npm - @underverse-ui/underverse - Versions diffs - 1.0.100 → 1.0.101 - Mend

@underverse-ui/underverse 1.0.100 → 1.0.101

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/api-reference.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "package": "@underverse-ui/underverse",
-  "version": "1.0.100",
+  "version": "1.0.101",
   "sourceEntry": "src/index.ts",
   "totalExports": 225,
   "exports": [

package/dist/index.cjs CHANGED Viewed

@@ -23653,6 +23653,49 @@ var SlashCommand = import_core.Extension.create({
 // src/components/UEditor/clipboard-images.ts
 var import_core2 = require("@tiptap/core");
 var import_state = require("@tiptap/pm/state");
+// src/components/UEditor/url-safety.ts
+var LINK_PROTOCOLS = /* @__PURE__ */ new Set(["http:", "https:", "mailto:", "tel:"]);
+var IMAGE_PROTOCOLS = /* @__PURE__ */ new Set(["http:", "https:"]);
+function normalizeUrlInput(raw) {
+  return raw.trim().replace(/[\u0000-\u001F\u007F\s]+/g, "");
+}
+function isProtocolRelativeUrl(value) {
+  return value.startsWith("//");
+}
+function isRelativeUrl(value) {
+  return value.startsWith("/") || value.startsWith("./") || value.startsWith("../") || value.startsWith("#");
+}
+function isDataImageUrl(value) {
+  return /^data:image\/(?:png|jpe?g|gif|webp|svg\+xml|bmp|x-icon|avif);base64,/i.test(value);
+}
+function isSafeUEditorUrl(raw, kind) {
+  const value = normalizeUrlInput(raw);
+  if (!value) return false;
+  if (kind === "image" && isDataImageUrl(value)) return true;
+  if (isRelativeUrl(value)) return true;
+  if (isProtocolRelativeUrl(value)) return false;
+  try {
+    const parsed = new URL(value);
+    return kind === "image" ? IMAGE_PROTOCOLS.has(parsed.protocol) : LINK_PROTOCOLS.has(parsed.protocol);
+  } catch {
+    return false;
+  }
+}
+function sanitizeUEditorUrl(raw, kind) {
+  const value = raw.trim();
+  if (!value) return "";
+  if (isSafeUEditorUrl(value, kind)) return normalizeUrlInput(value);
+  if (kind === "link" && !isProtocolRelativeUrl(value) && !/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(value)) {
+    const withProtocol = `https://${value}`;
+    return isSafeUEditorUrl(withProtocol, kind) ? withProtocol : "";
+  }
+  return "";
+}
+// src/components/UEditor/clipboard-images.ts
+var DEFAULT_UEDITOR_IMAGE_MAX_FILE_SIZE = 10 * 1024 * 1024;
+var DEFAULT_UEDITOR_IMAGE_MIME_TYPES = ["image/png", "image/jpeg", "image/webp", "image/gif", "image/svg+xml"];
 function getImageFiles(dataTransfer) {
   if (!dataTransfer) return [];
   const itemFiles = [];
@@ -23684,7 +23727,7 @@ async function resolveImageSrc(file, options) {
   if (options.insertMode === "upload" && options.upload) {
     try {
       const result = await options.upload(file);
-      const src = typeof result === "string" ? result : "";
+      const src = typeof result === "string" ? sanitizeUEditorUrl(result, "image") : "";
       if (src) return src;
     } catch (err) {
       if (!options.fallbackToDataUrl) throw err;
@@ -23696,8 +23739,8 @@ var ClipboardImages = import_core2.Extension.create({
   name: "clipboardImages",
   addOptions() {
     return {
-      maxFileSize: 10 * 1024 * 1024,
-      allowedMimeTypes: ["image/png", "image/jpeg", "image/webp", "image/gif", "image/svg+xml"],
+      maxFileSize: DEFAULT_UEDITOR_IMAGE_MAX_FILE_SIZE,
+      allowedMimeTypes: DEFAULT_UEDITOR_IMAGE_MIME_TYPES,
       upload: void 0,
       fallbackToDataUrl: true,
       insertMode: "base64"
@@ -24556,6 +24599,9 @@ function buildUEditorExtensions({
   maxCharacters,
   uploadImage,
   imageInsertMode = "base64",
+  maxImageFileSize,
+  allowedImageMimeTypes,
+  fallbackToDataUrl,
   editable = true
 }) {
   return [
