@vlian/framework 1.0.0

package/dist/utils/runtimeSecurity.js

@@ -0,0 +1,143 @@
+import { SecurityUtils } from "./security";
+/**
+ * 运行时安全工具类
+ */ export class RuntimeSecurity {
+    /**
+   * 应用 CSP
+   * 
+   * 注意：通过 meta 标签设置 CSP 不如 HTTP 头安全，建议在服务器端设置 CSP 头。
+   * 此方法仅作为补充措施。
+   */ static applyCSP(config) {
+        if (typeof document === 'undefined') {
+            return;
+        }
+        try {
+            const cspHeader = SecurityUtils.generateCSP(config);
+            // 创建或更新 meta 标签
+            let metaCSP = document.querySelector('meta[http-equiv="Content-Security-Policy"]');
+            if (!metaCSP) {
+                metaCSP = document.createElement('meta');
+                metaCSP.setAttribute('http-equiv', 'Content-Security-Policy');
+                // 插入到 head 的开头，确保优先级
+                document.head.insertBefore(metaCSP, document.head.firstChild);
+            }
+            metaCSP.setAttribute('content', cspHeader);
+            // 添加 CSP 违规报告（如果支持）
+            if (typeof window !== 'undefined' && 'reporting' in window) {
+                // 可以添加 CSP 违规监听器
+                window.addEventListener('securitypolicyviolation', (event)=>{
+                    console.warn('CSP 违规:', {
+                        violatedDirective: event.violatedDirective,
+                        blockedURI: event.blockedURI
+                    });
+                });
+            }
+        } catch (error) {
+            console.error('应用 CSP 失败:', error);
+        }
+    }
+    /**
+   * 应用安全头（通过 meta 标签，实际应该由服务器设置）
+   */ static applySecurityHeaders(config) {
+        if (typeof document === 'undefined') {
+            return;
+        }
+        // X-Frame-Options
+        if (config.xFrameOptions) {
+            let meta = document.querySelector('meta[http-equiv="X-Frame-Options"]');
+            if (!meta) {
+                meta = document.createElement('meta');
+                meta.setAttribute('http-equiv', 'X-Frame-Options');
+                document.head.appendChild(meta);
+            }
+            meta.setAttribute('content', config.xFrameOptions);
+        }
+        // X-Content-Type-Options
+        if (config.xContentTypeOptions !== false) {
+            let meta = document.querySelector('meta[http-equiv="X-Content-Type-Options"]');
+            if (!meta) {
+                meta = document.createElement('meta');
+                meta.setAttribute('http-equiv', 'X-Content-Type-Options');
+                document.head.appendChild(meta);
+            }
+            meta.setAttribute('content', 'nosniff');
+        }
+        // X-XSS-Protection
+        if (config.xXSSProtection !== false) {
+            let meta = document.querySelector('meta[http-equiv="X-XSS-Protection"]');
+            if (!meta) {
+                meta = document.createElement('meta');
+                meta.setAttribute('http-equiv', 'X-XSS-Protection');
+                document.head.appendChild(meta);
+            }
+            meta.setAttribute('content', '1; mode=block');
+        }
+        // Referrer-Policy
+        if (config.referrerPolicy) {
+            let meta = document.querySelector('meta[name="referrer"]');
+            if (!meta) {
+                meta = document.createElement('meta');
+                meta.setAttribute('name', 'referrer');
+                document.head.appendChild(meta);
+            }
+            meta.setAttribute('content', config.referrerPolicy);
+        }
+    }
+    /**
+   * 检查运行时安全
+   */ static checkRuntimeSecurity() {
+        const issues = [];
+        if (typeof window === 'undefined') {
+            return {
+                safe: true,
+                issues: []
+            };
+        }
+        // 检查是否在 HTTPS 环境下
+        if (window.location.protocol !== 'https:' && window.location.hostname !== 'localhost') {
+            issues.push('应用未在 HTTPS 环境下运行');
+        }
+        // 检查是否有危险的全局对象
+        if (window.eval) {
+            issues.push('检测到危险的 eval 函数');
+        }
+        // 检查是否有危险的 innerHTML 使用
+        // 这个检查需要在代码层面进行，这里只是示例
+        return {
+            safe: issues.length === 0,
+            issues
+        };
+    }
+    /**
+   * 初始化运行时安全
+   */ static initialize(options = {}) {
+        const { enableCSP = false, enableSecurityHeaders = false, enableRuntimeChecks = false, csp, securityHeaders } = options;
+        // 应用 CSP
+        if (enableCSP && csp) {
+            this.applyCSP(csp);
+        }
+        // 应用安全头
+        if (enableSecurityHeaders && securityHeaders) {
+            this.applySecurityHeaders(securityHeaders);
+        }
+        // 运行时检查
+        if (enableRuntimeChecks) {
+            const checkResult = this.checkRuntimeSecurity();
+            if (!checkResult.safe) {
+                console.warn('运行时安全检查发现问题:', checkResult.issues);
+            }
+        }
+    }
+    /**
+   * 验证 URL 安全性
+   */ static validateUrl(url) {
+        return SecurityUtils.isSafeUrl(url);
+    }
+    /**
+   * 验证并清理用户输入
+   */ static sanitizeUserInput(input) {
+        return SecurityUtils.validateInput(input);
+    }
+}
+
+//# sourceMappingURL=runtimeSecurity.js.map

