@vlian/framework 1.2.25 → 1.2.38

package/dist/utils/runtimeSecurity.js

@@ -1,143 +1,3 @@
-import { SecurityUtils } from "./security";
-/**
- * 运行时安全工具类
- */ export class RuntimeSecurity {
-    /**
-   * 应用 CSP
-   * 
-   * 注意：通过 meta 标签设置 CSP 不如 HTTP 头安全，建议在服务器端设置 CSP 头。
-   * 此方法仅作为补充措施。
-   */ static applyCSP(config) {
-        if (typeof document === 'undefined') {
-            return;
-        }
-        try {
-            const cspHeader = SecurityUtils.generateCSP(config);
-            // 创建或更新 meta 标签
-            let metaCSP = document.querySelector('meta[http-equiv="Content-Security-Policy"]');
-            if (!metaCSP) {
-                metaCSP = document.createElement('meta');
-                metaCSP.setAttribute('http-equiv', 'Content-Security-Policy');
-                // 插入到 head 的开头，确保优先级
-                document.head.insertBefore(metaCSP, document.head.firstChild);
-            }
-            metaCSP.setAttribute('content', cspHeader);
-            // 添加 CSP 违规报告（如果支持）
-            if (typeof window !== 'undefined' && 'reporting' in window) {
-                // 可以添加 CSP 违规监听器
-                window.addEventListener('securitypolicyviolation', (event)=>{
-                    console.warn('CSP 违规:', {
-                        violatedDirective: event.violatedDirective,
-                        blockedURI: event.blockedURI
-                    });
-                });
-            }
-        } catch (error) {
-            console.error('应用 CSP 失败:', error);
-        }
-    }
-    /**
-   * 应用安全头（通过 meta 标签，实际应该由服务器设置）
-   */ static applySecurityHeaders(config) {
-        if (typeof document === 'undefined') {
-            return;
-        }
-        // X-Frame-Options
-        if (config.xFrameOptions) {
-            let meta = document.querySelector('meta[http-equiv="X-Frame-Options"]');
-            if (!meta) {
-                meta = document.createElement('meta');
-                meta.setAttribute('http-equiv', 'X-Frame-Options');
-                document.head.appendChild(meta);
-            }
-            meta.setAttribute('content', config.xFrameOptions);
-        }
-        // X-Content-Type-Options
-        if (config.xContentTypeOptions !== false) {
-            let meta = document.querySelector('meta[http-equiv="X-Content-Type-Options"]');
-            if (!meta) {
-                meta = document.createElement('meta');
-                meta.setAttribute('http-equiv', 'X-Content-Type-Options');
-                document.head.appendChild(meta);
-            }
-            meta.setAttribute('content', 'nosniff');
-        }
-        // X-XSS-Protection
-        if (config.xXSSProtection !== false) {
-            let meta = document.querySelector('meta[http-equiv="X-XSS-Protection"]');
-            if (!meta) {
-                meta = document.createElement('meta');
-                meta.setAttribute('http-equiv', 'X-XSS-Protection');
-                document.head.appendChild(meta);
-            }
-            meta.setAttribute('content', '1; mode=block');
-        }
-        // Referrer-Policy
-        if (config.referrerPolicy) {
-            let meta = document.querySelector('meta[name="referrer"]');
-            if (!meta) {
-                meta = document.createElement('meta');
-                meta.setAttribute('name', 'referrer');
-                document.head.appendChild(meta);
-            }
-            meta.setAttribute('content', config.referrerPolicy);
-        }
-    }
-    /**
-   * 检查运行时安全
-   */ static checkRuntimeSecurity() {
-        const issues = [];
-        if (typeof window === 'undefined') {
-            return {
-                safe: true,
-                issues: []
-            };
-        }
-        // 检查是否在 HTTPS 环境下
-        if (window.location.protocol !== 'https:' && window.location.hostname !== 'localhost') {
-            issues.push('应用未在 HTTPS 环境下运行');
-        }
-        // 检查是否有危险的全局对象
-        if (window.eval) {
-            issues.push('检测到危险的 eval 函数');
-        }
-        // 检查是否有危险的 innerHTML 使用
-        // 这个检查需要在代码层面进行，这里只是示例
-        return {
-            safe: issues.length === 0,
-            issues
-        };
-    }
-    /**
-   * 初始化运行时安全
-   */ static initialize(options = {}) {
-        const { enableCSP = false, enableSecurityHeaders = false, enableRuntimeChecks = false, csp, securityHeaders } = options;
-        // 应用 CSP
-        if (enableCSP && csp) {
-            this.applyCSP(csp);
-        }
-        // 应用安全头
-        if (enableSecurityHeaders && securityHeaders) {
-            this.applySecurityHeaders(securityHeaders);
-        }
-        // 运行时检查
-        if (enableRuntimeChecks) {
-            const checkResult = this.checkRuntimeSecurity();
-            if (!checkResult.safe) {
-                console.warn('运行时安全检查发现问题:', checkResult.issues);
-            }
-        }
-    }
-    /**
-   * 验证 URL 安全性
-   */ static validateUrl(url) {
-        return SecurityUtils.isSafeUrl(url);
-    }
-    /**
-   * 验证并清理用户输入
-   */ static sanitizeUserInput(input) {
-        return SecurityUtils.validateInput(input);
-    }
-}
+export { RuntimeSecurity } from "@vlian/utils";
 
 //# sourceMappingURL=runtimeSecurity.js.map

