npm - @wdprlib/render - Versions diffs - 2.0.0 → 3.0.0 - Mend

@wdprlib/render 2.0.0 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/dist/index.cjs +2332 -2032
package/dist/index.d.cts +15 -13
package/dist/index.d.ts +15 -13
package/dist/index.js +2336 -2036
package/package.json +5 -3
package/src/context/attributes.ts +14 -0
package/src/context/bibliography.ts +109 -0
package/src/context/counters.ts +51 -0
package/src/context/image-urls.ts +31 -0
package/src/context/index.ts +285 -0
package/src/context/output.ts +17 -0
package/src/context/page-urls.ts +81 -0
package/src/context/style-slots.ts +29 -0
package/src/context/urls.ts +2 -0
package/src/elements/bibliography/block.ts +27 -0
package/src/elements/bibliography/cite.ts +23 -0
package/src/elements/bibliography/ids.ts +9 -0
package/src/elements/bibliography/index.ts +9 -0
package/src/elements/clear-float.ts +27 -0
package/src/elements/code/contents.ts +18 -0
package/src/elements/code/index.ts +29 -0
package/src/elements/collapsible/index.ts +31 -0
package/src/elements/collapsible/labels.ts +35 -0
package/src/elements/collapsible/link.ts +11 -0
package/src/elements/collapsible/sections.ts +39 -0
package/src/elements/color.ts +32 -0
package/src/elements/container/attributes.ts +28 -0
package/src/elements/container/header.ts +27 -0
package/src/elements/container/index.ts +35 -0
package/src/elements/container/string-container.ts +40 -0
package/src/elements/container/string-types.ts +63 -0
package/src/elements/container/wrappers.ts +32 -0
package/src/elements/date/format.ts +20 -0
package/src/elements/date/index.ts +34 -0
package/src/elements/date/output.ts +6 -0
package/src/elements/embed/iframe.ts +8 -0
package/src/elements/embed/index.ts +28 -0
package/src/elements/embed/providers.ts +43 -0
package/src/elements/embed/validation.ts +15 -0
package/src/elements/embed-block/allowlist.ts +60 -0
package/src/elements/embed-block/boolean-attributes.ts +38 -0
package/src/elements/embed-block/iframe.ts +33 -0
package/src/elements/embed-block/index.ts +31 -0
package/src/elements/embed-block/sanitize-config.ts +22 -0
package/src/elements/embed-block/sanitize.ts +44 -0
package/src/elements/expr/branch.ts +29 -0
package/src/elements/expr/index.ts +63 -0
package/src/elements/expr/result.ts +19 -0
package/src/elements/footnote/body.ts +11 -0
package/src/elements/footnote/index.ts +35 -0
package/src/elements/footnote/ref.ts +16 -0
package/src/elements/html/attributes.ts +24 -0
package/src/elements/html/index.ts +39 -0
package/src/elements/html/url.ts +19 -0
package/src/elements/iframe/attributes.ts +28 -0
package/src/elements/iframe/index.ts +22 -0
package/src/elements/iftags/condition.ts +42 -0
package/src/elements/iftags/index.ts +39 -0
package/src/elements/iftags/style-slot.ts +23 -0
package/src/elements/iftags/tokens.ts +36 -0
package/src/elements/image/alignment.ts +44 -0
package/src/elements/image/attributes.ts +10 -0
package/src/elements/image/img-attributes.ts +26 -0
package/src/elements/image/index.ts +36 -0
package/src/elements/image/link-href.ts +24 -0
package/src/elements/image/link.ts +13 -0
package/src/elements/image/source.ts +16 -0
package/src/elements/include/index.ts +35 -0
package/src/elements/include/missing.ts +15 -0
package/src/elements/index.ts +35 -0
package/src/elements/line-break.ts +22 -0
package/src/elements/link/anchor-name.ts +6 -0
package/src/elements/link/anchor.ts +27 -0
package/src/elements/link/attributes.ts +47 -0
package/src/elements/link/index.ts +26 -0
package/src/elements/link/label.ts +23 -0
package/src/elements/link/target.ts +20 -0
package/src/elements/list/attributes.ts +19 -0
package/src/elements/list/definition-list.ts +16 -0
package/src/elements/list/index.ts +48 -0
package/src/elements/list/item-rendering.ts +38 -0
package/src/elements/list/items.ts +61 -0
package/src/elements/list/no-marker.ts +53 -0
package/src/elements/list/paragraphs.ts +34 -0