package/dist/utils/runtimeSecurity.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/utils/runtimeSecurity.ts"],"sourcesContent":["import { SecurityUtils } from './security';\n\n/**\n * CSP 配置\n */\nexport interface CSPConfig {\n  defaultSrc?: string[];\n  scriptSrc?: string[];\n  styleSrc?: string[];\n  imgSrc?: string[];\n  connectSrc?: string[];\n  fontSrc?: string[];\n  frameSrc?: string[];\n}\n\n/**\n * 安全头配置\n */\nexport interface SecurityHeadersConfig {\n  /**\n   * Content Security Policy\n   */\n  csp?: CSPConfig | string;\n  /**\n   * X-Frame-Options\n   */\n  xFrameOptions?: 'DENY' | 'SAMEORIGIN' | 'ALLOW-FROM';\n  /**\n   * X-Content-Type-Options\n   */\n  xContentTypeOptions?: boolean;\n  /**\n   * X-XSS-Protection\n   */\n  xXSSProtection?: boolean;\n  /**\n   * Referrer-Policy\n   */\n  referrerPolicy?: 'no-referrer' | 'no-referrer-when-downgrade' | 'origin' | 'origin-when-cross-origin' | 'same-origin' | 'strict-origin' | 'strict-origin-when-cross-origin' | 'unsafe-url';\n  /**\n   * Permissions-Policy\n   */\n  permissionsPolicy?: Record<string, string[]>;\n}\n\n/**\n * 运行时安全检查选项\n */\nexport interface RuntimeSecurityOptions {\n  /**\n   * 是否启用 CSP\n   */\n  enableCSP?: boolean;\n  /**\n   * 是否启用安全头\n   */\n  enableSecurityHeaders?: boolean;\n  /**\n   * 是否启用运行时检查\n   */\n  enableRuntimeChecks?: boolean;\n  /**\n   * CSP 配置\n   */\n  csp?: CSPConfig;\n  /**\n   * 安全头配置\n   */\n  securityHeaders?: SecurityHeadersConfig;\n}\n\n/**\n * 运行时安全工具类\n */\nexport class RuntimeSecurity {\n  /**\n   * 应用 CSP\n   * \n   * 注意：通过 meta 标签设置 CSP 不如 HTTP 头安全，建议在服务器端设置 CSP 头。\n   * 此方法仅作为补充措施。\n   */\n  static applyCSP(config: CSPConfig): void {\n    if (typeof document === 'undefined') {\n      return;\n    }\n\n    try {\n      const cspHeader = SecurityUtils.generateCSP(config);\n\n      // 创建或更新 meta 标签\n      let metaCSP = document.querySelector('meta[http-equiv=\"Content-Security-Policy\"]');\n      if (!metaCSP) {\n        metaCSP = document.createElement('meta');\n        metaCSP.setAttribute('http-equiv', 'Content-Security-Policy');\n        // 插入到 head 的开头，确保优先级\n        document.head.insertBefore(metaCSP, document.head.firstChild);\n      }\n      metaCSP.setAttribute('content', cspHeader);\n\n      // 添加 CSP 违规报告（如果支持）\n      if (typeof window !== 'undefined' && 'reporting' in window) {\n        // 可以添加 CSP 违规监听器\n        window.addEventListener('securitypolicyviolation', (event) => {\n          console.warn('CSP 违规:', {\n            violatedDirective: (event as any).violatedDirective,\n            blockedURI: (event as any).blockedURI,\n          });\n        });\n      }\n    } catch (error) {\n      console.error('应用 CSP 失败:', error);\n    }\n  }\n\n  /**\n   * 应用安全头（通过 meta 标签，实际应该由服务器设置）\n   */\n  static applySecurityHeaders(config: SecurityHeadersConfig): void {\n    if (typeof document === 'undefined') {\n      return;\n    }\n\n    // X-Frame-Options\n    if (config.xFrameOptions) {\n      let meta = document.querySelector('meta[http-equiv=\"X-Frame-Options\"]');\n      if (!meta) {\n        meta = document.createElement('meta');\n        meta.setAttribute('http-equiv', 'X-Frame-Options');\n        document.head.appendChild(meta);\n      }\n      meta.setAttribute('content', config.xFrameOptions);\n    }\n\n    // X-Content-Type-Options\n    if (config.xContentTypeOptions !== false) {\n      let meta = document.querySelector('meta[http-equiv=\"X-Content-Type-Options\"]');\n      if (!meta) {\n        meta = document.createElement('meta');\n        meta.setAttribute('http-equiv', 'X-Content-Type-Options');\n        document.head.appendChild(meta);\n      }\n      meta.setAttribute('content', 'nosniff');\n    }\n\n    // X-XSS-Protection\n    if (config.xXSSProtection !== false) {\n      let meta = document.querySelector('meta[http-equiv=\"X-XSS-Protection\"]');\n      if (!meta) {\n        meta = document.createElement('meta');\n        meta.setAttribute('http-equiv', 'X-XSS-Protection');\n        document.head.appendChild(meta);\n      }\n      meta.setAttribute('content', '1; mode=block');\n    }\n\n    // Referrer-Policy\n    if (config.referrerPolicy) {\n      let meta = document.querySelector('meta[name=\"referrer\"]');\n      if (!meta) {\n        meta = document.createElement('meta');\n        meta.setAttribute('name', 'referrer');\n        document.head.appendChild(meta);\n      }\n      meta.setAttribute('content', config.referrerPolicy);\n    }\n  }\n\n  /**\n   * 检查运行时安全\n   */\n  static checkRuntimeSecurity(): {\n    safe: boolean;\n    issues: string[];\n  } {\n    const issues: string[] = [];\n\n    if (typeof window === 'undefined') {\n      return { safe: true, issues: [] };\n    }\n\n    // 检查是否在 HTTPS 环境下\n    if (window.location.protocol !== 'https:' && window.location.hostname !== 'localhost') {\n      issues.push('应用未在 HTTPS 环境下运行');\n    }\n\n    // 检查是否有危险的全局对象\n    if ((window as any).eval) {\n      issues.push('检测到危险的 eval 函数');\n    }\n\n    // 检查是否有危险的 innerHTML 使用\n    // 这个检查需要在代码层面进行，这里只是示例\n\n    return {\n      safe: issues.length === 0,\n      issues,\n    };\n  }\n\n  /**\n   * 初始化运行时安全\n   */\n  static initialize(options: RuntimeSecurityOptions = {}): void {\n    const {\n      enableCSP = false,\n      enableSecurityHeaders = false,\n      enableRuntimeChecks = false,\n      csp,\n      securityHeaders,\n    } = options;\n\n    // 应用 CSP\n    if (enableCSP && csp) {\n      this.applyCSP(csp);\n    }\n\n    // 应用安全头\n    if (enableSecurityHeaders && securityHeaders) {\n      this.applySecurityHeaders(securityHeaders);\n    }\n\n    // 运行时检查\n    if (enableRuntimeChecks) {\n      const checkResult = this.checkRuntimeSecurity();\n      if (!checkResult.safe) {\n        console.warn('运行时安全检查发现问题:', checkResult.issues);\n      }\n    }\n  }\n\n  /**\n   * 验证 URL 安全性\n   */\n  static validateUrl(url: string): boolean {\n    return SecurityUtils.isSafeUrl(url);\n  }\n\n  /**\n   * 验证并清理用户输入\n   */\n  static sanitizeUserInput(input: unknown): {\n    safe: boolean;\n    sanitized?: string;\n  } {\n    return SecurityUtils.validateInput(input);\n  }\n}\n"],"names":["SecurityUtils","RuntimeSecurity","applyCSP","config","document","cspHeader","generateCSP","metaCSP","querySelector","createElement","setAttribute","head","insertBefore","firstChild","window","addEventListener","event","console","warn","violatedDirective","blockedURI","error","applySecurityHeaders","xFrameOptions","meta","appendChild","xContentTypeOptions","xXSSProtection","referrerPolicy","checkRuntimeSecurity","issues","safe","location","protocol","hostname","push","eval","length","initialize","options","enableCSP","enableSecurityHeaders","enableRuntimeChecks","csp","securityHeaders","checkResult","validateUrl","url","isSafeUrl","sanitizeUserInput","input","validateInput"],"mappings":"AAAA,SAASA,aAAa,QAAQ,aAAa;AAuE3C;;CAEC,GACD,OAAO,MAAMC;IACX;;;;;GAKC,GACD,OAAOC,SAASC,MAAiB,EAAQ;QACvC,IAAI,OAAOC,aAAa,aAAa;YACnC;QACF;QAEA,IAAI;YACF,MAAMC,YAAYL,cAAcM,WAAW,CAACH;YAE5C,gBAAgB;YAChB,IAAII,UAAUH,SAASI,aAAa,CAAC;YACrC,IAAI,CAACD,SAAS;gBACZA,UAAUH,SAASK,aAAa,CAAC;gBACjCF,QAAQG,YAAY,CAAC,cAAc;gBACnC,qBAAqB;gBACrBN,SAASO,IAAI,CAACC,YAAY,CAACL,SAASH,SAASO,IAAI,CAACE,UAAU;YAC9D;YACAN,QAAQG,YAAY,CAAC,WAAWL;YAEhC,oBAAoB;YACpB,IAAI,OAAOS,WAAW,eAAe,eAAeA,QAAQ;gBAC1D,iBAAiB;gBACjBA,OAAOC,gBAAgB,CAAC,2BAA2B,CAACC;oBAClDC,QAAQC,IAAI,CAAC,WAAW;wBACtBC,mBAAmB,AAACH,MAAcG,iBAAiB;wBACnDC,YAAY,AAACJ,MAAcI,UAAU;oBACvC;gBACF;YACF;QACF,EAAE,OAAOC,OAAO;YACdJ,QAAQI,KAAK,CAAC,cAAcA;QAC9B;IACF;IAEA;;GAEC,GACD,OAAOC,qBAAqBnB,MAA6B,EAAQ;QAC/D,IAAI,OAAOC,aAAa,aAAa;YACnC;QACF;QAEA,kBAAkB;QAClB,IAAID,OAAOoB,aAAa,EAAE;YACxB,IAAIC,OAAOpB,SAASI,aAAa,CAAC;YAClC,IAAI,CAACgB,MAAM;gBACTA,OAAOpB,SAASK,aAAa,CAAC;gBAC9Be,KAAKd,YAAY,CAAC,cAAc;gBAChCN,SAASO,IAAI,CAACc,WAAW,CAACD;YAC5B;YACAA,KAAKd,YAAY,CAAC,WAAWP,OAAOoB,aAAa;QACnD;QAEA,yBAAyB;QACzB,IAAIpB,OAAOuB,mBAAmB,KAAK,OAAO;YACxC,IAAIF,OAAOpB,SAASI,aAAa,CAAC;YAClC,IAAI,CAACgB,MAAM;gBACTA,OAAOpB,SAASK,aAAa,CAAC;gBAC9Be,KAAKd,YAAY,CAAC,cAAc;gBAChCN,SAASO,IAAI,CAACc,WAAW,CAACD;YAC5B;YACAA,KAAKd,YAAY,CAAC,WAAW;QAC/B;QAEA,mBAAmB;QACnB,IAAIP,OAAOwB,cAAc,KAAK,OAAO;YACnC,IAAIH,OAAOpB,SAASI,aAAa,CAAC;YAClC,IAAI,CAACgB,MAAM;gBACTA,OAAOpB,SAASK,aAAa,CAAC;gBAC9Be,KAAKd,YAAY,CAAC,cAAc;gBAChCN,SAASO,IAAI,CAACc,WAAW,CAACD;YAC5B;YACAA,KAAKd,YAAY,CAAC,WAAW;QAC/B;QAEA,kBAAkB;QAClB,IAAIP,OAAOyB,cAAc,EAAE;YACzB,IAAIJ,OAAOpB,SAASI,aAAa,CAAC;YAClC,IAAI,CAACgB,MAAM;gBACTA,OAAOpB,SAASK,aAAa,CAAC;gBAC9Be,KAAKd,YAAY,CAAC,QAAQ;gBAC1BN,SAASO,IAAI,CAACc,WAAW,CAACD;YAC5B;YACAA,KAAKd,YAAY,CAAC,WAAWP,OAAOyB,cAAc;QACpD;IACF;IAEA;;GAEC,GACD,OAAOC,uBAGL;QACA,MAAMC,SAAmB,EAAE;QAE3B,IAAI,OAAOhB,WAAW,aAAa;YACjC,OAAO;gBAAEiB,MAAM;gBAAMD,QAAQ,EAAE;YAAC;QAClC;QAEA,kBAAkB;QAClB,IAAIhB,OAAOkB,QAAQ,CAACC,QAAQ,KAAK,YAAYnB,OAAOkB,QAAQ,CAACE,QAAQ,KAAK,aAAa;YACrFJ,OAAOK,IAAI,CAAC;QACd;QAEA,eAAe;QACf,IAAI,AAACrB,OAAesB,IAAI,EAAE;YACxBN,OAAOK,IAAI,CAAC;QACd;QAEA,wBAAwB;QACxB,uBAAuB;QAEvB,OAAO;YACLJ,MAAMD,OAAOO,MAAM,KAAK;YACxBP;QACF;IACF;IAEA;;GAEC,GACD,OAAOQ,WAAWC,UAAkC,CAAC,CAAC,EAAQ;QAC5D,MAAM,EACJC,YAAY,KAAK,EACjBC,wBAAwB,KAAK,EAC7BC,sBAAsB,KAAK,EAC3BC,GAAG,EACHC,eAAe,EAChB,GAAGL;QAEJ,SAAS;QACT,IAAIC,aAAaG,KAAK;YACpB,IAAI,CAACzC,QAAQ,CAACyC;QAChB;QAEA,QAAQ;QACR,IAAIF,yBAAyBG,iBAAiB;YAC5C,IAAI,CAACtB,oBAAoB,CAACsB;QAC5B;QAEA,QAAQ;QACR,IAAIF,qBAAqB;YACvB,MAAMG,cAAc,IAAI,CAAChB,oBAAoB;YAC7C,IAAI,CAACgB,YAAYd,IAAI,EAAE;gBACrBd,QAAQC,IAAI,CAAC,gBAAgB2B,YAAYf,MAAM;YACjD;QACF;IACF;IAEA;;GAEC,GACD,OAAOgB,YAAYC,GAAW,EAAW;QACvC,OAAO/C,cAAcgD,SAAS,CAACD;IACjC;IAEA;;GAEC,GACD,OAAOE,kBAAkBC,KAAc,EAGrC;QACA,OAAOlD,cAAcmD,aAAa,CAACD;IACrC;AACF"}

package/dist/utils/security.cjs

@@ -0,0 +1,332 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+function _export(target, all) {
+    for(var name in all)Object.defineProperty(target, name, {
+        enumerable: true,
+        get: Object.getOwnPropertyDescriptor(all, name).get
+    });
+}
+_export(exports, {
+    get SENSITIVE_FIELDS () {
+        return SENSITIVE_FIELDS;
+    },
+    get SecurityUtils () {
+        return SecurityUtils;
+    }
+});
+const _dompurify = /*#__PURE__*/ _interop_require_default(require("dompurify"));
+const _errors = require("./errors");
+function _interop_require_default(obj) {
+    return obj && obj.__esModule ? obj : {
+        default: obj
+    };
+}
+const SENSITIVE_FIELDS = [
+    'password',
+    'pwd',
+    'passwd',
+    'token',
+    'secret',
+    'key',
+    'apiKey',
+    'apikey',
+    'api_key',
+    'accessToken',
+    'access_token',
+    'refreshToken',
+    'refresh_token',
+    'authorization',
+    'auth',
+    'cookie',
+    'session',
+    'sessionId',
+    'session_id',
+    'creditCard',
+    'credit_card',
+    'cardNumber',
+    'card_number',
+    'cvv',
+    'cvc',
+    'ssn',
+    'socialSecurityNumber',
+    'social_security_number',
+    'phone',
+    'phoneNumber',
+    'phone_number',
+    'mobile',
+    'email',
+    'emailAddress',
+    'email_address',
+    'privateKey',
+    'private_key',
+    'secretKey',
+    'secret_key',
+    'apiSecret',
+    'api_secret'
+];
+/**
+ * 敏感信息检测模式（正则表达式）
+ */ const SENSITIVE_PATTERNS = [
+    /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/,
+    /\b\d{3}-\d{2}-\d{4}\b/,
+    /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/,
+    /\b\d{10,}\b/
+];
+let SecurityUtils = class SecurityUtils {
+    /**
+   * 清理 HTML，防止 XSS 攻击
+   */ static sanitizeHTML(html, config) {
+        if (typeof window === 'undefined') {