@@ -24609,12 +24655,20 @@ function buildUEditorExtensions({
     import_extension_horizontal_rule.default,
     import_extension_link.default.configure({
       openOnClick: false,
+      protocols: ["http", "https", "mailto", "tel"],
+      isAllowedUri: (url) => isSafeUEditorUrl(url ?? "", "link"),
       HTMLAttributes: {
         class: "text-primary underline underline-offset-2 hover:text-primary/80 cursor-pointer"
       }
     }),
     resizable_image_default,
-    ClipboardImages.configure({ upload: uploadImage, insertMode: imageInsertMode }),
+    ClipboardImages.configure({
+      upload: uploadImage,
+      insertMode: imageInsertMode,
+      ...maxImageFileSize !== void 0 ? { maxFileSize: maxImageFileSize } : {},
+      ...allowedImageMimeTypes ? { allowedMimeTypes: allowedImageMimeTypes } : {},
+      ...fallbackToDataUrl !== void 0 ? { fallbackToDataUrl } : {}
+    }),
     import_extension_text_style.TextStyle,
     font_family_default,
     font_size_default,
@@ -24833,11 +24887,7 @@ var import_react48 = require("react");
 var import_lucide_react43 = require("lucide-react");
 var import_jsx_runtime78 = require("react/jsx-runtime");
 function normalizeUrl(raw) {
-  const url = raw.trim();
-  if (!url) return "";
-  if (url.startsWith("#") || url.startsWith("/")) return url;
-  if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(url)) return url;
-  return `https://${url}`;
+  return sanitizeUEditorUrl(raw, "link");
 }
 var LinkInput = ({
   onSubmit,
@@ -24882,8 +24932,9 @@ var ImageInput = ({ onSubmit, onCancel }) => {
   }, []);
   const handleSubmit = (e) => {
     e.preventDefault();
-    if (url) {
-      onSubmit(url, alt);
+    const safeUrl = sanitizeUEditorUrl(url, "image");
+    if (safeUrl) {
+      onSubmit(safeUrl, alt);
     }
   };
   return /* @__PURE__ */ (0, import_jsx_runtime78.jsxs)("form", { onSubmit: handleSubmit, className: "p-3 space-y-3", children: [
@@ -25069,6 +25120,8 @@ var EditorToolbar = ({
   variant,
   uploadImage,
   imageInsertMode = "base64",
+  maxImageFileSize = DEFAULT_UEDITOR_IMAGE_MAX_FILE_SIZE,
+  allowedImageMimeTypes = DEFAULT_UEDITOR_IMAGE_MIME_TYPES,
   fontFamilies,
   fontSizes,
   lineHeights,
@@ -25136,10 +25189,13 @@ var EditorToolbar = ({
     setImageUploadError(null);
     for (const file of files) {
       if (!file.type.startsWith("image/")) continue;
+      if (file.size > maxImageFileSize) continue;
+      if (allowedImageMimeTypes.length > 0 && !allowedImageMimeTypes.includes(file.type)) continue;
       try {
         const src = imageInsertMode === "upload" && uploadImage ? await uploadImage(file) : await fileToDataUrl2(file);
-        if (!src) continue;
-        editor.chain().focus().setImage({ src, alt: file.name }).run();
+        const safeSrc = sanitizeUEditorUrl(src, "image");
+        if (!safeSrc) continue;
+        editor.chain().focus().setImage({ src: safeSrc, alt: file.name }).run();
         editor.commands.createParagraphNear();
       } catch {
         setImageUploadError(t("imageInput.uploadError"));
@@ -26334,12 +26390,12 @@ var MIME_EXTENSION_MAP = {
   "image/x-icon": "ico",
   "image/avif": "avif"
 };
-function isDataImageUrl(value) {
+function isDataImageUrl2(value) {
   return /^data:image\//i.test(value.trim());
 }
 function parseDataImageUrl(dataUrl) {
   const value = dataUrl.trim();
-  if (!isDataImageUrl(value)) return null;
+  if (!isDataImageUrl2(value)) return null;
   const commaIndex = value.indexOf(",");
   if (commaIndex < 0) return null;
   const header = value.slice(5, commaIndex);
@@ -26373,19 +26429,33 @@ function createFileFromDataImageUrl(dataUrl, index) {
 }
