boltdocs 1.3.0 → 1.3.2

package/dist/{cache-EHR7SXRU.mjs → cache-GQHF6BXI.mjs}

@@ -3,7 +3,7 @@ import {
   FileCache,
   TransformCache,
   flushCache
-} from "./chunk-GSYECEZY.mjs";
+} from "./chunk-CYBWLFOG.mjs";
 export {
   AssetCache,
   FileCache,

package/dist/{chunk-GSYECEZY.mjs → chunk-CYBWLFOG.mjs}

@@ -34,7 +34,10 @@ function parseFrontmatter(filePath) {
   return { data, content };
 }
 function escapeHtml(str) {
-  return str.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+  return str.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&apos;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+function escapeXml(str) {
+  return escapeHtml(str);
 }
 function fileToRoutePath(relativePath) {
   let cleanedPath = relativePath.split("/").map(stripNumberPrefix).join("/");
@@ -372,6 +375,7 @@ export {
   isDocFile,
   parseFrontmatter,
   escapeHtml,
+  escapeXml,
   fileToRoutePath,
   capitalize,
   FileCache,

package/dist/node/index.js

@@ -57,7 +57,10 @@ function parseFrontmatter(filePath) {
   return { data, content };
 }
 function escapeHtml(str) {
-  return str.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+  return str.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/'/g, "&apos;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
+}
+function escapeXml(str) {
+  return escapeHtml(str);
 }
 function fileToRoutePath(relativePath) {
   let cleanedPath = relativePath.split("/").map(stripNumberPrefix).join("/");
@@ -445,8 +448,18 @@ var import_path2 = __toESM(require("path"));
 var import_github_slugger = __toESM(require("github-slugger"));
 init_utils();
 function parseDocFile(file, docsDir, basePath, config) {
+  const decodedFile = decodeURIComponent(file);
+  const absoluteFile = import_path2.default.resolve(decodedFile);
+  const absoluteDocsDir = import_path2.default.resolve(docsDir);
+  const relativePath = normalizePath(
+    import_path2.default.relative(absoluteDocsDir, absoluteFile)
+  );
+  if (relativePath.startsWith("../") || relativePath === ".." || absoluteFile.includes("\0")) {
+    throw new Error(
+      `Security breach: File is outside of docs directory or contains null bytes: ${file}`
+    );
+  }
   const { data, content } = parseFrontmatter(file);
-  const relativePath = normalizePath(import_path2.default.relative(docsDir, file));
   let parts = relativePath.split("/");
   let locale;
   let version;
@@ -492,25 +505,30 @@ function parseDocFile(file, docsDir, basePath, config) {
     const level = match[1].length;
     const text = match[2].replace(/\[([^\]]+)\]\([^\)]+\)/g, "$1").replace(/[_*`]/g, "").trim();
     const id = slugger.slug(text);
-    headings.push({ level, text, id });
+    headings.push({ level, text: escapeHtml(text), id });
   }
+  const sanitizedTitle = data.title ? escapeHtml(data.title) : inferredTitle;
+  const sanitizedDescription = data.description ? escapeHtml(data.description) : "";
+  const sanitizedBadge = data.badge ? escapeHtml(data.badge) : void 0;
   return {
     route: {
       path: finalPath,
       componentPath: file,
       filePath: relativePath,
-      title: data.title || inferredTitle,
-      description: data.description || "",
+      title: sanitizedTitle,
+      description: sanitizedDescription,
       sidebarPosition,
       headings,
       locale,
       version,
-      badge: data.badge
+      badge: sanitizedBadge
     },
     relativeDir: cleanDirName,
     isGroupIndex,
     groupMeta: isGroupIndex ? {
-      title: data.groupTitle || data.title || (cleanDirName ? capitalize(cleanDirName) : ""),
+      title: escapeHtml(
+        data.groupTitle || data.title || (cleanDirName ? capitalize(cleanDirName) : "")
+      ),
       position: data.groupPosition ?? data.sidebarPosition ?? (rawDirName ? extractNumberPrefix(rawDirName) : void 0)
     } : void 0,
     inferredGroupPosition: rawDirName ? extractNumberPrefix(rawDirName) : void 0
@@ -707,26 +725,24 @@ var import_url2 = require("url");
 var import_module = require("module");
 
