDocument` is not\n * set, a full-document navigation is inferred.\n \n @param opts Options for the redirect. Common fields:\n * - `href`: absolute URL for external redirects; infers `reloadDocument`.\n * - `statusCode`: HTTP status code to use (defaults to 307).\n * - `headers`: additional headers to include on the Response.\n * - Standard navigation options like `to`, `params`, `search`, `replace`,\n * and `reloadDocument` for internal redirects.\n * @returns A Response augmented with router navigation options.\n * @link https://tanstack.com/router/latest/docs/framework/react/api/router/redirectFunction\n /\nexport function redirect<\n TRouter extends AnyRouter = RegisteredRouter,\n const TTo extends string \| undefined = '.',\n const TFrom extends string = string,\n const TMaskFrom extends string = TFrom,\n const TMaskTo extends string = '',\n>(\n opts: RedirectOptions<TRouter, TFrom, TTo, TMaskFrom, TMaskTo>,\n): Redirect<TRouter, TFrom, TTo, TMaskFrom, TMaskTo> {\n opts.statusCode = opts.statusCode \|\| opts.code \|\| 307\n\n if (\n !opts._builtLocation &&\n !opts.reloadDocument &&\n typeof opts.href === 'string'\n ) {\n try {\n new URL(opts.href)\n opts.reloadDocument = true\n } catch {}\n }\n\n const headers = new Headers(opts.headers)\n if (opts.href && headers.get('Location') === null) {\n headers.set('Location', opts.href)\n }\n\n const response = new Response(null, {\n status: opts.statusCode,\n headers,\n })\n\n ;(response as Redirect<TRouter, TFrom, TTo, TMaskFrom, TMaskTo>).options =\n opts\n\n if (opts.throw) {\n throw response\n }\n\n return response as Redirect<TRouter, TFrom, TTo, TMaskFrom, TMaskTo>\n}\n\n/* Check whether a value is a TanStack Router redirect Response. /\n/* Check whether a value is a TanStack Router redirect Response. /\nexport function isRedirect(obj: any): obj is AnyRedirect {\n return obj instanceof Response && !!(obj as any).options\n}\n\n/* True if value is a redirect with a resolved `href` location. /\n/* True if value is a redirect with a resolved `href` location. /\nexport function isResolvedRedirect(\n obj: any,\n): obj is AnyRedirect & { options: { href: string } } {\n return isRedirect(obj) && !!obj.options.href\n}\n\n/* Parse a serialized redirect object back into a redirect Response. /\n/* Parse a serialized redirect object back into a redirect Response. */\nexport function parseRedirect(obj: any) {\n if (obj !== null && typeof obj === 'object' && obj.isSerializedRedirect) {\n return redirect(obj)\n }\n\n return undefined\n}\n"],"names":[],"mappings":"AAkHO,SAAS,SAOd,MACmD;AACnD,OAAK,aAAa,KAAK,cAAc,KAAK,QAAQ;AAElD,MACE,CAAC,KAAK,kBACN,CAAC,KAAK,kBACN,OAAO,KAAK,SAAS,UACrB;AACA,QAAI;AACF,UAAI,IAAI,KAAK,IAAI;AACjB,WAAK,iBAAiB;AAAA,IACxB,QAAQ;AAAA,IAAC;AAAA,EACX;AAEA,QAAM,UAAU,IAAI,QAAQ,KAAK,OAAO;AACxC,MAAI,KAAK,QAAQ,QAAQ,IAAI,UAAU,MAAM,MAAM;AACjD,YAAQ,IAAI,YAAY,KAAK,IAAI;AAAA,EACnC;AAEA,QAAM,WAAW,IAAI,SAAS,MAAM;AAAA,IAClC,QAAQ,KAAK;AAAA,IACb;AAAA,EAAA,CACD;AAEC,WAA+D,UAC/D;AAEF,MAAI,KAAK,OAAO;AACd,UAAM;AAAA,EACR;AAEA,SAAO;AACT;AAIO,SAAS,WAAW,KAA8B;AACvD,SAAO,eAAe,YAAY,CAAC,CAAE,IAAY;AACnD;AAIO,SAAS,mBACd,KACoD;AACpD,SAAO,WAAW,GAAG,KAAK,CAAC,CAAC,IAAI,QAAQ;AAC1C;AAIO,SAAS,cAAc,KAAU;AACtC,MAAI,QAAQ,QAAQ,OAAO,QAAQ,YAAY,IAAI,sBAAsB;AACvE,WAAO,SAAS,GAAG;AAAA,EACrB;AAEA,SAAO;AACT;"}