package/src/elements/list/trim.ts +38 -0
package/src/elements/math/block.ts +29 -0
package/src/elements/math/equation-ref.ts +12 -0
package/src/elements/math/index.ts +14 -0
package/src/elements/math/inline.ts +19 -0
package/src/elements/math/latex.ts +27 -0
package/src/elements/math/source.ts +18 -0
package/src/elements/module/backlinks.ts +29 -0
package/src/elements/module/categories.ts +27 -0
package/src/elements/module/empty-container.ts +10 -0
package/src/elements/module/index.ts +65 -0
package/src/elements/module/join-markup.ts +10 -0
package/src/elements/module/join.ts +28 -0
package/src/elements/module/listpages.ts +27 -0
package/src/elements/module/listusers.ts +27 -0
package/src/elements/module/page-tree.ts +27 -0
package/src/elements/module/rate-markup.ts +10 -0
package/src/elements/module/rate.ts +35 -0
package/src/elements/module/unknown.ts +11 -0
package/src/elements/tab-view/ids.ts +16 -0
package/src/elements/tab-view/index.ts +31 -0
package/src/elements/tab-view/navigation.ts +15 -0
package/src/elements/tab-view/panels.ts +16 -0
package/src/elements/table/attributes.ts +23 -0
package/src/elements/table/cell-attributes.ts +62 -0
package/src/elements/table/cell.ts +13 -0
package/src/elements/table/index.ts +27 -0
package/src/elements/text/email.ts +20 -0
package/src/elements/text/index.ts +11 -0
package/src/elements/text/plain.ts +11 -0
package/src/elements/text/raw.ts +20 -0
package/src/elements/toc/body.ts +12 -0
package/src/elements/toc/entries.ts +34 -0
package/src/elements/toc/frame.ts +27 -0
package/src/elements/toc/index.ts +17 -0
package/src/elements/toc/link.ts +26 -0
package/src/elements/user/index.ts +40 -0
package/src/elements/user/markup.ts +34 -0
package/src/elements/user/resolve.ts +6 -0
package/src/escape/attribute-allowlists.ts +101 -0
package/src/escape/attributes.ts +62 -0
package/src/escape/css-color-functions.ts +18 -0
package/src/escape/css-colors.ts +183 -0
package/src/escape/css-danger.ts +22 -0
package/src/escape/css-normalize.ts +54 -0
package/src/escape/css-style.ts +78 -0
package/src/escape/css-urls.ts +76 -0
package/src/escape/css.ts +4 -0
package/src/escape/email.ts +22 -0
package/src/escape/html.ts +68 -0
package/src/escape/index.ts +15 -0
package/src/escape/url.ts +18 -0
package/src/hash.ts +62 -0
package/src/index.ts +26 -0
package/src/libs/highlighter/engine/end-pattern.ts +26 -0
package/src/libs/highlighter/engine/html.ts +19 -0
package/src/libs/highlighter/engine/index.ts +3 -0
package/src/libs/highlighter/engine/keywords.ts +22 -0
package/src/libs/highlighter/engine/parts.ts +36 -0
package/src/libs/highlighter/engine/preprocess.ts +10 -0
package/src/libs/highlighter/engine/render.ts +31 -0
package/src/libs/highlighter/engine/token.ts +7 -0
package/src/libs/highlighter/engine/tokenizer.ts +266 -0
package/src/libs/highlighter/engine/utils.ts +38 -0
package/src/libs/highlighter/index.ts +70 -0
package/src/libs/highlighter/languages/cpp.ts +345 -0
package/src/libs/highlighter/languages/css.ts +104 -0
package/src/libs/highlighter/languages/diff.ts +154 -0
package/src/libs/highlighter/languages/dtd.ts +99 -0
package/src/libs/highlighter/languages/html.ts +59 -0
package/src/libs/highlighter/languages/java.ts +251 -0
package/src/libs/highlighter/languages/javascript.ts +213 -0
package/src/libs/highlighter/languages/php.ts +433 -0
package/src/libs/highlighter/languages/python.ts +308 -0
package/src/libs/highlighter/languages/ruby.ts +360 -0
package/src/libs/highlighter/languages/sql.ts +125 -0
package/src/libs/highlighter/languages/xml.ts +68 -0
package/src/libs/highlighter/types.ts +44 -0
package/src/render/collected-styles.ts +22 -0
package/src/render/dispatch.ts +181 -0
package/src/render/index.ts +28 -0
package/src/render/primitives.ts +17 -0
package/src/render/style-tag.ts +6 -0
package/src/render/style.ts +15 -0
package/src/types.ts +144 -0