+            // Node.js 环境，返回原始字符串（需要服务端处理）
+            return html;
+        }
+        try {
+            if (config?.allowHTML) {
+                // 默认禁止所有标签，除非明确允许
+                const allowedTags = config.allowedTags && config.allowedTags.length > 0 ? config.allowedTags : [];
+                const allowedAttributes = config.allowedAttributes && config.allowedAttributes.length > 0 ? config.allowedAttributes : [];
+                return _dompurify.default.sanitize(html, {
+                    ALLOWED_TAGS: allowedTags,
+                    ALLOWED_ATTR: allowedAttributes,
+                    FORBID_TAGS: [
+                        'script',
+                        'iframe',
+                        'object',
+                        'embed',
+                        'form',
+                        'link',
+                        'meta',
+                        'style'
+                    ],
+                    FORBID_ATTR: [
+                        'onerror',
+                        'onload',
+                        'onclick',
+                        'onmouseover',
+                        'onfocus',
+                        'onblur',
+                        'onchange'
+                    ],
+                    // 添加更多安全配置
+                    KEEP_CONTENT: false,
+                    RETURN_DOM: false,
+                    RETURN_DOM_FRAGMENT: false,
+                    RETURN_TRUSTED_TYPE: false
+                });
+            }
+            // 默认模式：完全清理，不允许任何 HTML
+            return _dompurify.default.sanitize(html, {
+                ALLOWED_TAGS: [],
+                KEEP_CONTENT: false
+            });
+        } catch (error) {
+            // 错误处理：不泄露敏感信息，记录错误但不抛出详细错误
+            const errorMessage = error instanceof Error ? error.message : 'Unknown error';
+            // 只记录错误类型，不记录具体内容
+            console.error('HTML 清理失败:', errorMessage.substring(0, 50));
+            // 返回安全的空字符串或清理后的文本
+            return this.sanitizeText(html);
+        }
+    }
+    /**
+   * 清理文本内容（移除所有 HTML 标签）
+   */ static sanitizeText(text) {
+        if (typeof window === 'undefined') {
+            return text.replace(/<[^>]*>/g, '');
+        }
+        try {
+            return _dompurify.default.sanitize(text, {
+                ALLOWED_TAGS: []
+            });
+        } catch (error) {
+            throw new _errors.SecurityError('文本清理失败', error instanceof Error ? error : undefined);
+        }
+    }
+    /**
+   * 检查字符串是否包含潜在的危险内容
+   */ static containsDangerousContent(text) {
+        const dangerousPatterns = [
+            /<script[\s\S]*?>[\s\S]*?<\/script>/gi,
+            /javascript:/gi,
+            /on\w+\s*=/gi,
+            /<iframe[\s\S]*?>/gi,
+            /<object[\s\S]*?>/gi,
+            /<embed[\s\S]*?>/gi,
+            /<link[\s\S]*?>/gi,
+            /<meta[\s\S]*?>/gi,
+            /data:text\/html/gi,
+            /vbscript:/gi,
+            /expression\s*\(/gi,
+            /@import/gi,
+            /<style[\s\S]*?>[\s\S]*?<\/style>/gi
+        ];
+        return dangerousPatterns.some((pattern)=>pattern.test(text));
+    }
+    /**
+   * 验证 URL 是否安全
+   */ static isSafeUrl(url) {
+        try {
+            const urlObj = new URL(url);
+            // 检查协议
+            if (![
+                'http:',
+                'https:'
+            ].includes(urlObj.protocol)) {
+                return false;
+            }
+            // 检查是否包含危险内容
+            return !this.containsDangerousContent(url);
+        } catch  {
+            return false;
+        }
+    }
+    /**
+   * 检查字段名是否为敏感字段
+   */ static isSensitiveField(fieldName) {
+        const lowerFieldName = fieldName.toLowerCase();
+        return SENSITIVE_FIELDS.some((field)=>lowerFieldName.includes(field.toLowerCase()));
+    }
+    /**
+   * 检查值是否包含敏感信息（基于模式匹配）
+   */ static containsSensitiveData(value) {
+        return SENSITIVE_PATTERNS.some((pattern)=>pattern.test(value));
+    }
+    /**
+   * 生成 CSP（Content Security Policy）头
+   */ static generateCSP(config) {
+        const directives = [];
+        const allowUnsafeInline = config?.allowUnsafeInline ?? false;
+        const allowUnsafeEval = config?.allowUnsafeEval ?? false;
+        if (config?.defaultSrc) {
+            directives.push(`default-src ${config.defaultSrc.join(' ')}`);
+        } else {
+            directives.push("default-src 'self'");
+        }
+        if (config?.scriptSrc) {
+            directives.push(`script-src ${config.scriptSrc.join(' ')}`);
+        } else {
+            // 默认不允许 unsafe-inline 和 unsafe-eval，提高安全性
+            const scriptSrc = [
+                "'self'"
+            ];
+            if (allowUnsafeInline) {
+                scriptSrc.push("'unsafe-inline'");
+            }
+            if (allowUnsafeEval) {
+                scriptSrc.push("'unsafe-eval'");
+            }
+            directives.push(`script-src ${scriptSrc.join(' ')}`);
+        }
+        if (config?.styleSrc) {
+            directives.push(`style-src ${config.styleSrc.join(' ')}`);
+        } else {
+            // 对于样式，可以使用 nonce 或 hash 替代 unsafe-inline
+            const styleSrc = [
+                "'self'"
+            ];
+            if (allowUnsafeInline) {
+                styleSrc.push("'unsafe-inline'");
+            }
+            directives.push(`style-src ${styleSrc.join(' ')}`);
+        }
+        if (config?.imgSrc) {
+            directives.push(`img-src ${config.imgSrc.join(' ')}`);
+        } else {