package/dist/utils/runtimeSecurity.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/utils/runtimeSecurity.ts"],"sourcesContent":["import { SecurityUtils } from './security';\n\n/**\n * CSP 配置\n */\nexport interface CSPConfig {\n  defaultSrc?: string[];\n  scriptSrc?: string[];\n  styleSrc?: string[];\n  imgSrc?: string[];\n  connectSrc?: string[];\n  fontSrc?: string[];\n  frameSrc?: string[];\n}\n\n/**\n * 安全头配置\n */\nexport interface SecurityHeadersConfig {\n  /**\n   * Content Security Policy\n   */\n  csp?: CSPConfig | string;\n  /**\n   * X-Frame-Options\n   */\n  xFrameOptions?: 'DENY' | 'SAMEORIGIN' | 'ALLOW-FROM';\n  /**\n   * X-Content-Type-Options\n   */\n  xContentTypeOptions?: boolean;\n  /**\n   * X-XSS-Protection\n   */\n  xXSSProtection?: boolean;\n  /**\n   * Referrer-Policy\n   */\n  referrerPolicy?: 'no-referrer' | 'no-referrer-when-downgrade' | 'origin' | 'origin-when-cross-origin' | 'same-origin' | 'strict-origin' | 'strict-origin-when-cross-origin' | 'unsafe-url';\n  /**\n   * Permissions-Policy\n   */\n  permissionsPolicy?: Record<string, string[]>;\n}\n\n/**\n * 运行时安全检查选项\n */\nexport interface RuntimeSecurityOptions {\n  /**\n   * 是否启用 CSP\n   */\n  enableCSP?: boolean;\n  /**\n   * 是否启用安全头\n   */\n  enableSecurityHeaders?: boolean;\n  /**\n   * 是否启用运行时检查\n   */\n  enableRuntimeChecks?: boolean;\n  /**\n   * CSP 配置\n   */\n  csp?: CSPConfig;\n  /**\n   * 安全头配置\n   */\n  securityHeaders?: SecurityHeadersConfig;\n}\n\n/**\n * 运行时安全工具类\n */\nexport class RuntimeSecurity {\n  /**\n   * 应用 CSP\n   * \n   * 注意：通过 meta 标签设置 CSP 不如 HTTP 头安全，建议在服务器端设置 CSP 头。\n   * 此方法仅作为补充措施。\n   */\n  static applyCSP(config: CSPConfig): void {\n    if (typeof document === 'undefined') {\n      return;\n    }\n\n    try {\n      const cspHeader = SecurityUtils.generateCSP(config);\n\n      // 创建或更新 meta 标签\n      let metaCSP = document.querySelector('meta[http-equiv=\"Content-Security-Policy\"]');\n      if (!metaCSP) {\n        metaCSP = document.createElement('meta');\n        metaCSP.setAttribute('http-equiv', 'Content-Security-Policy');\n        // 插入到 head 的开头，确保优先级\n        document.head.insertBefore(metaCSP, document.head.firstChild);\n      }\n      metaCSP.setAttribute('content', cspHeader);\n\n      // 添加 CSP 违规报告（如果支持）\n      if (typeof window !== 'undefined' && 'reporting' in window) {\n        // 可以添加 CSP 违规监听器\n        window.addEventListener('securitypolicyviolation', (event) => {\n          console.warn('CSP 违规:', {\n            violatedDirective: (event as any).violatedDirective,\n            blockedURI: (event as any).blockedURI,\n          });\n        });\n      }\n    } catch (error) {\n      console.error('应用 CSP 失败:', error);\n    }\n  }\n\n  /**\n   * 应用安全头（通过 meta 标签，实际应该由服务器设置）\n   */\n  static applySecurityHeaders(config: SecurityHeadersConfig): void {\n    if (typeof document === 'undefined') {\n      return;\n    }\n\n    // X-Frame-Options\n    if (config.xFrameOptions) {\n      let meta = document.querySelector('meta[http-equiv=\"X-Frame-Options\"]');\n      if (!meta) {\n        meta = document.createElement('meta');\n        meta.setAttribute('http-equiv', 'X-Frame-Options');\n        document.head.appendChild(meta);\n      }\n      meta.setAttribute('content', config.xFrameOptions);\n    }\n\n    // X-Content-Type-Options\n    if (config.xContentTypeOptions !== false) {\n      let meta = document.querySelector('meta[http-equiv=\"X-Content-Type-Options\"]');\n      if (!meta) {\n        meta = document.createElement('meta');\n        meta.setAttribute('http-equiv', 'X-Content-Type-Options');\n        document.head.appendChild(meta);\n      }\n      meta.setAttribute('content', 'nosniff');\n    }\n\n    // X-XSS-Protection\n    if (config.xXSSProtection !== false) {\n      let meta = document.querySelector('meta[http-equiv=\"X-XSS-Protection\"]');\n      if (!meta) {\n        meta = document.createElement('meta');\n        meta.setAttribute('http-equiv', 'X-XSS-Protection');\n        document.head.appendChild(meta);\n      }\n      meta.setAttribute('content', '1; mode=block');\n    }\n\n    // Referrer-Policy\n    if (config.referrerPolicy) {\n      let meta = document.querySelector('meta[name=\"referrer\"]');\n      if (!meta) {\n        meta = document.createElement('meta');\n        meta.setAttribute('name', 'referrer');\n        document.head.appendChild(meta);\n      }\n      meta.setAttribute('content', config.referrerPolicy);\n    }\n  }\n\n  /**\n   * 检查运行时安全\n   */\n  static checkRuntimeSecurity(): {\n    safe: boolean;\n    issues: string[];\n  } {\n    const issues: string[] = [];\n\n    if (typeof window === 'undefined') {\n      return { safe: true, issues: [] };\n    }\n\n    // 检查是否在 HTTPS 环境下\n    if (window.location.protocol !== 'https:' && window.location.hostname !