package/src/elements/table/attributes.ts ADDED Viewed

@@ -0,0 +1,23 @@
+import { escapeAttr, sanitizeAttributes } from "../../escape";
+export { renderTableCellAttrs } from "./cell-attributes";
+export function renderTableAttrs(attributes: Record<string, string>): string {
+  let hasRenderableAttributes = false;
+  for (const key in attributes) {
+    if (!key.startsWith("_")) {
+      hasRenderableAttributes = true;
+      break;
+    }
+  }
+  if (!hasRenderableAttributes) return "";
+  const safe = sanitizeAttributes(attributes);
+  let result = "";
+  for (const key in safe) {
+    if (key.startsWith("_")) continue;
+    const value = safe[key]!;
+    result += ` ${key}="${escapeAttr(value)}"`;
+  }
+  return result;
+}

package/src/elements/table/cell-attributes.ts ADDED Viewed

@@ -0,0 +1,62 @@
+import type { TableCell } from "@wdprlib/ast";
+import { escapeAttr, sanitizeAttributes } from "../../escape";
+export function renderTableCellAttrs(cell: TableCell): string {
+  const attrs: string[] = [];
+  const safeCellAttrs = sanitizeAttributes(cell.attributes);
+  appendColumnSpan(attrs, cell);
+  appendRowSpan(attrs, safeCellAttrs);
+  appendAlignmentStyle(attrs, cell, safeCellAttrs);
+  appendRemainingCellAttributes(attrs, cell, safeCellAttrs);
+  return attrs.length > 0 ? " " + attrs.join(" ") : "";
+}
+function appendColumnSpan(attrs: string[], cell: TableCell): void {
+  if (cell["column-span"] > 1) {
+    attrs.push(`colspan="${cell["column-span"]}"`);
+  }
+}
+function appendRowSpan(attrs: string[], safeCellAttrs: Record<string, string>): void {
+  if (!safeCellAttrs.rowspan) {
+    return;
+  }
+  const rowspan = parseInt(safeCellAttrs.rowspan, 10);
+  if (rowspan > 1) {
+    attrs.push(`rowspan="${rowspan}"`);
+  }
+}
+function appendAlignmentStyle(
+  attrs: string[],
+  cell: TableCell,
+  safeCellAttrs: Record<string, string>,
+): void {
+  if (!cell.align) {
+    return;
+  }
+  const existingStyle = safeCellAttrs.style ?? "";
+  const alignStyle = `text-align: ${cell.align};`;
+  if (existingStyle) {
+    attrs.push(`style="${escapeAttr(existingStyle + "; " + alignStyle)}"`);
+  } else {
+    attrs.push(`style="${alignStyle}"`);
+  }
+}
+function appendRemainingCellAttributes(
+  attrs: string[],
+  cell: TableCell,
+  safeCellAttrs: Record<string, string>,
+): void {
+  for (const key in safeCellAttrs) {
+    if (key === "style" && cell.align) continue;
+    if (key === "rowspan") continue;
+    const value = safeCellAttrs[key]!;
+    attrs.push(`${key}="${escapeAttr(value)}"`);
+  }
+}

package/src/elements/table/cell.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import type { TableCell } from "@wdprlib/ast";
+import type { RenderContext } from "../../context";
+import { renderElements } from "../../render";
+import { renderTableCellAttrs } from "./attributes";
+export function renderTableCell(ctx: RenderContext, cell: TableCell): void {
+  const tag = cell.header ? "th" : "td";
+  const attrStr = renderTableCellAttrs(cell);
+  ctx.push(`<${tag}${attrStr}>`);
+  renderElements(ctx, cell.elements);
+  ctx.push(`</${tag}>`);
+}