package/dist/esm/router.d.ts CHANGED Viewed

@@ -333,6 +333,14 @@ export interface RouterOptions<TRouteTree extends AnyRoute, TTrailingSlashOption
      * @default false
      */
     disableGlobalCatchBoundary?: boolean;
+    /**
+     * An array of URL protocols to allow in links, redirects, and navigation.
+     * Absolute URLs with protocols not in this list will be rejected.
+     *
+     * @default DEFAULT_PROTOCOL_ALLOWLIST (http:, https:, mailto:, tel:)
+     * @link [API Docs](https://tanstack.com/router/latest/docs/framework/react/api/router/RouterOptionsType#protocolallowlist-property)
+     */
+    protocolAllowlist?: Array<string>;
     serializationAdapters?: ReadonlyArray<AnySerializationAdapter>;
     /**
      * Configures how the router will rewrite the location between the actual href and the internal href of the router.
@@ -586,6 +594,7 @@ export declare class RouterCore<in out TRouteTree extends AnyRoute, in out TTrai
     resolvePathCache: LRUCache<string, string>;
     isServer: boolean;
     pathParamsDecoder?: (encoded: string) => string;
+    protocolAllowlist: Set<string>;
     /**
      * @deprecated Use the `createRouter` function instead
      */

package/dist/esm/router.js CHANGED Viewed

@@ -2,7 +2,7 @@ import { Store } from "@tanstack/store";
 import { createBrowserHistory, parseHref } from "@tanstack/history";
 import { isServer } from "@tanstack/router-core/isServer";
 import { batch } from "./utils/batch.js";
-import { createControlledPromise, isDangerousProtocol, deepEqual, replaceEqualDeep, last, decodePath, functionalUpdate, findLast, encodePathLikeUrl } from "./utils.js";
+import { createControlledPromise, isDangerousProtocol, deepEqual, DEFAULT_PROTOCOL_ALLOWLIST, replaceEqualDeep, last, decodePath, functionalUpdate, findLast, encodePathLikeUrl } from "./utils.js";
 import { processRouteTree, processRouteMasks, findSingleMatch, findRouteMatch, findFlatMatch } from "./new-process-route-tree.js";
 import { compileDecodeCharMap, trimPath, resolvePath, cleanPath, trimPathRight, interpolatePath } from "./path.js";
 import { createLRUCache } from "./lru-cache.js";
@@ -80,6 +80,7 @@ class RouterCore {
         ...newOptions
       };
       this.isServer = this.options.isServer ?? typeof document === "undefined";
+      this.protocolAllowlist = new Set(this.options.protocolAllowlist);
       if (this.options.pathParamsAllowedCharacters)
         this.pathParamsDecoder = compileDecodeCharMap(
           this.options.pathParamsAllowedCharacters
@@ -625,7 +626,7 @@ class RouterCore {
           publicHref = publicHref ?? location.publicHref;
         }
         const reloadHref = !hrefIsUrl && publicHref ? publicHref : href;
-        if (isDangerousProtocol(reloadHref)) {
+        if (isDangerousProtocol(reloadHref, this.protocolAllowlist)) {
           if (process.env.NODE_ENV !== "production") {
             console.warn(
               `Blocked navigation to dangerous protocol: ${reloadHref}`
@@ -921,6 +922,12 @@ class RouterCore {
         } catch {
         }
       }
+      if (redirect2.options.href && !redirect2.options._builtLocation && // Check for dangerous protocols before processing the redirect
+      isDangerousProtocol(redirect2.options.href, this.protocolAllowlist)) {
+        throw new Error(
+          `Redirect blocked: unsafe protocol in href "${redirect2.options.href}". Allowed protocols: ${Array.from(this.protocolAllowlist).join(", ")}.`
+        );
+      }
       if (!redirect2.headers.get("Location")) {
         redirect2.headers.set("Location", redirect2.options.href);
       }
@@ -1068,7 +1075,8 @@ class RouterCore {
       caseSensitive: options.caseSensitive ?? false,
       notFoundMode: options.notFoundMode ?? "fuzzy",
       stringifySearch: options.stringifySearch ?? defaultStringifySearch,
-      parseSearch: options.parseSearch ?? defaultParseSearch
+      parseSearch: options.parseSearch ?? defaultParseSearch,
+      protocolAllowlist: options.protocolAllowlist ?? DEFAULT_PROTOCOL_ALLOWLIST
     });
     if (typeof document !== "undefined") {
       self.__TSR_ROUTER__ = this;