== 'localhost') {\n      issues.push('应用未在 HTTPS 环境下运行');\n    }\n\n    // 检查是否有危险的全局对象\n    if ((window as any).eval) {\n      issues.push('检测到危险的 eval 函数');\n    }\n\n    // 检查是否有危险的 innerHTML 使用\n    // 这个检查需要在代码层面进行，这里只是示例\n\n    return {\n      safe: issues.length === 0,\n      issues,\n    };\n  }\n\n  /**\n   * 初始化运行时安全\n   */\n  static initialize(options: RuntimeSecurityOptions = {}): void {\n    const {\n      enableCSP = false,\n      enableSecurityHeaders = false,\n      enableRuntimeChecks = false,\n      csp,\n      securityHeaders,\n    } = options;\n\n    // 应用 CSP\n    if (enableCSP && csp) {\n      this.applyCSP(csp);\n    }\n\n    // 应用安全头\n    if (enableSecurityHeaders && securityHeaders) {\n      this.applySecurityHeaders(securityHeaders);\n    }\n\n    // 运行时检查\n    if (enableRuntimeChecks) {\n      const checkResult = this.checkRuntimeSecurity();\n      if (!checkResult.safe) {\n        console.warn('运行时安全检查发现问题:', checkResult.issues);\n      }\n    }\n  }\n\n  /**\n   * 验证 URL 安全性\n   */\n  static validateUrl(url: string): boolean {\n    return SecurityUtils.isSafeUrl(url);\n  }\n\n  /**\n   * 验证并清理用户输入\n   */\n  static sanitizeUserInput(input: unknown): {\n    safe: boolean;\n    sanitized?: string;\n  } {\n    return SecurityUtils.validateInput(input);\n  }\n}\n"],"names":["SecurityUtils","RuntimeSecurity","applyCSP","config","document","cspHeader","generateCSP","metaCSP","querySelector","createElement","setAttribute","head","insertBefore","firstChild","window","addEventListener","event","console","warn","violatedDirective","blockedURI","error","applySecurityHeaders","xFrameOptions","meta","appendChild","xContentTypeOptions","xXSSProtection","referrerPolicy","checkRuntimeSecurity","issues","safe","location","protocol","hostname","push","eval","length","initialize","options","enableCSP","enableSecurityHeaders","enableRuntimeChecks","csp","securityHeaders","checkResult","validateUrl","url","isSafeUrl","sanitizeUserInput","input","validateInput"],"mappings":"AAAA,SAASA,aAAa,QAAQ,aAAa;AAuE3C;;CAEC,GACD,OAAO,MAAMC;IACX;;;;;GAKC,GACD,OAAOC,SAASC,MAAiB,EAAQ;QACvC,IAAI,OAAOC,aAAa,aAAa;YACnC;QACF;QAEA,IAAI;YACF,MAAMC,YAAYL,cAAcM,WAAW,CAACH;YAE5C,gBAAgB;YAChB,IAAII,UAAUH,SAASI,aAAa,CAAC;YACrC,IAAI,CAACD,SAAS;gBACZA,UAAUH,SAASK,aAAa,CAAC;gBACjCF,QAAQG,YAAY,CAAC,cAAc;gBACnC,qBAAqB;gBACrBN,SAASO,IAAI,CAACC,YAAY,CAACL,SAASH,SAASO,IAAI,CAACE,UAAU;YAC9D;YACAN,QAAQG,YAAY,CAAC,WAAWL;YAEhC,oBAAoB;YACpB,IAAI,OAAOS,WAAW,eAAe,eAAeA,QAAQ;gBAC1D,iBAAiB;gBACjBA,OAAOC,gBAAgB,CAAC,2BAA2B,CAACC;oBAClDC,QAAQC,IAAI,CAAC,WAAW;wBACtBC,mBAAmB,AAACH,MAAcG,iBAAiB;wBACnDC,YAAY,AAACJ,MAAcI,UAAU;oBACvC;gBACF;YACF;QACF,EAAE,OAAOC,OAAO;YACdJ,QAAQI,KAAK,CAAC,cAAcA;QAC9B;IACF;IAEA;;GAEC,GACD,OAAOC,qBAAqBnB,MAA6B,EAAQ;QAC/D,IAAI,OAAOC,aAAa,aAAa;YACnC;QACF;QAEA,kBAAkB;QAClB,IAAID,OAAOoB,aAAa,EAAE;YACxB,IAAIC,OAAOpB,SAASI,aAAa,CAAC;YAClC,IAAI,CAACgB,MAAM;gBACTA,OAAOpB,SAASK,aAAa,CAAC;gBAC9Be,KAAKd,YAAY,CAAC,cAAc;gBAChCN,SAASO,IAAI,CAACc,WAAW,CAACD;YAC5B;YACAA,KAAKd,YAAY,CAAC,WAAWP,OAAOoB,aAAa;QACnD;QAEA,yBAAyB;QACzB,IAAIpB,OAAOuB,mBAAmB,KAAK,OAAO;YACxC,IAAIF,OAAOpB,SAASI,aAAa,CAAC;YAClC,IAAI,CAACgB,MAAM;gBACTA,OAAOpB,SAASK,aAAa,CAAC;gBAC9Be,KAAKd,YAAY,CAAC,cAAc;gBAChCN,SAASO,IAAI,CAACc,WAAW,CAACD;YAC5B;YACAA,KAAKd,YAAY,CAAC,WAAW;QAC/B;QAEA,mBAAmB;QACnB,IAAIP,OAAOwB,cAAc,KAAK,OAAO;YACnC,IAAIH,OAAOpB,SAASI,aAAa,CAAC;YAClC,IAAI,CAACgB,MAAM;gBACTA,OAAOpB,SAASK,aAAa,CAAC;gBAC9Be,KAAKd,YAAY,CAAC,cAAc;gBAChCN,SAASO,IAAI,CAACc,WAAW,CAACD;YAC5B;YACAA,KAAKd,YAAY,CAAC,WAAW;QAC/B;QAEA,kBAAkB;QAClB,IAAIP,OAAOyB,cAAc,EAAE;YACzB,IAAIJ,OAAOpB,SAASI,aAAa,CAAC;YAClC,IAAI,CAACgB,MAAM;gBACTA,OAAOpB,SAASK,aAAa,CAAC;gBAC9Be,KAAKd,YAAY,CAAC,QAAQ;gBAC1BN,SAASO,IAAI,CAACc,WAAW,CAACD;YAC5B;YACAA,KAAKd,YAAY,CAAC,WAAWP,OAAOyB,cAAc;QACpD;IACF;IAEA;;GAEC,GACD,OAAOC,uBAGL;QACA,MAAMC,SAAmB,EAAE;QAE3B,IAAI,OAAOhB,WAAW,aAAa;YACjC,OAAO;gBAAEiB,MAAM;gBAAMD,QAAQ,EAAE;YAAC;QAClC;QAEA,kBAAkB;QAClB,IAAIhB,OAAOkB,QAAQ,CAACC,QAAQ,KAAK,YAAYnB,OAAOkB,QAAQ,CAACE,QAAQ,KAAK,aAAa;YACrFJ,OAAOK,IAAI,CAAC;QACd;QAEA,eAAe;QACf,IAAI,AAACrB,OAAesB,IAAI,EAAE;YACxBN,OAAOK,IAAI,CAAC;QACd;QAEA,wBAAwB;QACxB,uBAAuB;QAEvB,OAAO;YACLJ,MAAMD,OAAOO,MAAM,KAAK;YACxBP;QACF;IACF;IAEA;;GAEC,GACD,OAAOQ,WAAWC,UAAkC,CAAC,CAAC,EAAQ;QAC5D,MAAM,EACJC,YAAY,KAAK,EACjBC,wBAAwB,KAAK,EAC7BC,sBAAsB,KAAK,EAC3BC,GAAG,EACHC,eAAe,EAChB,GAAGL;QAEJ,SAAS;QACT,IAAIC,aAAaG,KAAK;YACpB,IAAI,CAACzC,QAAQ,CAACyC;QAChB;QAEA,QAAQ;QACR,IAAIF,yBAAyBG,iBAAiB;YAC5C,IAAI,CAACtB,oBAAoB,CAACsB;QAC5B;QAEA,QAAQ;QACR,IAAIF,qBAAqB;YACvB,MAAMG,cAAc,IAAI,CAAChB,oBAAoB;YAC7C,IAAI,CAACgB,YAAYd,IAAI,EAAE;gBACrBd,QAAQC,IAAI,CAAC,gBAAgB2B,YAAYf,MAAM;YACjD;QACF;IACF;IAEA;;GAEC,GACD,OAAOgB,YAAYC,GAAW,EAAW;QACvC,OAAO/C,cAAcgD,SAAS,CAACD;IACjC;IAEA;;GAEC,GACD,OAAOE,kBAAkBC,KAAc,EAGrC;QACA,OAAOlD,cAAcmD,aAAa,CAACD;IACrC;AACF"}
+{"version":3,"sources":["../../src/utils/runtimeSecurity.ts"],"sourcesContent":["export { RuntimeSecurity } from '@vlian/utils';\nexport type { RuntimeSecurityOptions, CSPConfig, SecurityHeadersConfig } from '@vlian/utils';\n"],"names":["RuntimeSecurity"],"mappings":"AAAA,SAASA,eAAe,QAAQ,eAAe"}

package/dist/utils/security.cjs

@@ -10,323 +10,12 @@ function _export(target, all) {
 }
 _export(exports, {
     get SENSITIVE_FIELDS () {
-        return SENSITIVE_FIELDS;
+        return _utils.SENSITIVE_FIELDS;
     },
     get SecurityUtils () {
-        return SecurityUtils;
+        return _utils.SecurityUtils;
     }
 });
-const _dompurify = /*#__PURE__*/ _interop_require_default(require("dompurify"));
-const _errors = require("./errors");
-function _interop_require_default(obj) {
-    return obj && obj.__esModule ? obj : {
-        default: obj
-    };
-}
-const SENSITIVE_FIELDS = [
-    'password',
-    'pwd',
-    'passwd',
-    'token',
-    'secret',
-    'key',
-    'apiKey',
-    'apikey',
-    'api_key',
-    'accessToken',
-    'access_token',
-    'refreshToken',
-    'refresh_token',
-    'authorization',
-    'auth',
-    'cookie',
-    'session',
-    'sessionId',
-    'session_id',
-    'creditCard',
-    'credit_card',
-    'cardNumber',
-    'card_number',
-    'cvv',
-    'cvc',
-    'ssn',
-    'socialSecurityNumber',
-    'social_security_number',
-    'phone',
-    'phoneNumber',
-    'phone_number',