package/src/elements/table/index.ts ADDED Viewed

@@ -0,0 +1,27 @@
+/**
+ *
+ * Renderer for Wikidot table elements.
+ *
+ * @module
+ */
+import type { TableData } from "@wdprlib/ast";
+import type { RenderContext } from "../../context";
+import { renderTableAttrs } from "./attributes";
+import { renderTableCell } from "./cell";
+export function renderTable(ctx: RenderContext, data: TableData): void {
+  const isPipeTable = data.attributes._source === "pipe";
+  const classAttr = isPipeTable ? ' class="wiki-content-table"' : "";
+  ctx.push(`<table${classAttr}${renderTableAttrs(data.attributes)}>`);
+  for (const row of data.rows) {
+    ctx.push(`<tr${renderTableAttrs(row.attributes)}>`);
+    for (const cell of row.cells) {
+      renderTableCell(ctx, cell);
+    }
+    ctx.push("</tr>");
+  }
+  ctx.push("</table>");
+}

package/src/elements/text/email.ts ADDED Viewed

@@ -0,0 +1,20 @@
+import type { RenderContext } from "../../context";
+import { escapeAttr, escapeHtml, isValidEmail } from "../../escape";
+/**
+ * Render an email address element as a `mailto:` link.
+ *
+ * The email is validated before creating the link. Invalid email addresses
+ * are rendered as plain escaped text to prevent `mailto:` injection.
+ *
+ * @param ctx - The current render context.
+ * @param email - The email address string.
+ */
+export function renderEmail(ctx: RenderContext, email: string): void {
+  if (!isValidEmail(email)) {
+    ctx.pushEscaped(email);
+    return;
+  }
+  ctx.push(`<a href="mailto:${escapeAttr(email)}">${escapeHtml(email)}</a>`);
+}

package/src/elements/text/index.ts ADDED Viewed

@@ -0,0 +1,11 @@
+/**
+ *
+ * Renderers for text-level AST nodes: plain text, raw/literal text,
+ * and email addresses.
+ *
+ * @module
+ */
+export { renderEmail } from "./email";
+export { renderRaw } from "./raw";
+export { renderText } from "./plain";

package/src/elements/text/plain.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import type { RenderContext } from "../../context";
+/**
+ * Render a plain text node by HTML-escaping and appending to the output.
+ *
+ * @param ctx - The current render context.
+ * @param data - The raw text content.
+ */
+export function renderText(ctx: RenderContext, data: string): void {
+  ctx.pushEscaped(data);
+}

package/src/elements/text/raw.ts ADDED Viewed

@@ -0,0 +1,20 @@
+import type { RenderContext } from "../../context";
+import { escapeHtml } from "../../escape";
+/**
+ * Render raw/literal text (Wikidot `@@...@@` syntax).
+ *
+ * Raw text is rendered inside a `<span style="white-space: pre-wrap;">` with
+ * spaces encoded as `&#32;` to preserve Wikidot's exact formatting. Empty
+ * strings produce no output.
+ *
+ * @param ctx - The current render context.
+ * @param data - The raw text content.
+ */
+export function renderRaw(ctx: RenderContext, data: string): void {
+  if (data === "") return;
+  ctx.push(`<span style="white-space: pre-wrap;">`);
+  ctx.push(escapeHtml(data).replace(/ /g, "&#32;"));
+  ctx.push("</span>");
+}

package/src/elements/toc/body.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import type { RenderContext } from "../../context";
+import { renderTocEntries } from "./entries";
+export function renderTocBody(ctx: RenderContext): void {
+  ctx.push(
+    `<div id="toc-action-bar"><a href="javascript:;">Fold</a><a style="display: none" href="javascript:;">Unfold</a></div>`,
+  );
+  ctx.push(`<div class="title">Table of Contents</div>`);
+  ctx.push(`<div id="toc-list">`);
+  renderTocEntries(ctx, ctx.tocElements);
+  ctx.push("</div>");
+}