+            directives.push("img-src 'self' data: https:");
+        }
+        if (config?.connectSrc) {
+            directives.push(`connect-src ${config.connectSrc.join(' ')}`);
+        } else {
+            directives.push("connect-src 'self'");
+        }
+        if (config?.fontSrc) {
+            directives.push(`font-src ${config.fontSrc.join(' ')}`);
+        } else {
+            directives.push("font-src 'self' data:");
+        }
+        if (config?.frameSrc) {
+            directives.push(`frame-src ${config.frameSrc.join(' ')}`);
+        } else {
+            directives.push("frame-src 'none'");
+        }
+        return directives.join('; ');
+    }
+    /**
+   * 转义 HTML 特殊字符
+   */ static escapeHTML(text) {
+        const map = {
+            '&': '&amp;',
+            '<': '&lt;',
+            '>': '&gt;',
+            '"': '&quot;',
+            "'": '&#039;'
+        };
+        return text.replace(/[&<>"']/g, (char)=>map[char]);
+    }
+    /**
+   * 验证输入是否安全
+   */ static validateInput(input) {
+        if (typeof input !== 'string') {
+            return {
+                safe: true
+            };
+        }
+        if (this.containsDangerousContent(input)) {
+            return {
+                safe: false,
+                sanitized: this.sanitizeText(input),
+                reason: '包含潜在的危险内容'
+            };
+        }
+        // 检查是否包含敏感数据模式
+        if (this.containsSensitiveData(input)) {
+            return {
+                safe: false,
+                sanitized: this.sanitizeText(input),
+                reason: '可能包含敏感信息'
+            };
+        }
+        return {
+            safe: true,
+            sanitized: input
+        };
+    }
+    /**
+   * 深度脱敏处理（递归处理嵌套对象）
+   */ static deepSanitize(data, maxDepth = 10, currentDepth = 0) {
+        if (currentDepth >= maxDepth) {
+            return '***'; // 防止无限递归
+        }
+        if (data === null || data === undefined) {
+            return data;
+        }
+        if (typeof data === 'string') {
+            if (this.containsDangerousContent(data) || this.containsSensitiveData(data)) {
+                return this.sanitizeText(data);
+            }
+            return data;
+        }
+        if (typeof data === 'number' || typeof data === 'boolean') {
+            return data;
+        }
+        if (Array.isArray(data)) {
+            return data.map((item)=>this.deepSanitize(item, maxDepth, currentDepth + 1));
+        }
+        if (typeof data === 'object') {
+            const sanitized = {};
+            for (const [key, value] of Object.entries(data)){
+                if (this.isSensitiveField(key)) {
+                    sanitized[key] = '***';
+                } else {
+                    sanitized[key] = this.deepSanitize(value, maxDepth, currentDepth + 1);
+                }
+            }
+            return sanitized;
+        }
+        return data;
+    }
+};
+
+//# sourceMappingURL=security.js.map

package/dist/utils/security.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/utils/security.ts"],"sourcesContent":["import DOMPurify from 'dompurify';\nimport { SecurityError } from './errors';\n\n/**\n * XSS 防护配置\n */\nexport interface XSSConfig {\n  /**\n   * 是否允许 HTML 标签\n   */\n  allowHTML?: boolean;\n  /**\n   * 允许的 HTML 标签列表\n   */\n  allowedTags?: string[];\n  /**\n   * 允许的 HTML 属性列表\n   */\n  allowedAttributes?: string[];\n}\n\n/**\n * 敏感数据标识（扩展列表）\n */\nexport const SENSITIVE_FIELDS = [\n  'password',\n  'pwd',\n  'passwd',\n  'token',\n  'secret',\n  'key',\n  'apiKey',\n  'apikey',\n  'api_key',\n  'accessToken',\n  'access_token',\n  'refreshToken',\n  'refresh_token',\n  'authorization',\n  'auth',\n  'cookie',\n  'session',\n  'sessionId',\n  'session_id',\n  'creditCard',\n  'credit_card',\n  'cardNumber',\n  'card_number',\n  'cvv',\n  'cvc',\n  'ssn',\n  'socialSecurityNumber',\n  'social_security_number',\n  'phone',\n  'phoneNumber',\n  'phone_number',\n  'mobile',\n  'email',\n  'emailAddress',\n  'email_address',\n  'privateKey',\n  'private_key',\n  'secretKey',\n  'secret_key',\n  'apiSecret',\n  'api_secret',\n] as const;\n\n/**\n * 敏感信息检测模式（正则表达式）\n */\nconst SENSITIVE_PATTERNS = [\n  /\\b\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b/, // 信用卡号\n  /\\b\\d{3}-\\d{2}-\\d{4}\\b/, // SSN\n  /\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b/, // 邮箱（可选，根据需求决定是否脱敏）\n  /\\b\\d{10,}\\b/, // 长数字（可能是敏感信息）\n] as const;\n\n/**\n * 安全工具类\n */\nexport class SecurityUtils {\n  /**\n   * 清理 HTML，防止 XSS 攻击\n   */\n  static sanitizeHTML(html: string, config?: XSSConfig): string {\n    if (typeof window === 'undefined') {\n      // Node.js 环境，返回原始字符串（需要服务端处理）\n      return html;\n    }\n\n    try {\n      if (config?.allowHTML) {\n        // 默认禁止所有标签，除非明确允许\n        const allowedTags = config.allowedTags && config.allowedTags.length > 0 \n          ? config.allowedTags \n          : [];\n        const allowedAttributes = config.allowedAttributes && config.allowedAttributes.length > 0\n          ? config.allowedAttributes\n          : [];\n        \n        return DOMPurify.sanitize(html, {\n          ALLOWED_TAGS: allowedTags,\n          ALLOWED_ATTR: allowedAttributes,\n          FORBID_TAGS: ['script', 'iframe', 'object', 'embed', 'form', 'link', 'meta', 'style'],\n          FORBID_ATTR: ['onerror', 'onload', 'onclick', 'onmouseover', 'onfocus', 'onblur', 'onchange'],\n          // 添加更多安全配置\n          KEEP_CONTENT: false,\n          RETURN_DOM: false,\n          RETURN_DOM_FRAGMENT: false,\n          