-    'mobile',
-    'email',
-    'emailAddress',
-    'email_address',
-    'privateKey',
-    'private_key',
-    'secretKey',
-    'secret_key',
-    'apiSecret',
-    'api_secret'
-];
-/**
- * 敏感信息检测模式（正则表达式）
- */ const SENSITIVE_PATTERNS = [
-    /\b\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}\b/,
-    /\b\d{3}-\d{2}-\d{4}\b/,
-    /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/,
-    /\b\d{10,}\b/
-];
-let SecurityUtils = class SecurityUtils {
-    /**
-   * 清理 HTML，防止 XSS 攻击
-   */ static sanitizeHTML(html, config) {
-        if (typeof window === 'undefined') {
-            // Node.js 环境，返回原始字符串（需要服务端处理）
-            return html;
-        }
-        try {
-            if (config?.allowHTML) {
-                // 默认禁止所有标签，除非明确允许
-                const allowedTags = config.allowedTags && config.allowedTags.length > 0 ? config.allowedTags : [];
-                const allowedAttributes = config.allowedAttributes && config.allowedAttributes.length > 0 ? config.allowedAttributes : [];
-                return _dompurify.default.sanitize(html, {
-                    ALLOWED_TAGS: allowedTags,
-                    ALLOWED_ATTR: allowedAttributes,
-                    FORBID_TAGS: [
-                        'script',
-                        'iframe',
-                        'object',
-                        'embed',
-                        'form',
-                        'link',
-                        'meta',
-                        'style'
-                    ],
-                    FORBID_ATTR: [
-                        'onerror',
-                        'onload',
-                        'onclick',
-                        'onmouseover',
-                        'onfocus',
-                        'onblur',
-                        'onchange'
-                    ],
-                    // 添加更多安全配置
-                    KEEP_CONTENT: false,
-                    RETURN_DOM: false,
-                    RETURN_DOM_FRAGMENT: false,
-                    RETURN_TRUSTED_TYPE: false
-                });
-            }
-            // 默认模式：完全清理，不允许任何 HTML
-            return _dompurify.default.sanitize(html, {
-                ALLOWED_TAGS: [],
-                KEEP_CONTENT: false
-            });
-        } catch (error) {
-            // 错误处理：不泄露敏感信息，记录错误但不抛出详细错误
-            const errorMessage = error instanceof Error ? error.message : 'Unknown error';
-            // 只记录错误类型，不记录具体内容
-            console.error('HTML 清理失败:', errorMessage.substring(0, 50));
-            // 返回安全的空字符串或清理后的文本
-            return this.sanitizeText(html);
-        }
-    }
-    /**
-   * 清理文本内容（移除所有 HTML 标签）
-   */ static sanitizeText(text) {
-        if (typeof window === 'undefined') {
-            return text.replace(/<[^>]*>/g, '');
-        }
-        try {
-            return _dompurify.default.sanitize(text, {
-                ALLOWED_TAGS: []
-            });
-        } catch (error) {
-            throw new _errors.SecurityError('文本清理失败', error instanceof Error ? error : undefined);
-        }
-    }
-    /**
-   * 检查字符串是否包含潜在的危险内容
-   */ static containsDangerousContent(text) {
-        const dangerousPatterns = [
-            /<script[\s\S]*?>[\s\S]*?<\/script>/gi,
-            /javascript:/gi,
-            /on\w+\s*=/gi,
-            /<iframe[\s\S]*?>/gi,
-            /<object[\s\S]*?>/gi,
-            /<embed[\s\S]*?>/gi,
-            /<link[\s\S]*?>/gi,
-            /<meta[\s\S]*?>/gi,
-            /data:text\/html/gi,
-            /vbscript:/gi,
-            /expression\s*\(/gi,
-            /@import/gi,
-            /<style[\s\S]*?>[\s\S]*?<\/style>/gi
-        ];
-        return dangerousPatterns.some((pattern)=>pattern.test(text));
-    }
-    /**
-   * 验证 URL 是否安全
-   */ static isSafeUrl(url) {
-        try {
-            const urlObj = new URL(url);
-            // 检查协议
-            if (![
-                'http:',
-                'https:'
-            ].includes(urlObj.protocol)) {
-                return false;
-            }
-            // 检查是否包含危险内容
-            return !this.containsDangerousContent(url);
-        } catch  {
-            return false;
-        }
-    }
-    /**
-   * 检查字段名是否为敏感字段
-   */ static isSensitiveField(fieldName) {
-        const lowerFieldName = fieldName.toLowerCase();
-        return SENSITIVE_FIELDS.some((field)=>lowerFieldName.includes(field.toLowerCase()));
-    }
-    /**
-   * 检查值是否包含敏感信息（基于模式匹配）
-   */ static containsSensitiveData(value) {
-        return SENSITIVE_PATTERNS.some((pattern)=>pattern.test(value));
-    }
-    /**
-   * 生成 CSP（Content Security Policy）头
-   */ static generateCSP(config) {
-        const directives = [];
-        const allowUnsafeInline = config?.allowUnsafeInline ?? false;
-        const allowUnsafeEval = config?.allowUnsafeEval ?? false;
-        if (config?.defaultSrc) {
-            directives.push(`default-src ${config.defaultSrc.join(' ')}`);
-        } else {
-            directives.push("default-src 'self'");
-        }
-        if (config?.scriptSrc) {
-            directives.push(`script-src ${config.scriptSrc.join(' ')}`);
-        } else {
-            // 默认不允许 unsafe-inline 和 unsafe-eval，提高安全性
-            const scriptSrc = [
-                "'self'"
-            ];
-            if (allowUnsafeInline) {
-                scriptSrc.push("'unsafe-inline'");
-            }
-            if (allowUnsafeEval) {