package/src/elements/toc/entries.ts ADDED Viewed

@@ -0,0 +1,34 @@
+import type { Element, ListData, ListItem } from "@wdprlib/ast";
+import type { RenderContext } from "../../context";
+import { escapeAttr, escapeHtml } from "../../escape";
+import { extractTocLink, rewriteTocAnchor } from "./link";
+export function renderTocEntries(ctx: RenderContext, elements: Element[]): void {
+  for (const element of elements) {
+    if (element.element === "list") {
+      renderTocList(ctx, element.data, 1);
+    }
+  }
+}
+function renderTocList(ctx: RenderContext, listData: ListData, depth: number): void {
+  for (const item of listData.items) {
+    renderTocItem(ctx, item, depth);
+  }
+}
+function renderTocItem(ctx: RenderContext, item: ListItem, depth: number): void {
+  if (item["item-type"] === "elements") {
+    for (const el of item.elements) {
+      const link = extractTocLink(el);
+      if (link) {
+        const href = rewriteTocAnchor(ctx, link.href);
+        ctx.push(
+          `<div style="margin-left: ${depth}em;"><a href="${escapeAttr(href)}">${escapeHtml(link.text)}</a></div>`,
+        );
+      }
+    }
+  } else if (item["item-type"] === "sub-list") {
+    renderTocList(ctx, item.data, depth + 1);
+  }
+}

package/src/elements/toc/frame.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import type { Alignment } from "@wdprlib/ast";
+import type { RenderContext } from "../../context";
+export function isFloatingToc(align: Alignment | null): boolean {
+  return align === "left" || align === "right";
+}
+export function openTocFrame(ctx: RenderContext, align: Alignment | null): void {
+  if (!isFloatingToc(align)) {
+    ctx.push(`<table style="margin:0; padding:0"><tr><td style="margin:0; padding:0">`);
+  }
+  if (isFloatingToc(align)) {
+    const floatClass = align === "left" ? "floatleft" : "floatright";
+    ctx.push(`<div id="toc" class="${floatClass}">`);
+  } else {
+    ctx.push(`<div id="toc">`);
+  }
+}
+export function closeTocFrame(ctx: RenderContext, align: Alignment | null): void {
+  ctx.push("</div>");
+  if (!isFloatingToc(align)) {
+    ctx.push(`</td></tr></table>`);
+  }
+}

package/src/elements/toc/index.ts ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ *
+ * Renderer for `[[toc]]` (Table of Contents) elements.
+ *
+ * @module
+ */
+import type { TableOfContentsData } from "@wdprlib/ast";
+import type { RenderContext } from "../../context";
+import { renderTocBody } from "./body";
+import { closeTocFrame, openTocFrame } from "./frame";
+export function renderTableOfContents(ctx: RenderContext, data: TableOfContentsData): void {
+  openTocFrame(ctx, data.align);
+  renderTocBody(ctx);
+  closeTocFrame(ctx, data.align);
+}

package/src/elements/toc/link.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import type { Element } from "@wdprlib/ast";
+import type { RenderContext } from "../../context";
+export interface TocLink {
+  href: string;
+  text: string;
+}
+export function extractTocLink(element: Element): TocLink | null {
+  if (element.element !== "link") return null;
+  const label = element.data.label;
+  let text = "";
+  if (typeof label === "object" && label !== null && "text" in label) {
+    text = label.text;
+  }
+  const href = typeof element.data.link === "string" ? element.data.link : "";
+  return { href, text };
+}
+export function rewriteTocAnchor(ctx: RenderContext, href: string): string {
+  const match = /^#toc(\d+)$/.exec(href);
+  if (!match) return href;
+  return `#${ctx.generateId("toc", Number(match[1]))}`;
+}