RETURN_TRUSTED_TYPE: false,\n        });\n      }\n      // 默认模式：完全清理，不允许任何 HTML\n      return DOMPurify.sanitize(html, { \n        ALLOWED_TAGS: [],\n        KEEP_CONTENT: false,\n      });\n    } catch (error) {\n      // 错误处理：不泄露敏感信息，记录错误但不抛出详细错误\n      const errorMessage = error instanceof Error ? error.message : 'Unknown error';\n      // 只记录错误类型，不记录具体内容\n      console.error('HTML 清理失败:', errorMessage.substring(0, 50));\n      // 返回安全的空字符串或清理后的文本\n      return this.sanitizeText(html);\n    }\n  }\n\n  /**\n   * 清理文本内容（移除所有 HTML 标签）\n   */\n  static sanitizeText(text: string): string {\n    if (typeof window === 'undefined') {\n      return text.replace(/<[^>]*>/g, '');\n    }\n\n    try {\n      return DOMPurify.sanitize(text, { ALLOWED_TAGS: [] });\n    } catch (error) {\n      throw new SecurityError('文本清理失败', error instanceof Error ? error : undefined);\n    }\n  }\n\n  /**\n   * 检查字符串是否包含潜在的危险内容\n   */\n  static containsDangerousContent(text: string): boolean {\n    const dangerousPatterns = [\n      /<script[\\s\\S]*?>[\\s\\S]*?<\\/script>/gi,\n      /javascript:/gi,\n      /on\\w+\\s*=/gi,\n      /<iframe[\\s\\S]*?>/gi,\n      /<object[\\s\\S]*?>/gi,\n      /<embed[\\s\\S]*?>/gi,\n      /<link[\\s\\S]*?>/gi,\n      /<meta[\\s\\S]*?>/gi,\n      /data:text\\/html/gi,\n      /vbscript:/gi,\n      /expression\\s*\\(/gi,\n      /@import/gi,\n      /<style[\\s\\S]*?>[\\s\\S]*?<\\/style>/gi,\n    ];\n\n    return dangerousPatterns.some((pattern) => pattern.test(text));\n  }\n\n  /**\n   * 验证 URL 是否安全\n   */\n  static isSafeUrl(url: string): boolean {\n    try {\n      const urlObj = new URL(url);\n      // 检查协议\n      if (!['http:', 'https:'].includes(urlObj.protocol)) {\n        return false;\n      }\n      // 检查是否包含危险内容\n      return !this.containsDangerousContent(url);\n    } catch {\n      return false;\n    }\n  }\n\n  /**\n   * 检查字段名是否为敏感字段\n   */\n  static isSensitiveField(fieldName: string): boolean {\n    const lowerFieldName = fieldName.toLowerCase();\n    return SENSITIVE_FIELDS.some((field) => lowerFieldName.includes(field.toLowerCase()));\n  }\n\n  /**\n   * 检查值是否包含敏感信息（基于模式匹配）\n   */\n  static containsSensitiveData(value: string): boolean {\n    return SENSITIVE_PATTERNS.some((pattern) => pattern.test(value));\n  }\n\n  /**\n   * 生成 CSP（Content Security Policy）头\n   */\n  static generateCSP(config?: {\n    defaultSrc?: string[];\n    scriptSrc?: string[];\n    styleSrc?: string[];\n    imgSrc?: string[];\n    connectSrc?: string[];\n    fontSrc?: string[];\n    frameSrc?: string[];\n    allowUnsafeInline?: boolean; // 是否允许 unsafe-inline（不推荐）\n    allowUnsafeEval?: boolean; // 是否允许 unsafe-eval（不推荐）\n  }): string {\n    const directives: string[] = [];\n    const allowUnsafeInline = config?.allowUnsafeInline ?? false;\n    const allowUnsafeEval = config?.allowUnsafeEval ?? false;\n\n    if (config?.defaultSrc) {\n      directives.push(`default-src ${config.defaultSrc.join(' ')}`);\n    } else {\n      directives.push(\"default-src 'self'\");\n    }\n\n    if (config?.scriptSrc) {\n      directives.push(`script-src ${config.scriptSrc.join(' ')}`);\n    } else {\n      // 默认不允许 unsafe-inline 和 unsafe-eval，提高安全性\n      const scriptSrc = [\"'self'\"];\n      if (allowUnsafeInline) {\n        scriptSrc.push(\"'unsafe-inline'\");\n      }\n      if (allowUnsafeEval) {\n        scriptSrc.push(\"'unsafe-eval'\");\n      }\n      directives.push(`script-src ${scriptSrc.join(' ')}`);\n    }\n\n    if (config?.styleSrc) {\n      directives.push(`style-src ${config.styleSrc.join(' ')}`);\n    } else {\n      // 对于样式，可以使用 nonce 或 hash 替代 unsafe-inline\n      const styleSrc = [\"'self'\"];\n      if (allowUnsafeInline) {\n        styleSrc.push(\"'unsafe-inline'\");\n      }\n      directives.push(`style-src ${styleSrc.join(' ')}`);\n    }\n\n    if (config?.imgSrc) {\n      directives.push(`img-src ${config.imgSrc.join(' ')}`);\n    } else {\n      directives.push(\"img-src 'self' data: https:\");\n    }\n\n    if (config?.connectSrc) {\n      directives.push(`connect-src ${config.connectSrc.join(' ')}`);\n    } else {\n      directives.push(\"connect-src 'self'\");\n    }\n\n    if (config?.fontSrc) {\n      directives.push(`font-src ${config.fontSrc.join(' ')}`);\n    } else {\n      directives.push(\"font-src 'self' data:\");\n    }\n\n    if (config?.frameSrc) {\n      directives.push(`frame-src ${config.frameSrc.join(' ')}`);\n    } else {\n      directives.push(\"frame-src 'none'\");\n    }\n\n    return directives.join('; ');\n  }\n\n  /**\n   * 转义 HTML 特殊字符\n   */\n  static escapeHTML(text: string): string {\n    const map: Record<string, string> = {\n      '&': '&amp;',\n      '<': '&lt;',\n      '>': '&gt;',\n      '\"': '&quot;',\n      \"'\": '&#039;',\n    };\n    return text.replace(/[&<>\"']/g, (char) => map[char]);\n  }\n\n  /**\n   * 验证输入是否安全\n   */\n  static validateInput(input: unknown): {\n    safe: boolean;\n    sanitized?: string;\n    reason?: string;\n  } {\n    if (typeof input !