-                scriptSrc.push("'unsafe-eval'");
-            }
-            directives.push(`script-src ${scriptSrc.join(' ')}`);
-        }
-        if (config?.styleSrc) {
-            directives.push(`style-src ${config.styleSrc.join(' ')}`);
-        } else {
-            // 对于样式，可以使用 nonce 或 hash 替代 unsafe-inline
-            const styleSrc = [
-                "'self'"
-            ];
-            if (allowUnsafeInline) {
-                styleSrc.push("'unsafe-inline'");
-            }
-            directives.push(`style-src ${styleSrc.join(' ')}`);
-        }
-        if (config?.imgSrc) {
-            directives.push(`img-src ${config.imgSrc.join(' ')}`);
-        } else {
-            directives.push("img-src 'self' data: https:");
-        }
-        if (config?.connectSrc) {
-            directives.push(`connect-src ${config.connectSrc.join(' ')}`);
-        } else {
-            directives.push("connect-src 'self'");
-        }
-        if (config?.fontSrc) {
-            directives.push(`font-src ${config.fontSrc.join(' ')}`);
-        } else {
-            directives.push("font-src 'self' data:");
-        }
-        if (config?.frameSrc) {
-            directives.push(`frame-src ${config.frameSrc.join(' ')}`);
-        } else {
-            directives.push("frame-src 'none'");
-        }
-        return directives.join('; ');
-    }
-    /**
-   * 转义 HTML 特殊字符
-   */ static escapeHTML(text) {
-        const map = {
-            '&': '&amp;',
-            '<': '&lt;',
-            '>': '&gt;',
-            '"': '&quot;',
-            "'": '&#039;'
-        };
-        return text.replace(/[&<>"']/g, (char)=>map[char]);
-    }
-    /**
-   * 验证输入是否安全
-   */ static validateInput(input) {
-        if (typeof input !== 'string') {
-            return {
-                safe: true
-            };
-        }
-        if (this.containsDangerousContent(input)) {
-            return {
-                safe: false,
-                sanitized: this.sanitizeText(input),
-                reason: '包含潜在的危险内容'
-            };
-        }
-        // 检查是否包含敏感数据模式
-        if (this.containsSensitiveData(input)) {
-            return {
-                safe: false,
-                sanitized: this.sanitizeText(input),
-                reason: '可能包含敏感信息'
-            };
-        }
-        return {
-            safe: true,
-            sanitized: input
-        };
-    }
-    /**
-   * 深度脱敏处理（递归处理嵌套对象）
-   */ static deepSanitize(data, maxDepth = 10, currentDepth = 0) {
-        if (currentDepth >= maxDepth) {
-            return '***'; // 防止无限递归
-        }
-        if (data === null || data === undefined) {
-            return data;
-        }
-        if (typeof data === 'string') {
-            if (this.containsDangerousContent(data) || this.containsSensitiveData(data)) {
-                return this.sanitizeText(data);
-            }
-            return data;
-        }
-        if (typeof data === 'number' || typeof data === 'boolean') {
-            return data;
-        }
-        if (Array.isArray(data)) {
-            return data.map((item)=>this.deepSanitize(item, maxDepth, currentDepth + 1));
-        }
-        if (typeof data === 'object') {
-            const sanitized = {};
-            for (const [key, value] of Object.entries(data)){
-                if (this.isSensitiveField(key)) {
-                    sanitized[key] = '***';
-                } else {
-                    sanitized[key] = this.deepSanitize(value, maxDepth, currentDepth + 1);
-                }
-            }
-            return sanitized;
-        }
-        return data;
-    }
-};
+const _utils = require("@vlian/utils");
 
 //# sourceMappingURL=security.js.map

package/dist/utils/security.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/utils/security.ts"],"sourcesContent":["import DOMPurify from 'dompurify';\nimport { SecurityError } from './errors';\n\n/**\n * XSS 防护配置\n */\nexport interface XSSConfig {\n  /**\n   * 是否允许 HTML 标签\n   */\n  allowHTML?: boolean;\n  /**\n   * 允许的 HTML 标签列表\n   */\n  allowedTags?: string[];\n  /**\n   * 允许的 HTML 属性列表\n   */\n  allowedAttributes?: string[];\n}\n\n/**\n * 敏感数据标识（扩展列表）\n */\nexport const SENSITIVE_FIELDS = [\n  'password',\n  'pwd',\n  'passwd',\n  'token',\n  'secret',\n  'key',\n  'apiKey',\n  'apikey',\n  'api_key',\n  'accessToken',\n  'access_token',\n  'refreshToken',\n  'refresh_token',\n  'authorization',\n  'auth',\n  'cookie',\n  'session',\n  'sessionId',\n  'session_id',\n  'creditCard',\n  'credit_card',\n  'cardNumber',\n  'card_number',\n  'cvv',\n  'cvc',\n  'ssn',\n  'socialSecurityNumber',\n  'social_security_number',\n  'phone',\n  'phoneNumber',\n  'phone_number',\n  'mobile',\n  'email',\n  'emailAddress',\n  'email_address',\n  'privateKey',\n  'private_key',\n  'secretKey',\n  'secret_key',\n  'apiSecret',\n  'api_secret',\n] as const;\n\n/**\n * 敏感信息检测模式（正则表达式）\n */\nconst SENSITIVE_PATTERNS = [\n  /\\b\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}[\\s-]?