package/src/elements/user/index.ts ADDED Viewed

@@ -0,0 +1,40 @@
+/**
+ *
+ * Renderer for `[[user username]]` elements.
+ *
+ * @module
+ */
+import type { UserData } from "@wdprlib/ast";
+import type { RenderContext } from "../../context";
+import { escapeHtml } from "../../escape";
+import { getResolvedUser } from "./resolve";
+import { renderAvatarUser, renderLinkedUser } from "./markup";
+/**
+ * Render a `[[user username]]` element.
+ *
+ * @param ctx - The current render context.
+ * @param data - User element data with username and show-avatar flag.
+ */
+export function renderUser(ctx: RenderContext, data: UserData): void {
+  const normalized = data.name.toLowerCase().trim();
+  if (normalized === "anonymous") {
+    ctx.push("Anonymous");
+    return;
+  }
+  const resolved = getResolvedUser(ctx, data.name);
+  if (resolved === null) {
+    ctx.push(escapeHtml(data.name));
+    return;
+  }
+  const showAvatar = data["show-avatar"] && resolved.url && resolved.avatarUrl;
+  if (showAvatar) {
+    renderAvatarUser(ctx, data.name, resolved);
+  } else {
+    renderLinkedUser(ctx, data.name, resolved);
+  }
+}

package/src/elements/user/markup.ts ADDED Viewed

@@ -0,0 +1,34 @@
+import type { RenderContext } from "../../context";
+import type { ResolvedUser } from "../../types";
+import { escapeAttr, escapeHtml } from "../../escape";
+export function renderLinkedUser(ctx: RenderContext, username: string, user: ResolvedUser): void {
+  const displayName = user.name ?? username;
+  const hrefAttr = user.url ? ` href="${escapeAttr(user.url)}"` : "";
+  ctx.push(`<span class="printuser">`);
+  ctx.push(`<a${hrefAttr}>`);
+  ctx.push(escapeHtml(displayName));
+  ctx.push("</a>");
+  ctx.push("</span>");
+}
+export function renderAvatarUser(ctx: RenderContext, username: string, user: ResolvedUser): void {
+  const displayName = user.name ?? username;
+  const hrefAttr = user.url ? ` href="${escapeAttr(user.url)}"` : "";
+  const avatarUrl = user.avatarUrl ?? "";
+  const styleAttr = user.karmaUrl
+    ? ` style="background-image:url(${escapeAttr(user.karmaUrl)})"`
+    : "";
+  ctx.push(`<span class="printuser avatarhover">`);
+  ctx.push(`<a${hrefAttr}>`);
+  ctx.push(
+    `<img class="small" src="${escapeAttr(avatarUrl)}" alt="${escapeAttr(displayName)}"${styleAttr} />`,
+  );
+  ctx.push("</a>");
+  ctx.push(`<a${hrefAttr}>`);
+  ctx.push(escapeHtml(displayName));
+  ctx.push("</a>");
+  ctx.push("</span>");
+}

package/src/elements/user/resolve.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import type { RenderContext } from "../../context";
+import type { ResolvedUser } from "../../types";
+export function getResolvedUser(ctx: RenderContext, username: string): ResolvedUser | null {
+  return ctx.options.resolvers?.user?.(username) ?? null;
+}

package/src/escape/attribute-allowlists.ts ADDED Viewed

@@ -0,0 +1,101 @@
+/**
+ * HTML attribute names considered safe for rendering.
+ */
+export const SAFE_ATTRIBUTES: ReadonlySet<string> = new Set([
+  "accept",
+  "align",
+  "alt",
+  "autocapitalize",
+  "autoplay",
+  "background",
+  "bgcolor",
+  "border",
+  "buffered",
+  "checked",
+  "cite",
+  "class",
+  "cols",
+  "colspan",
+  "contenteditable",
+  "controls",
+  "coords",
+  "datetime",
+  "decoding",
+  "default",
+  "dir",
+  "dirname",
+  "disabled",
+  "download",
+  "draggable",
+  "for",
+  "form",
+  "headers",
+  "height",
+  "hidden",
+  "high",
+  "href",
+  "hreflang",
+  "id",
+  "inputmode",
+  "ismap",
+  "itemprop",
+  "kind",
+  "label",
+  "lang",
+  "list",
+  "loop",
+  "low",
+  "max",
+  "maxlength",
+  "min",
+  "minlength",
+  "multiple",
+  "muted",
+  "name",
+  "optimum",
+  "pattern",
+  "placeholder",
+  "poster",
+  "preload",
+  "readonly",
+  "required",
+  "reversed",
+  "role",
+  "rows",
+  "rowspan",
+  "scope",
+  "selected",
+  "shape",
+  "size",
+  "sizes",
+  "span",
+  "spellcheck",
+  "src",
+  "srclang",
+  "srcset",
+  "start",
+  "step",
+  "style",
+  "tabindex",
+  "target",
+  "title",
+  "translate",
+  "type",
+  "usemap",
+  "value",
+  "width",
+  "wrap",
+]);
+/**
+ * Attribute names whose values are interpreted as URLs by browsers.
+ */
+export const URL_ATTRIBUTES: ReadonlySet<string> = new Set([
+  "href",
+  "src",
+  "action",
+  "formaction",
+  "srcset",
+  "poster",
+  "background",
+]);