== 'string') {\n      return { safe: true };\n    }\n\n    if (this.containsDangerousContent(input)) {\n      return {\n        safe: false,\n        sanitized: this.sanitizeText(input),\n        reason: '包含潜在的危险内容',\n      };\n    }\n\n    // 检查是否包含敏感数据模式\n    if (this.containsSensitiveData(input)) {\n      return {\n        safe: false,\n        sanitized: this.sanitizeText(input),\n        reason: '可能包含敏感信息',\n      };\n    }\n\n    return { safe: true, sanitized: input };\n  }\n\n  /**\n   * 深度脱敏处理（递归处理嵌套对象）\n   */\n  static deepSanitize(data: unknown, maxDepth: number = 10, currentDepth: number = 0): unknown {\n    if (currentDepth >= maxDepth) {\n      return '***'; // 防止无限递归\n    }\n\n    if (data === null || data === undefined) {\n      return data;\n    }\n\n    if (typeof data === 'string') {\n      if (this.containsDangerousContent(data) || this.containsSensitiveData(data)) {\n        return this.sanitizeText(data);\n      }\n      return data;\n    }\n\n    if (typeof data === 'number' || typeof data === 'boolean') {\n      return data;\n    }\n\n    if (Array.isArray(data)) {\n      return data.map((item) => this.deepSanitize(item, maxDepth, currentDepth + 1));\n    }\n\n    if (typeof data === 'object') {\n      const sanitized: Record<string, unknown> = {};\n      for (const [key, value] of Object.entries(data)) {\n        if (this.isSensitiveField(key)) {\n          sanitized[key] = '***';\n        } else {\n          sanitized[key] = this.deepSanitize(value, maxDepth, currentDepth + 1);\n        }\n      }\n      return sanitized;\n    }\n\n    return data;\n  }\n}\n"],"names":["SENSITIVE_FIELDS","SecurityUtils","SENSITIVE_PATTERNS","sanitizeHTML","html","config","window","allowHTML","allowedTags","length","allowedAttributes","DOMPurify","sanitize","ALLOWED_TAGS","ALLOWED_ATTR","FORBID_TAGS","FORBID_ATTR","KEEP_CONTENT","RETURN_DOM","RETURN_DOM_FRAGMENT","RETURN_TRUSTED_TYPE","error","errorMessage","Error","message","console","substring","sanitizeText","text","replace","SecurityError","undefined","containsDangerousContent","dangerousPatterns","some","pattern","test","isSafeUrl","url","urlObj","URL","includes","protocol","isSensitiveField","fieldName","lowerFieldName","toLowerCase","field","containsSensitiveData","value","generateCSP","directives","allowUnsafeInline","allowUnsafeEval","defaultSrc","push","join","scriptSrc","styleSrc","imgSrc","connectSrc","fontSrc","frameSrc","escapeHTML","map","char","validateInput","input","safe","sanitized","reason","deepSanitize","data","maxDepth","currentDepth","Array","isArray","item","key","Object","entries"],"mappings":";;;;;;;;;;;QAwBaA;eAAAA;;QAyDAC;eAAAA;;;kEAjFS;wBACQ;;;;;;AAuBvB,MAAMD,mBAAmB;IAC9B;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;CACD;AAED;;CAEC,GACD,MAAME,qBAAqB;IACzB;IACA;IACA;IACA;CACD;AAKM,IAAA,AAAMD,gBAAN,MAAMA;IACX;;GAEC,GACD,OAAOE,aAAaC,IAAY,EAAEC,MAAkB,EAAU;QAC5D,IAAI,OAAOC,WAAW,aAAa;YACjC,8BAA8B;YAC9B,OAAOF;QACT;QAEA,IAAI;YACF,IAAIC,QAAQE,WAAW;gBACrB,kBAAkB;gBAClB,MAAMC,cAAcH,OAAOG,WAAW,IAAIH,OAAOG,WAAW,CAACC,MAAM,GAAG,IAClEJ,OAAOG,WAAW,GAClB,EAAE;gBACN,MAAME,oBAAoBL,OAAOK,iBAAiB,IAAIL,OAAOK,iBAAiB,CAACD,MAAM,GAAG,IACpFJ,OAAOK,iBAAiB,GACxB,EAAE;gBAEN,OAAOC,kBAAS,CAACC,QAAQ,CAACR,MAAM;oBAC9BS,cAAcL;oBACdM,cAAcJ;oBACdK,aAAa;wBAAC;wBAAU;wBAAU;wBAAU;wBAAS;wBAAQ;wBAAQ;wBAAQ;qBAAQ;oBACrFC,aAAa;wBAAC;wBAAW;wBAAU;wBAAW;wBAAe;wBAAW;wBAAU;qBAAW;oBAC7F,WAAW;oBACXC,cAAc;oBACdC,YAAY;oBACZC,qBAAqB;oBACrBC,qBAAqB;gBACvB;YACF;YACA,uBAAuB;YACvB,OAAOT,kBAAS,CAACC,QAAQ,CAACR,MAAM;gBAC9BS,cAAc,EAAE;gBAChBI,cAAc;YAChB;QACF,EAAE,OAAOI,OAAO;YACd,4BAA4B;YAC5B,MAAMC,eAAeD,iBAAiBE,QAAQF,MAAMG,OAAO,GAAG;YAC9D,kBAAkB;YAClBC,QAAQJ,KAAK,CAAC,cAAcC,aAAaI,SAAS,CAAC,GAAG;YACtD,mBAAmB;YACnB,OAAO,IAAI,CAACC,YAAY,CAACvB;QAC3B;IACF;IAEA;;GAEC,GACD,OAAOuB,aAAaC,IAAY,EAAU;QACxC,IAAI,OAAOtB,WAAW,aAAa;YACjC,OAAOsB,KAAKC,OAAO,CAAC,YAAY;QAClC;QAEA,IAAI;YACF,OAAOlB,kBAAS,CAACC,QAAQ,CAACgB,MAAM;gBAAEf,cAAc,EAAE;YAAC;QACrD,EAAE,OAAOQ,OAAO;YACd,MAAM,IAAIS,qBAAa,CAAC,UAAUT,iBAAiBE,QAAQF,QAAQU;QACrE;IACF;IAEA;;GAEC,GACD,OAAOC,yBAAyBJ,IAAY,EAAW;QACrD,MAAMK,oBAAoB;YACxB;YACA;YACA;YACA;YACA;YACA;YACA;YACA;YACA;YACA;YACA;YACA;YACA;SACD;QAED,OAAOA,kBAAkBC,IAAI,CAAC,CAACC,UAAYA,QAAQC,IAAI,CAACR;IAC1D;IAEA;;GAEC,GACD,OAAOS,UAAUC,GAAW,EAAW;QACrC,IAAI;YACF,MAAMC,SAAS,IAAIC,IAAIF;YACvB,OAAO;YACP,IAAI,CAAC;gBAAC;gBAAS;aAAS,CAACG,QAAQ,CAACF,OAAOG,QAAQ,GAAG;gBAClD,OAAO;YACT;YACA,aAAa;YACb,OAAO,CAAC,IAAI,CAACV,wBAAwB,CAACM;QACxC,EAAE,OAAM;YACN,OAAO;QACT;IACF;IAEA;;GAEC,GACD,OAAOK,iBAAiBC,SAAiB,EAAW;QAClD,MAAMC,iBAAiBD,UAAUE,WAAW;QAC5C,OAAO9C,iBAAiBkC,IAAI,CAAC,CAACa,QAAUF,eAAeJ,QAAQ,CAACM,MAAMD,WAAW;IACnF;IAEA;;GAEC,GACD,OAAOE,sBAAsBC,KAAa,EAAW;QACnD,OAAO/C,mBAAmBgC,IAAI,CAAC,CAACC,UAAYA,QAAQC,IAAI,CAACa;IAC3D;IAEA;;GAEC,GACD,OAAOC,YAAY7C,MAUlB,EAAU;QACT,MAAM8C,aAAuB,EAAE;QAC/B,MAAMC,oBAAoB/C,QAAQ+C,qBAAqB;QACvD,MAAMC,kBAAkBhD,QAAQgD,mBAAmB;QAEnD,IAAIhD,QAAQiD,YAAY;YACtBH,WAAWI,IAAI,CAAC,CAAC,YAAY,EAAElD,OAAOiD,UAAU,CAACE,IAAI,CAAC,MAAM;QAC9D,OAAO;YACLL,WAAWI,IAAI,CAAC;QAClB;QAEA,IAAIlD,QAAQoD,WAAW;YACrBN,WAAWI,IAAI,CAAC,CAAC,WAAW,EAAElD,OAAOoD,SAAS,CAACD,IAAI,CAAC,MAAM;QAC5D,OAAO;YACL,0CAA0C;YAC1C,MAAMC,YAAY;gBAAC;aAAS;YAC5B,IAAIL,mBAAmB;gBACrBK,UAAUF,IAAI,CAAC;YACjB;YACA,IAAIF,iBAAiB;gBACnBI,UAAUF,IAAI,CAAC;YACjB;YACAJ,WAAWI,IAAI,CAAC,CAAC,WAAW,EAAEE,UAAUD,IAAI,CAAC,MAAM;QACrD;QAEA,IAAInD,QAAQqD,UAAU;YACpBP,WAAWI,IAAI,CAAC,CAAC,UAAU,EAAElD,OAAOqD,QAAQ,CAACF,IAAI,CAAC,MAAM;QAC1D,OAAO;YACL,0CAA0C;YAC1C,MAAME,WAAW;gBAAC;aAAS;YAC3B,IAAIN,mBAAmB;gBACrBM,SAASH,IAAI,CAAC;YAChB;YACAJ,WAAWI,IAAI,CAAC,CAAC,UAAU,EAAEG,SAASF,IAAI,CAAC,MAAM;QACnD;QAEA,IAAInD,QAAQsD,QAAQ;YAClBR,WAAWI,IAAI,CAAC,CAAC,QAAQ,EAAElD,OAAOsD,MAAM,CAACH,IAAI,CAAC,MAAM;QACtD,OAAO;YACLL,WAAWI,IAAI,CAAC;QAClB;QAEA,IAAIlD,QAAQuD,YAAY;YACtBT,WAAWI,IAAI,CAAC,CAAC,YAAY,EAAElD,OAAOuD,UAAU,CAACJ,IAAI,CAAC,MAAM;QAC9D,OAAO;YACLL,WAAWI,IAAI,CAAC;QAClB;QAEA,IAAIlD,QAAQwD,SAAS;YACnBV,WAAWI,IAAI,CAAC,CAAC,SAAS,EAAElD,OAAOwD,OAAO,CAACL,IAAI,CAAC,MAAM;QACxD,OAAO;YACLL,WAAWI,IAAI,CAAC;QAClB;QAEA,IAAIlD,QAAQyD,UAAU;YACpBX,WAAWI,IAAI,CAAC,CAAC,UAAU,EAAElD,OAAOyD,QAAQ,CAACN,IAAI,CAAC,MAAM;QAC1D,OAAO;YACLL,WAAWI,IAAI,CAAC;QAClB;QAEA,OAAOJ,WAAWK,IAAI,CAAC;IACzB;IAEA;;GAEC,GACD,OAAOO,WAAWnC,IAAY,EAAU;QACtC,MAAMoC,MAA8B;YAClC,KAAK;YACL,KAAK;YACL,KAAK;YACL,KAAK;YACL,KAAK;QACP;QACA,OAAOpC,KAAKC,OAAO,CAAC,YAAY,CAACoC,OAASD,GAAG,CAACC,KAAK;IACrD;IAEA;;GAEC,GACD,OAAOC,cAAcC,KAAc,EAIjC;QACA,IAAI,OAAOA,UAAU,UAAU;YAC7B,OAAO;gBAAEC,MAAM;YAAK;QACtB;QAEA,IAAI,IAAI,CAACpC,wBAAwB,CAACmC,QAAQ;YACxC,OAAO;gBACLC,MAAM;gBACNC,WAAW,IAAI,CAAC1C,YAAY,CAACwC;gBAC7BG,QAAQ;YACV;QACF;QAEA,eAAe;QACf,IAAI,IAAI,CAACtB,qBAAqB,CAACmB,QAAQ;YACrC,OAAO;gBACLC,MAAM;gBACNC,WAAW,IAAI,CAAC1C,YAAY,CAACwC;gBAC7BG,QAAQ;YACV;QACF;QAEA,OAAO;YAAEF,MAAM;YAAMC,WAAWF;QAAM;IACxC;IAEA;;GAEC,GACD,OAAOI,aAAaC,IAAa,EAAEC,WAAmB,EAAE,EAAEC,eAAuB,CAAC,EAAW;QAC3F,IAAIA,gBAAgBD,UAAU;YAC5B,OAAO,OAAO,SAAS;QACzB;QAEA,IAAID,SAAS,QAAQA,SAASzC,WAAW;YACvC,OAAOyC;QACT;QAEA,IAAI,OAAOA,SAAS,UAAU;YAC5B,IAAI,IAAI,CAACxC,wBAAwB,CAACwC,SAAS,IAAI,CAACxB,qBAAqB,CAACwB,OAAO;gBAC3E,OAAO,IAAI,CAAC7C,YAAY,CAAC6C;YAC3B;YACA,OAAOA;QACT;QAEA,IAAI,OAAOA,SAAS,YAAY,OAAOA,SAAS,WAAW;YACzD,OAAOA;QACT;QAEA,IAAIG,MAAMC,OAAO,CAACJ,OAAO;YACvB,OAAOA,KAAKR,GAAG,CAAC,CAACa,OAAS,IAAI,CAACN,YAAY,CAACM,MAAMJ,UAAUC,eAAe;QAC7E;QAEA,IAAI,OAAOF,SAAS,UAAU;YAC5B,MAAMH,YAAqC,CAAC;YAC5C,KAAK,MAAM,CAACS,KAAK7B,MAAM,IAAI8B,OAAOC,OAAO,CAACR,MAAO;gBAC/C,IAAI,IAAI,CAAC7B,gBAAgB,CAACmC,MAAM;oBAC9BT,SAAS,CAACS,IAAI,GAAG;gBACnB,OAAO;oBACLT,SAAS,CAACS,IAAI,GAAG,IAAI,CAACP,YAAY,CAACtB,OAAOwB,UAAUC,eAAe;gBACrE;YACF;YACA,OAAOL;QACT;QAEA,OAAOG;IACT;AACF"}

package/dist/utils/security.d.ts

@@ -0,0 +1,81 @@
+/**
+ * XSS 防护配置
+ */
+export interface XSSConfig {
+    /**
+     * 是否允许 HTML 标签
+     */
+    allowHTML?: boolean;
+    /**
+     * 允许的 HTML 标签列表
+     */
+    allowedTags?: string[];
+    /**
+     * 允许的 HTML 属性列表
+     */
+    allowedAttributes?: string[];
+}
+/**
+ * 敏感数据标识（扩展列表）
+ */
+export declare const SENSITIVE_FIELDS: readonly ["password", "pwd", "passwd", "token", "secret", "key", "apiKey", "apikey", "api_key", "accessToken", "access_token", "refreshToken", "refresh_token", "authorization", "auth", "cookie", "session", "sessionId", "session_id", "creditCard", "credit_card", "cardNumber", "card_number", "cvv", "cvc", "ssn", "socialSecurityNumber", "social_security_number", "phone", "phoneNumber", "phone_number", "mobile", "email", "emailAddress", "email_address", "privateKey", "private_key", "secretKey", "secret_key", "apiSecret", "api_secret"];
+/**
+ * 安全工具类
+ */
+export declare class SecurityUtils {
+    /**
+     * 清理 HTML，防止 XSS 攻击
+     */
+    static sanitizeHTML(html: string, config?: XSSConfig): string;
+    /**
+     * 清理文本内容（移除所有 HTML 标签）
+     */
+    static sanitizeText(text: string): string;
+    /**
+     * 检查字符串是否包含潜在的危险内容
+     */
+    static containsDangerousContent(text: string): boolean;
+    /**
+     * 验证 URL 是否安全
+     */
+    static isSafeUrl(url: string): boolean;
+    /**
+     * 检查字段名是否为敏感字段
+     */
+    static isSensitiveField(fieldName: string): boolean;
+    /**
+     * 检查值是否包含敏感信息（基于模式匹配）
+     */
+    static containsSensitiveData(value: string): boolean;
+    /**
+     * 生成 CSP（Content Security Policy）头
+     */
+    static generateCSP(config?: {
+        defaultSrc?: string[];
+        scriptSrc?: string[];
+        styleSrc?: string[];
+        imgSrc?: string[];
+        connectSrc?: string[];
+        fontSrc?: string[];
+        frameSrc?: string[];
+        allowUnsafeInline?: boolean;
+        allowUnsafeEval?: boolean;
+    }): string;
+    /**
+     * 转义 HTML 特殊字符
+     */
+    static escapeHTML(text: string): string;
+    /**
+     * 验证输入是否安全
+     */
+    static validateInput(input: unknown): {
+        safe: boolean;
+        sanitized?: string;
+        reason?: string;
+    };
+    /**
+     * 深度脱敏处理（递归处理嵌套对象）
+     */
+    static deepSanitize(data: unknown, maxDepth?: number, currentDepth?: number): unknown;
+}
+//# sourceMappingURL=security.d.ts.map

package/dist/utils/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/utils/security.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB;;OAEG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB;;OAEG;IACH,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC9B;AAED;;GAEG;AACH,eAAO,MAAM,gBAAgB,0hBA0CnB,CAAC;AAYX;;GAEG;AACH,qBAAa,aAAa;IACxB;;OAEG;IACH,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,SAAS,GAAG,MAAM;IA2C7D;;OAEG;IACH,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;IAYzC;;OAEG;IACH,MAAM,CAAC,wBAAwB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAoBtD;;OAEG;IACH,MAAM,CAAC,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IActC;;OAEG;IACH,MAAM,CAAC,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO;IAKnD;;OAEG;IACH,MAAM,CAAC,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAIpD;;OAEG;IACH,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,EAAE;QAC1B,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;QACtB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;QAClB,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;QACtB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;QACnB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;QACpB,iBAAiB,CAAC,EAAE,OAAO,CAAC;QAC5B,eAAe,CAAC,EAAE,OAAO,CAAC;KAC3B,GAAG,MAAM;IA+DV;;OAEG;IACH,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;IAWvC;;OAEG;IACH,MAAM,CAAC,aAAa,CAAC,KAAK,EAAE,OAAO,GAAG;QACpC,IAAI,EAAE,OAAO,CAAC;QACd,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB;IAyBD;;OAEG;IACH,MAAM,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,GAAE,MAAW,EAAE,YAAY,GAAE,MAAU,GAAG,OAAO;CAsC7F"}