 function normalizeUploadResult(result) {
   if (typeof result === "string") {
-    const url2 = result.trim();
+    const url2 = sanitizeUEditorUrl(result, "image");
     if (!url2) throw new Error("Upload handler returned an empty URL.");
     return { url: url2 };
   }
   if (!result || typeof result !== "object") {
     throw new Error("Upload handler returned invalid result.");
   }
-  const url = typeof result.url === "string" ? result.url.trim() : "";
+  const url = typeof result.url === "string" ? sanitizeUEditorUrl(result.url, "image") : "";
   if (!url) throw new Error("Upload handler object result is missing `url`.");
   const { url: _ignoredUrl, ...rest } = result;
   const meta = Object.keys(rest).length > 0 ? rest : void 0;
   return { url, meta };
 }
+async function runWithConcurrency(items, concurrency, worker) {
+  const limit = Math.max(1, Math.floor(concurrency));
+  const results = new Array(items.length);
+  let nextIndex = 0;
+  async function runNext() {
+    while (nextIndex < items.length) {
+      const currentIndex = nextIndex;
+      nextIndex += 1;
+      results[currentIndex] = await worker(items[currentIndex]);
+    }
+  }
+  await Promise.all(Array.from({ length: Math.min(limit, items.length) }, runNext));
+  return results;
+}
 function getErrorReason(error) {
   if (error instanceof Error && error.message) return error.message;
   if (typeof error === "string" && error.trim()) return error;
@@ -26397,7 +26467,7 @@ function decodeHtmlEntities(value) {
 function normalizeImageUrl(url) {
   const input = decodeHtmlEntities(url.trim());
   if (!input) return "";
-  if (isDataImageUrl(input)) return input;
+  if (isDataImageUrl2(input)) return input;
   const isAbsolute = /^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(input);
   if (!isAbsolute) {
     return input.split("#")[0] ?? input;
@@ -26481,7 +26551,8 @@ var UEditorPrepareContentForSaveError = class extends Error {
 };
 async function prepareUEditorContentForSave({
   html,
-  uploadImageForSave
+  uploadImageForSave,
+  uploadConcurrency = 3
 }) {
   if (!html || !html.includes("<img")) {
     return createResult({ html, uploaded: [], inlineUploaded: [], errors: [] });
@@ -26494,7 +26565,7 @@ async function prepareUEditorContentForSave({
   for (const match of imgMatches) {
     if (!match.srcAttr) continue;
     const src = match.srcAttr.value.trim();
-    if (!isDataImageUrl(src)) continue;
+    if (!isDataImageUrl2(src)) continue;
     base64Candidates.push({
       id: `${match.start}:${match.end}`,
       match,
@@ -26520,8 +26591,10 @@ async function prepareUEditorContentForSave({
   const inlineUploaded = [];
   const errors = [];
   const replacements = /* @__PURE__ */ new Map();
-  const uploadResults = await Promise.all(
-    base64Candidates.map(async (candidate) => {
+  const uploadResults = await runWithConcurrency(
+    base64Candidates,
+    uploadConcurrency,
+    async (candidate) => {
       try {
         const file = createFileFromDataImageUrl(candidate.src, candidate.index);
         const uploadResult = await uploadImageForSave(file);
@@ -26530,7 +26603,7 @@ async function prepareUEditorContentForSave({
       } catch (error) {
         return { candidate, error: getErrorReason(error) };
       }
-    })
+    }
   );
   for (const item of uploadResults) {
     if ("error" in item) {
@@ -31854,7 +31927,11 @@ var UEditor = import_react52.default.forwardRef(({
   onJsonChange,
   uploadImage,
   uploadImageForSave,
+  uploadImageConcurrency = 3,
   imageInsertMode = "base64",
+  maxImageFileSize,
+  allowedImageMimeTypes,
+  fallbackToDataUrl,
   placeholder,
   className,
   editable = true,