\\d{4}\\b/, // 信用卡号\n  /\\b\\d{3}-\\d{2}-\\d{4}\\b/, // SSN\n  /\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b/, // 邮箱（可选，根据需求决定是否脱敏）\n  /\\b\\d{10,}\\b/, // 长数字（可能是敏感信息）\n] as const;\n\n/**\n * 安全工具类\n */\nexport class SecurityUtils {\n  /**\n   * 清理 HTML，防止 XSS 攻击\n   */\n  static sanitizeHTML(html: string, config?: XSSConfig): string {\n    if (typeof window === 'undefined') {\n      // Node.js 环境，返回原始字符串（需要服务端处理）\n      return html;\n    }\n\n    try {\n      if (config?.allowHTML) {\n        // 默认禁止所有标签，除非明确允许\n        const allowedTags = config.allowedTags && config.allowedTags.length > 0 \n          ? config.allowedTags \n          : [];\n        const allowedAttributes = config.allowedAttributes && config.allowedAttributes.length > 0\n          ? config.allowedAttributes\n          : [];\n        \n        return DOMPurify.sanitize(html, {\n          ALLOWED_TAGS: allowedTags,\n          ALLOWED_ATTR: allowedAttributes,\n          FORBID_TAGS: ['script', 'iframe', 'object', 'embed', 'form', 'link', 'meta', 'style'],\n          FORBID_ATTR: ['onerror', 'onload', 'onclick', 'onmouseover', 'onfocus', 'onblur', 'onchange'],\n          // 添加更多安全配置\n          KEEP_CONTENT: false,\n          RETURN_DOM: false,\n          RETURN_DOM_FRAGMENT: false,\n          RETURN_TRUSTED_TYPE: false,\n        });\n      }\n      // 默认模式：完全清理，不允许任何 HTML\n      return DOMPurify.sanitize(html, { \n        ALLOWED_TAGS: [],\n        KEEP_CONTENT: false,\n      });\n    } catch (error) {\n      // 错误处理：不泄露敏感信息，记录错误但不抛出详细错误\n      const errorMessage = error instanceof Error ? error.message : 'Unknown error';\n      // 只记录错误类型，不记录具体内容\n      console.error('HTML 清理失败:', errorMessage.substring(0, 50));\n      // 返回安全的空字符串或清理后的文本\n      return this.sanitizeText(html);\n    }\n  }\n\n  /**\n   * 清理文本内容（移除所有 HTML 标签）\n   */\n  static sanitizeText(text: string): string {\n    if (typeof window === 'undefined') {\n      return text.replace(/<[^>]*>/g, '');\n    }\n\n    try {\n      return DOMPurify.sanitize(text, { ALLOWED_TAGS: [] });\n    } catch (error) {\n      throw new SecurityError('文本清理失败', error instanceof Error ? error : undefined);\n    }\n  }\n\n  /**\n   * 检查字符串是否包含潜在的危险内容\n   */\n  static containsDangerousContent(text: string): boolean {\n    const dangerousPatterns = [\n      /<script[\\s\\S]*?>[\\s\\S]*?<\\/script>/gi,\n      /javascript:/gi,\n      /on\\w+\\s*=/gi,\n      /<iframe[\\s\\S]*?>/gi,\n      /<object[\\s\\S]*?>/gi,\n      /<embed[\\s\\S]*?>/gi,\n      /<link[\\s\\S]*?>/gi,\n      /<meta[\\s\\S]*?>/gi,\n      /data:text\\/html/gi,\n      /vbscript:/gi,\n      /expression\\s*\\(/gi,\n      /@import/gi,\n      /<style[\\s\\S]*?>[\\s\\S]*?<\\/style>/gi,\n    ];\n\n    return dangerousPatterns.some((pattern) => pattern.test(text));\n  }\n\n  /**\n   * 验证 URL 是否安全\n   */\n  static isSafeUrl(url: string): boolean {\n    try {\n      const urlObj = new URL(url);\n      // 检查协议\n      if (!['http:', 'https:'].includes(urlObj.protocol)) {\n        return false;\n      }\n      // 检查是否包含危险内容\n      return !this.containsDangerousContent(url);\n    } catch {\n      return false;\n    }\n  }\n\n  /**\n   * 检查字段名是否为敏感字段\n   */\n  static isSensitiveField(fieldName: string): boolean {\n    const lowerFieldName = fieldName.toLowerCase();\n    return SENSITIVE_FIELDS.some((field) => lowerFieldName.includes(field.toLowerCase()));\n  }\n\n  /**\n   * 检查值是否包含敏感信息（基于模式匹配）\n   */\n  static containsSensitiveData(value: string): boolean {\n    return SENSITIVE_PATTERNS.some((pattern) => pattern.test(value));\n  }\n\n  /**\n   * 生成 CSP（Content Security Policy）头\n   */\n  static generateCSP(config?: {\n    defaultSrc?: string[];\n    scriptSrc?: string[];\n    styleSrc?: string[];\n    imgSrc?: string[];\n    connectSrc?: string[];\n    fontSrc?: string[];\n    frameSrc?: string[];\n    allowUnsafeInline?: boolean; // 是否允许 unsafe-inline（不推荐）\n    allowUnsafeEval?: boolean; // 是否允许 unsafe-eval（不推荐）\n  }): string {\n    const directives: string[] = [];\n    const allowUnsafeInline = config?.allowUnsafeInline ?? false;\n    const allowUnsafeEval = config?.allowUnsafeEval ?? false;\n\n    if (config?.defaultSrc) {\n      directives.push(`default-src ${config.defaultSrc.join(' ')}`);\n    } else {\n      directives.push(\"default-src 'self'\");\n    }\n\n    if (config?.scriptSrc) {\n      directives.push(`script-src ${config.scriptSrc.join(' ')}`);\n    } else {\n      // 默认不允许 unsafe-inline 和 unsafe-eval，提高安全性\n      const scriptSrc = [\"'self'\"];\n      if (allowUnsafeInline) {\n        scriptSrc.push(\"'unsafe-inline'\");\n      }\n      if (allowUnsafeEval) {\n        scriptSrc.push(\"'unsafe-eval'\");\n      }\n      directives.push(`script-src ${scriptSrc.join(' ')}`);\n    }\n\n    if (config?.styleSrc) {\n      directives.push(`style-src ${config.styleSrc.join(' ')}`);\n    } else {\n      // 对于样式，可以使用 nonce 或 hash 替代 unsafe-inline\n      const styleSrc = [\"'self'\"];\n      if (allowUnsafeInline) {\n        styleSrc.push(\"'unsafe-inline'\");\n      }\n      directives.push(`style-src ${styleSrc.join(' ')}`);\n    }\n\n    if (config?.imgSrc) {\n      directives.push(`img-src ${config.imgSrc.join(' ')}`);\n    } else {\n      directives.push(\"img-src 'self' data: https:\");\n    }\n\n    if (config?.connectSrc) {\n      directives.push(`connect-src ${config.connectSrc.join(' ')}`);\n    } else {\n      directives.push(\"connect-src 'self'\");\n    }\n\n    if (config?.fontSrc) {\n      directives.push(`font-src ${config.fontSrc.join(' ')}`);\n    } else {\n      directives.push(\"font-src 'self' data:\");\n    }\n\n    if (config?.frameSrc) {\n      directives.push(`frame-src ${config.frameSrc.join(' ')}`);\n    } else {\n      directives.push(\"frame-src 'none'\");\n    }\n\n    return directives.join('; ');\n  }\n\n  /**\n   * 转义 HTML 特殊字符\n   */\n  static escapeHTML(text: string): string {\n    const map: Record<string, string> = {\n      '&': '&amp;',\n      '<': '&lt;',\n      '>': '&gt;',\n      '\"': '&quot;',\n      \"'\": '&#039;',\n    };\n    return text.replace(/[&<>\"']/g, (char) => map[char]);\n  }\n\n  /**\n   * 验证输入是否安全\n   */\n  static validateInput(input: unknown): {\n    safe: boolean;\n    sanitized?: string;\n    reason?: string;\n  } {\n    if (typeof input !