package/src/escape/attributes.ts ADDED Viewed

@@ -0,0 +1,62 @@
+import { sanitizeStyleValue } from "./css";
+import { SAFE_ATTRIBUTES, URL_ATTRIBUTES } from "./attribute-allowlists";
+import { isDangerousUrl } from "./url";
+/**
+ * Check whether an HTML attribute name is safe to include in rendered output.
+ *
+ * The check applies three rules in order:
+ * 1. Block all event handlers (`on*` prefix) unconditionally
+ * 2. Allow accessibility (`aria-*`) and custom data (`data-*`) attributes
+ * 3. Allow only attributes in the `SAFE_ATTRIBUTES` allowlist
+ *
+ * @param name - The attribute name to validate (case-insensitive).
+ * @returns `true` if the attribute is safe to render.
+ */
+export function isSafeAttribute(name: string): boolean {
+  const lower = name.toLowerCase();
+  return isSafeAttributeLower(lower);
+}
+export function isSafeAttributeLower(lower: string): boolean {
+  // Block all event handlers
+  if (lower.startsWith("on")) return false;
+  // Allow aria-* and data-* prefixes
+  if (lower.startsWith("aria-") || lower.startsWith("data-")) return true;
+  return SAFE_ATTRIBUTES.has(lower);
+}
+/**
+ * Sanitize a map of HTML attributes, returning a new map containing
+ * only entries that pass all safety checks.
+ *
+ * For each attribute, this function:
+ * 1. Drops attributes that fail {@link isSafeAttribute} (event handlers, unknown names)
+ * 2. Drops URL-bearing attributes whose values fail {@link isDangerousUrl}
+ * 3. Sanitizes `style` values via {@link sanitizeStyleValue}, dropping them entirely
+ *    if the result is empty
+ * 4. Passes all other safe attributes through unchanged
+ *
+ * @param attributes - The raw attribute name-value map to sanitize.
+ * @returns A new map containing only the safe attributes and their (possibly sanitized) values.
+ */
+export function sanitizeAttributes(attributes: Record<string, string>): Record<string, string> {
+  const result: Record<string, string> = {};
+  for (const key in attributes) {
+    const value = attributes[key]!;
+    const lower = key.toLowerCase();
+    if (!isSafeAttributeLower(lower)) continue;
+    // Check URL attributes for dangerous schemes
+    if (URL_ATTRIBUTES.has(lower) && isDangerousUrl(value)) continue;
+    // Sanitize style attribute
+    if (lower === "style") {
+      const sanitized = sanitizeStyleValue(value);
+      if (sanitized) {
+        result[key] = sanitized;
+      }
+      continue;
+    }
+    result[key] = value;
+  }
+  return result;
+}

package/src/escape/css-color-functions.ts ADDED Viewed

@@ -0,0 +1,18 @@
+export function isValidCssColorFunction(color: string): boolean {
+  const fnMatch = color.match(/^(rgba?|hsla?)\(([^)]*)\)$/);
+  if (!fnMatch) {
+    return false;
+  }
+  const fn = fnMatch[1]!;
+  const args = fnMatch[2]!
+    .split(",")
+    .map((s) => s.trim())
+    .join(",");
+  if (fn.startsWith("rgb")) {
+    return /^\d{1,3},\d{1,3},\d{1,3}(,(0|1|0?\.\d+))?$/.test(args);
+  }
+  return /^\d{1,3},\d{1,3}%,\d{1,3}%(,(0|1|0?\.\d+))?$/.test(args);
+}