@@ -31965,8 +32042,18 @@ var UEditor = import_react52.default.forwardRef(({
     setEditorResizeCursor("row-resize");
   }, [setEditorResizeCursor]);
   const extensions = (0, import_react52.useMemo)(
-    () => buildUEditorExtensions({ placeholder: effectivePlaceholder, translate: t, maxCharacters, uploadImage, imageInsertMode, editable }),
-    [effectivePlaceholder, t, maxCharacters, uploadImage, imageInsertMode, editable]
+    () => buildUEditorExtensions({
+      placeholder: effectivePlaceholder,
+      translate: t,
+      maxCharacters,
+      uploadImage,
+      imageInsertMode,
+      maxImageFileSize,
+      allowedImageMimeTypes,
+      fallbackToDataUrl,
+      editable
+    }),
+    [effectivePlaceholder, t, maxCharacters, uploadImage, imageInsertMode, maxImageFileSize, allowedImageMimeTypes, fallbackToDataUrl, editable]
   );
   const editor = (0, import_react53.useEditor)({
     immediatelyRender: false,
@@ -32163,7 +32250,8 @@ var UEditor = import_react52.default.forwardRef(({
           const htmlSnapshot = editor?.getHTML() ?? content ?? "";
           inFlightPrepareRef.current = prepareUEditorContentForSave({
             html: htmlSnapshot,
-            uploadImageForSave
+            uploadImageForSave,
+            uploadConcurrency: uploadImageConcurrency
           }).finally(() => {
             inFlightPrepareRef.current = null;
           });
@@ -32175,7 +32263,7 @@ var UEditor = import_react52.default.forwardRef(({
         return result;
       }
     }),
-    [content, editor, uploadImageForSave]
+    [content, editor, uploadImageForSave, uploadImageConcurrency]
   );
   (0, import_react52.useEffect)(() => {
     if (!editor) return;
@@ -32305,21 +32393,6 @@ var UEditor = import_react52.default.forwardRef(({
       }
       state.previewHeight = nextHeight;
       applyPreviewRowHeight(state.rowElement, nextHeight);
-      const tr = editor.view.state.tr;
-      tr.setNodeMarkup(state.rowPos, void 0, {
-        ...state.rowNode.attrs,
-        rowHeight: nextHeight
-      });
-      editor.view.dispatch(tr);
-      state.rowNode = editor.view.state.doc.nodeAt(state.rowPos) ?? state.rowNode;
-      const refreshedRow = state.tableElement.rows.item(state.rowElement.rowIndex);
-      if (refreshedRow instanceof HTMLTableRowElement) {
-        state.rowElement = refreshedRow;
-        const refreshedCell = refreshedRow.cells.item(state.cellIndex);
-        if (refreshedCell instanceof HTMLTableCellElement) {
-          state.cellElement = refreshedCell;
-        }
-      }
       document.body.style.cursor = "row-resize";
       showRowGuide(state.tableElement, state.rowElement, state.cellElement);
     };
@@ -32330,7 +32403,16 @@ var UEditor = import_react52.default.forwardRef(({
         MIN_TABLE_ROW_HEIGHT,
         Math.round(state.startHeight + (event.clientY - state.startY))
       );
+      const rowNode = editor.view.state.doc.nodeAt(state.rowPos) ?? state.rowNode;
       clearPreviewRowHeight(state.rowElement);
+      if (rowNode.attrs.rowHeight !== nextHeight) {
+        const tr = editor.view.state.tr;
+        tr.setNodeMarkup(state.rowPos, void 0, {
+          ...rowNode.attrs,
+          rowHeight: nextHeight
+        });
+        editor.view.dispatch(tr);
+      }
       rowResizeStateRef.current = null;
       document.body.style.cursor = "";
       clearHoveredTableCell();
@@ -32418,6 +32500,8 @@ var UEditor = import_react52.default.forwardRef(({
             variant,
             uploadImage,
             imageInsertMode,
+            maxImageFileSize,
+            allowedImageMimeTypes,
             fontFamilies,
             fontSizes,
             lineHeights,