== 'string') {\n      return { safe: true };\n    }\n\n    if (this.containsDangerousContent(input)) {\n      return {\n        safe: false,\n        sanitized: this.sanitizeText(input),\n        reason: '包含潜在的危险内容',\n      };\n    }\n\n    // 检查是否包含敏感数据模式\n    if (this.containsSensitiveData(input)) {\n      return {\n        safe: false,\n        sanitized: this.sanitizeText(input),\n        reason: '可能包含敏感信息',\n      };\n    }\n\n    return { safe: true, sanitized: input };\n  }\n\n  /**\n   * 深度脱敏处理（递归处理嵌套对象）\n   */\n  static deepSanitize(data: unknown, maxDepth: number = 10, currentDepth: number = 0): unknown {\n    if (currentDepth >= maxDepth) {\n      return '***'; // 防止无限递归\n    }\n\n    if (data === null || data === undefined) {\n      return data;\n    }\n\n    if (typeof data === 'string') {\n      if (this.containsDangerousContent(data) || this.containsSensitiveData(data)) {\n        return this.sanitizeText(data);\n      }\n      return data;\n    }\n\n    if (typeof data === 'number' || typeof data === 'boolean') {\n      return data;\n    }\n\n    if (Array.isArray(data)) {\n      return data.map((item) => this.deepSanitize(item, maxDepth, currentDepth + 1));\n    }\n\n    if (typeof data === 'object') {\n      const sanitized: Record<string, unknown> = {};\n      for (const [key, value] of Object.entries(data)) {\n        if (this.isSensitiveField(key)) {\n          sanitized[key] = '***';\n        } else {\n          sanitized[key] = this.deepSanitize(value, maxDepth, currentDepth + 1);\n        }\n      }\n      return sanitized;\n    }\n\n    return data;\n  }\n}\n"],"names":["SENSITIVE_FIELDS","SecurityUtils","SENSITIVE_PATTERNS","sanitizeHTML","html","config","window","allowHTML","allowedTags","length","allowedAttributes","DOMPurify","sanitize","ALLOWED_TAGS","ALLOWED_ATTR","FORBID_TAGS","FORBID_ATTR","KEEP_CONTENT","RETURN_DOM","RETURN_DOM_FRAGMENT","RETURN_TRUSTED_TYPE","error","errorMessage","Error","message","console","substring","sanitizeText","text","replace","SecurityError","undefined","containsDangerousContent","dangerousPatterns","some","pattern","test","isSafeUrl","url","urlObj","URL","includes","protocol","isSensitiveField","fieldName","lowerFieldName","toLowerCase","field","containsSensitiveData","value","generateCSP","directives","allowUnsafeInline","allowUnsafeEval","defaultSrc","push","join","scriptSrc","styleSrc","imgSrc","connectSrc","fontSrc","frameSrc","escapeHTML","map","char","validateInput","input","safe","sanitized","reason","deepSanitize","data","maxDepth","currentDepth","Array","isArray","item","key","Object","entries"],"mappings":";;;;;;;;;;;QAwBaA;eAAAA;;QAyDAC;eAAAA;;;kEAjFS;wBACQ;;;;;;AAuBvB,MAAMD,mBAAmB;IAC9B;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;IACA;CACD;AAED;;CAEC,GACD,MAAME,qBAAqB;IACzB;IACA;IACA;IACA;CACD;AAKM,IAAA,AAAMD,gBAAN,MAAMA;IACX;;GAEC,GACD,OAAOE,aAAaC,IAAY,EAAEC,MAAkB,EAAU;QAC5D,IAAI,OAAOC,WAAW,aAAa;YACjC,8BAA8B;YAC9B,OAAOF;QACT;QAEA,IAAI;YACF,IAAIC,QAAQE,WAAW;gBACrB,kBAAkB;gBAClB,MAAMC,cAAcH,OAAOG,WAAW,IAAIH,OAAOG,WAAW,CAACC,MAAM,GAAG,IAClEJ,OAAOG,WAAW,GAClB,EAAE;gBACN,MAAME,oBAAoBL,OAAOK,iBAAiB,IAAIL,OAAOK,iBAAiB,CAACD,MAAM,GAAG,IACpFJ,OAAOK,iBAAiB,GACxB,EAAE;gBAEN,OAAOC,kBAAS,CAACC,QAAQ,CAACR,MAAM;oBAC9BS,cAAcL;oBACdM,cAAcJ;oBACdK,aAAa;wBAAC;wBAAU;wBAAU;wBAAU;wBAAS;wBAAQ;wBAAQ;wBAAQ;qBAAQ;oBACrFC,aAAa;wBAAC;wBAAW;wBAAU;wBAAW;wBAAe;wBAAW;wBAAU;qBAAW;oBAC7F,WAAW;oBACXC,cAAc;oBACdC,YAAY;oBACZC,qBAAqB;oBACrBC,qBAAqB;gBACvB;YACF;YACA,uBAAuB;YACvB,OAAOT,kBAAS,CAACC,QAAQ,CAACR,MAAM;gBAC9BS,cAAc,EAAE;gBAChBI,cAAc;YAChB;QACF,EAAE,OAAOI,OAAO;YACd,4BAA4B;YAC5B,MAAMC,eAAeD,iBAAiBE,QAAQF,MAAMG,OAAO,GAAG;YAC9D,kBAAkB;YAClBC,QAAQJ,KAAK,CAAC,cAAcC,aAAaI,SAAS,CAAC,GAAG;YACtD,mBAAmB;YACnB,OAAO,IAAI,CAACC,YAAY,CAACvB;QAC3B;IACF;IAEA;;GAEC,GACD,OAAOuB,aAAaC,IAAY,EAAU;QACxC,IAAI,OAAOtB,WAAW,aAAa;YACjC,OAAOsB,KAAKC,OAAO,CAAC,YAAY;QAClC;QAEA,IAAI;YACF,OAAOlB,kBAAS,CAACC,QAAQ,CAACgB,MAAM;gBAAEf,cAAc,EAAE;YAAC;QACrD,EAAE,OAAOQ,OAAO;YACd,MAAM,IAAIS,qBAAa,CAAC,UAAUT,iBAAiBE,QAAQF,QAAQU;QACrE;IACF;IAEA;;GAEC,GACD,OAAOC,yBAAyBJ,IAAY,EAAW;QACrD,MAAMK,oBAAoB;YACxB;YACA;YACA;YACA;YACA;YACA;YACA;YACA;YACA;YACA;YACA;YACA;YACA;SACD;QAED,OAAOA,kBAAkBC,IAAI,CAAC,CAACC,UAAYA,QAAQC,IAAI,CAACR;IAC1D;IAEA;;GAEC,GACD,OAAOS,UAAUC,GAAW,EAAW;QACrC,IAAI;YACF,MAAMC,SAAS,IAAIC,IAAIF;YACvB,OAAO;YACP,IAAI,CAAC;gBAAC;gBAAS;aAAS,CAACG,QAAQ,CAACF,OAAOG,QAAQ,GAAG;gBAClD,OAAO;YACT;YACA,aAAa;YACb,OAAO,CAAC,IAAI,CAACV,wBAAwB,CAACM;QACxC,EAAE,OAAM;YACN,OAAO;QACT;IACF;IAEA;;GAEC,GACD,OAAOK,iBAAiBC,SAAiB,EAAW;QAClD,MAAMC,iBAAiBD,UAAUE,WAAW;QAC5C,OAAO9C,iBAAiBkC,IAAI,CAAC,CAACa,QAAUF,eAAeJ,QAAQ,CAACM,MAAMD,WAAW;IACnF;IAEA;;GAEC,GACD,OAAOE,sBAAsBC,KAAa,EAAW;QACnD,OAAO/C,mBAAmBgC,IAAI,CAAC,CAACC,UAAYA,QAAQC,IAAI,CAACa;IAC3D;IAEA;;GAEC,GACD,OAAOC,YAAY7C,MAUlB,EAAU;QACT,MAAM8C,aAAuB,EAAE;QAC/B,MAAMC,oBAAoB/C,QAAQ+C,qBAAqB;QACvD,MAAMC,kBAAkBhD,QAAQgD,mBAAmB;QAEnD,IAAIhD,QAAQiD,YAAY;YACtBH,WAAWI,IAAI,CAAC,CAAC,YAAY,EAAElD,OAAOiD,UAAU,CAACE,IAAI,CAAC,MAAM;QAC9D,OAAO;YACLL,WAAWI,IAAI,CAAC;QAClB;QAEA,IAAIlD,QAAQoD,WAAW;YACrBN,WAAWI,IAAI,CAAC,CAAC,WAAW,EAAElD,OAAOoD,SAAS,CAACD,IAAI,CAAC,MAAM;QAC5D,OAAO;YACL,0CAA0C;YAC1C,MAAMC,YAAY;gBAAC;aAAS;YAC5B,IAAIL,mBAAmB;gBACrBK,UAAUF,IAAI,CAAC;YACjB;YACA,IAAIF,iBAAiB;gBACnBI,UAAUF,IAAI,CAAC;YACjB;YACAJ,WAAWI,IAAI,CAAC,CAAC,WAAW,EAAEE,UAAUD,IAAI,CAAC,MAAM;QACrD;QAEA,IAAInD,QAAQqD,UAAU;YACpBP,WAAWI,IAAI,CAAC,CAAC,UAAU,EAAElD,OAAOqD,QAAQ,CAACF,IAAI,CAAC,MAAM;QAC1D,OAAO;YACL,0CAA0C;YAC1C,MAAME,WAAW;gBAAC;aAAS;YAC3B,IAAIN,mBAAmB;gBACrBM,SAASH,IAAI,CAAC;YAChB;YACAJ,WAAWI,IAAI,CAAC,CAAC,UAAU,EAAEG,SAASF,IAAI,CAAC,MAAM;QACnD;QAEA,IAAInD,QAAQsD,QAAQ;YAClBR,WAAWI,IAAI,CAAC,CAAC,QAAQ,EAAElD,OAAOsD,MAAM,CAACH,IAAI,CAAC,MAAM;QACtD,OAAO;YACLL,WAAWI,IAAI,CAAC;QAClB;QAEA,IAAIlD,QAAQuD,YAAY;YACtBT,WAAWI,IAAI,CAAC,CAAC,YAAY,EAAElD,OAAOuD,UAAU,CAACJ,IAAI,CAAC,MAAM;QAC9D,OAAO;YACLL,WAAWI,IAAI,CAAC;QAClB;QAEA,IAAIlD,QAAQwD,SAAS;YACnBV,WAAWI,IAAI,CAAC,CAAC,SAAS,EAAElD,OAAOwD,OAAO,CAACL,IAAI,CAAC,MAAM;QACxD,OAAO;YACLL,WAAWI,IAAI,CAAC;QAClB;QAEA,IAAIlD,QAAQyD,UAAU;YACpBX,WAAWI,IAAI,CAAC,CAAC,UAAU,EAAElD,OAAOyD,QAAQ,CAACN,IAAI,CAAC,MAAM;QAC1D,OAAO;YACLL,WAAWI,IAAI,CAAC;QAClB;QAEA,OAAOJ,WAAWK,IAAI,CAAC;IACzB;IAEA;;GAEC,GACD,OAAOO,WAAWnC,IAAY,EAAU;QACtC,MAAMoC,MAA8B;YAClC,KAAK;YACL,KAAK;YACL,KAAK;YACL,KAAK;YACL,KAAK;QACP;QACA,OAAOpC,KAAKC,OAAO,CAAC,YAAY,CAACoC,OAASD,GAAG,CAACC,KAAK;IACrD;IAEA;;GAEC,GACD,OAAOC,cAAcC,KAAc,EAIjC;QACA,IAAI,OAAOA,UAAU,UAAU;YAC7B,OAAO;gBAAEC,MAAM;YAAK;QACtB;QAEA,IAAI,IAAI,CAACpC,wBAAwB,CAACmC,QAAQ;YACxC,OAAO;gBACLC,MAAM;gBACNC,WAAW,IAAI,CAAC1C,YAAY,CAACwC;gBAC7BG,QAAQ;YACV;QACF;QAEA,eAAe;QACf,IAAI,IAAI,CAACtB,qBAAqB,CAACmB,QAAQ;YACrC,OAAO;gBACLC,MAAM;gBACNC,WAAW,IAAI,CAAC1C,YAAY,CAACwC;gBAC7BG,QAAQ;YACV;QACF;QAEA,OAAO;YAAEF,MAAM;YAAMC,WAAWF;QAAM;IACxC;IAEA;;GAEC,GACD,OAAOI,aAAaC,IAAa,EAAEC,WAAmB,EAAE,EAAEC,eAAuB,CAAC,EAAW;QAC3F,IAAIA,gBAAgBD,UAAU;YAC5B,OAAO,OAAO,SAAS;QACzB;QAEA,IAAID,SAAS,QAAQA,SAASzC,WAAW;YACvC,OAAOyC;QACT;QAEA,IAAI,OAAOA,SAAS,UAAU;YAC5B,IAAI,IAAI,CAACxC,wBAAwB,CAACwC,SAAS,IAAI,CAACxB,qBAAqB,CAACwB,OAAO;gBAC3E,OAAO,IAAI,CAAC7C,YAAY,CAAC6C;YAC3B;YACA,OAAOA;QACT;QAEA,IAAI,OAAOA,SAAS,YAAY,OAAOA,SAAS,WAAW;YACzD,OAAOA;QACT;QAEA,IAAIG,MAAMC,OAAO,CAACJ,OAAO;YACvB,OAAOA,KAAKR,GAAG,CAAC,CAACa,OAAS,IAAI,CAACN,YAAY,CAACM,MAAMJ,UAAUC,eAAe;QAC7E;QAEA,IAAI,OAAOF,SAAS,UAAU;YAC5B,MAAMH,YAAqC,CAAC;YAC5C,KAAK,MAAM,CAACS,KAAK7B,MAAM,IAAI8B,OAAOC,OAAO,CAACR,MAAO;gBAC/C,IAAI,IAAI,CAAC7B,gBAAgB,CAACmC,MAAM;oBAC9BT,SAAS,CAACS,IAAI,GAAG;gBACnB,OAAO;oBACLT,SAAS,CAACS,IAAI,GAAG,IAAI,CAACP,YAAY,CAACtB,OAAOwB,UAAUC,eAAe;gBACrE;YACF;YACA,OAAOL;QACT;QAEA,OAAOG;IACT;AACF"}
+{"version":3,"sources":["../../src/utils/security.ts"],"sourcesContent":["export { SecurityUtils, SENSITIVE_FIELDS } from '@vlian/utils';\nexport type { XSSConfig } from '@vlian/utils';\n"],"names":["SENSITIVE_FIELDS","SecurityUtils"],"mappings":";;;;;;;;;;;QAAwBA;eAAAA,uBAAgB;;QAA/BC;eAAAA,oBAAa;;;uBAA0B"}

package/dist/utils/security.d.ts

@@ -1,80 +1,2 @@
-/**
- * XSS 防护配置
- */
-export interface XSSConfig {
-    /**
-     * 是否允许 HTML 标签
-     */
-    allowHTML?: boolean;
-    /**
-     * 允许的 HTML 标签列表
-     */
-    allowedTags?: string[];
-    /**
-     * 允许的 HTML 属性列表
-     */
-    allowedAttributes?: string[];
-}
-/**
- * 敏感数据标识（扩展列表）
- */
-export declare const SENSITIVE_FIELDS: readonly ["password", "pwd", "passwd", "token", "secret", "key", "apiKey", "apikey", "api_key", "accessToken", "access_token", "refreshToken", "refresh_token", "authorization", "auth", "cookie", "session", "sessionId", "session_id", "creditCard", "credit_card", "cardNumber", "card_number", "cvv", "cvc", "ssn", "socialSecurityNumber", "social_security_number", "phone", "phoneNumber", "phone_number", "mobile", "email", "emailAddress", "email_address", "privateKey", "private_key", "secretKey", "secret_key", "apiSecret", "api_secret"];
-/**
- * 安全工具类
- */
-export declare class SecurityUtils {
-    /**
-     * 清理 HTML，防止 XSS 攻击
-     */
-    static sanitizeHTML(html: string, config?: XSSConfig): string;
-    /**
-     * 清理文本内容（移除所有 HTML 标签）
-     */
-    static sanitizeText(text: string): string;
-    /**
-     * 检查字符串是否包含潜在的危险内容
-     */
-    static containsDangerousContent(text: string): boolean;
-    /**
-     * 验证 URL 是否安全
-     */
-    static isSafeUrl(url: string): boolean;
-    /**
-     * 检查字段名是否为敏感字段
-     */
-    static isSensitiveField(fieldName: string): boolean;
-    /**
-     * 检查值是否包含敏感信息（基于模式匹配）
-     */
-    static containsSensitiveData(value: string): boolean;
-    /**
-     * 生成 CSP（Content Security Policy）头
-     */
-    static generateCSP(config?: {
-        defaultSrc?: string[];
-        scriptSrc?: string[];
-        styleSrc?: string[];
-        imgSrc?: string[];
-        connectSrc?: string[];
-        fontSrc?: string[];
-        frameSrc?: string[];
-        allowUnsafeInline?: boolean;
-        allowUnsafeEval?: boolean;
-    }): string;
-    /**
-     * 转义 HTML 特殊字符
-     */
-    static escapeHTML(text: string): string;
-    /**
-     * 验证输入是否安全
-     */
-    static validateInput(input: unknown): {
-        safe: boolean;
-        sanitized?: string;
-        reason?: string;
-    };
-    /**
-     * 深度脱敏处理（递归处理嵌套对象）
-     */
-    static deepSanitize(data: unknown, maxDepth?: number, currentDepth?: number): unknown;
-}
+export { SecurityUtils, SENSITIVE_FIELDS } from '@vlian/utils';
+export type { XSSConfig } from '@vlian/utils';