anentrypoint-design 0.0.205 → 0.0.206

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "anentrypoint-design",
-  "version": "0.0.205",
+  "version": "0.0.206",
   "description": "247420 design system SDK — webjsx + modified ripple-ui, single-file ESM bundle for reproducible use of the AnEntrypoint design.",
   "type": "module",
   "main": "./dist/247420.js",

package/src/components/community.js

@@ -2,6 +2,7 @@
 
 import * as webjsx from '../../vendor/webjsx/index.js';
 import { Icon } from './shell.js';
+import { sanitizeHtml } from '../markdown.js';
 const h = webjsx.createElement;
 
 // Clamp a count to a compact badge string (matches the rail's 99+ convention),
@@ -391,7 +392,13 @@ export function PageView({ title = '', html = '', isAdmin = false, onEdit } = {}
         ),
         h('div', {
             class: 'cm-page-body',
-            ref: (el) => { if (el) el.innerHTML = html || '<p class="cm-page-empty">This page is empty.</p>'; }
+            // Page bodies are host/user-authored HTML, so they pass through the
+            // DOMPurify gate before innerHTML — never injected raw (stored-XSS gate).
+            ref: (el) => {
+                if (!el) return;
+                if (!html) { el.innerHTML = '<p class="cm-page-empty">This page is empty.</p>'; return; }
+                sanitizeHtml(html).then((clean) => { el.innerHTML = clean; });
+            }
         })
     );
 }

package/src/components/content.js

@@ -53,7 +53,11 @@ export function Row({ code, rank, title, sub, meta, active, state = 'default', o
     const isLink = kind === 'link' || (href != null && !onClick);
     const isButton = !isLink && !!onClick;
     const stateCls = state === 'disabled' ? ' row-state-disabled' : (state === 'error' ? ' row-state-error' : '');
-    const cls = 'row' + (isActive ? ' active' : '') + stateCls + (cols ? ' row-grid' : '') + (rail ? ' rail-' + rail : '');
+    // With no leading/code, the title would otherwise land in the narrow code
+    // column and wrap; `row-nocode` collapses that column so the title gets the
+    // full width (meta still pinned right).
+    const noLead = codeVal == null && leading == null;
+    const cls = 'row' + (isActive ? ' active' : '') + stateCls + (cols ? ' row-grid' : '') + (noLead && !cols ? ' row-nocode' : '') + (rail ? ' rail-' + rail : '');
     const isDisabled = state === 'disabled';
     const props = { key, class: cls, style: cols ? `${style ? style + ';' : ''}grid-template-columns:${cols}` : style };
     if (isLink) {
@@ -168,7 +172,7 @@ export function WorksList({ works = [], openedIndex = -1, onToggle }) {
                     // Expand affordance: a chevron icon (down when open, right when
                     // collapsed) separated from the meta text by a CSS gap, not a
                     // literal +/- with a double-space.
-                    meta: h('span', { class: 'ds-works-meta', style: 'display:inline-flex;align-items:center;gap:.4em' },
+                    meta: h('span', { class: 'ds-works-meta' },
                         w.meta != null ? h('span', {}, w.meta) : null,
                         Icon(isOpen ? 'chevron-down' : 'chevron-right')),
                     active: isOpen,

package/src/markdown.js

@@ -52,3 +52,13 @@ export async function renderMarkdown(src) {
     const raw = _marked.parse(String(src));
     return _purify.sanitize(raw);
 }
+
+// Sanitize already-rendered HTML before it touches innerHTML. For any surface
+// that injects host/user-authored HTML (e.g. a wiki page body), this is the
+// single XSS gate — DOMPurify strips scripts/handlers. If the purifier hasn't
+// loaded, we safe-fail by escaping (raw tags show as text, never execute).
+export async function sanitizeHtml(html) {
+    const ok = await ensureReady();
+    if (!ok) return escapeHtml(html);
+    return _purify.sanitize(String(html));
+}