 // src/node/ssg/meta.ts
+init_utils();
 function replaceMetaTags(html, meta) {
-  return html.replace(/<title>.*?<\/title>/, `<title>${meta.title}</title>`).replace(
+  const title = escapeHtml(meta.title);
+  const description = escapeHtml(meta.description);
+  return html.replace(/<title>.*?<\/title>/, `<title>${title}</title>`).replace(
     /(<meta name="description" content=")[^"]*(")/,
-    `$1${meta.description}$2`
-  ).replace(
-    /(<meta property="og:title" content=")[^"]*(")/,
-    `$1${meta.title}$2`
-  ).replace(
+    `$1${description}$2`
+  ).replace(/(<meta property="og:title" content=")[^"]*(")/, `$1${title}$2`).replace(
     /(<meta property="og:description" content=")[^"]*(")/,
-    `$1${meta.description}$2`
-  ).replace(
-    /(<meta name="twitter:title" content=")[^"]*(")/,
-    `$1${meta.title}$2`
-  ).replace(
+    `$1${description}$2`
+  ).replace(/(<meta name="twitter:title" content=")[^"]*(")/, `$1${title}$2`).replace(
     /(<meta name="twitter:description" content=")[^"]*(")/,
-    `$1${meta.description}$2`
+    `$1${description}$2`
   );
 }
 
 // src/node/ssg/sitemap.ts
+init_utils();
 function generateSitemap(routePaths, config) {
   const baseUrl = config?.siteUrl?.replace(/\/$/, "") || "https://example.com";
   const today = (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
@@ -755,7 +771,7 @@ function generateSitemap(routePaths, config) {
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
 ${entries.map(
     (e) => `  <url>
-    <loc>${baseUrl}${e.url}</loc>
+    <loc>${escapeXml(baseUrl)}${escapeXml(e.url)}</loc>
     <lastmod>${today}</lastmod>
     <changefreq>${e.changefreq}</changefreq>
     <priority>${e.priority}</priority>

package/dist/node/index.mjs

@@ -3,13 +3,14 @@ import {
   TransformCache,
   capitalize,
   escapeHtml,
+  escapeXml,
   extractNumberPrefix,
   fileToRoutePath,
   isDocFile,
   normalizePath,
   parseFrontmatter,
   stripNumberPrefix
-} from "../chunk-GSYECEZY.mjs";
+} from "../chunk-CYBWLFOG.mjs";
 
 // src/node/plugin/index.ts
 import { loadEnv } from "vite";
@@ -30,8 +31,18 @@ function invalidateFile(filePath) {
 import path from "path";
 import GithubSlugger from "github-slugger";
 function parseDocFile(file, docsDir, basePath, config) {
+  const decodedFile = decodeURIComponent(file);
+  const absoluteFile = path.resolve(decodedFile);
+  const absoluteDocsDir = path.resolve(docsDir);
+  const relativePath = normalizePath(
+    path.relative(absoluteDocsDir, absoluteFile)
+  );
+  if (relativePath.startsWith("../") || relativePath === ".." || absoluteFile.includes("\0")) {
+    throw new Error(
+      `Security breach: File is outside of docs directory or contains null bytes: ${file}`
+    );
+  }
   const { data, content } = parseFrontmatter(file);
-  const relativePath = normalizePath(path.relative(docsDir, file));
   let parts = relativePath.split("/");
   let locale;
   let version;
@@ -77,25 +88,30 @@ function parseDocFile(file, docsDir, basePath, config) {
     const level = match[1].length;
     const text = match[2].replace(/\[([^\]]+)\]\([^\)]+\)/g, "$1").replace(/[_*`]/g, "").trim();
     const id = slugger.slug(text);
-    headings.push({ level, text, id });
+    headings.push({ level, text: escapeHtml(text), id });
   }
+  const sanitizedTitle = data.title ? escapeHtml(data.title) : inferredTitle;
+  const sanitizedDescription = data.description ? escapeHtml(data.description) : "";
+  const sanitizedBadge = data.badge ? escapeHtml(data.badge) : void 0;
   return {
     route: {
       path: finalPath,
       componentPath: file,
       filePath: relativePath,
-      title: data.title || inferredTitle,
-      description: data.description || "",
+      title: sanitizedTitle,
+      description: sanitizedDescription,
       sidebarPosition,
       headings,
       locale,
       version,
-      badge: data.badge
+      badge: sanitizedBadge
     },
     relativeDir: cleanDirName,
     isGroupIndex,
     groupMeta: isGroupIndex ? {
-      title: data.groupTitle || data.title || (cleanDirName ? capitalize(cleanDirName) : ""),
+      title: escapeHtml(
+        data.groupTitle || data.title || (cleanDirName ? capitalize(cleanDirName) : "")
+      ),
       position: data.groupPosition ?? data.sidebarPosition ?? (rawDirName ? extractNumberPrefix(rawDirName) : void 0)
     } : void 0,
     inferredGroupPosition: rawDirName ? extractNumberPrefix(rawDirName) : void 0
@@ -292,21 +308,17 @@ import { createRequire } from "module";
 
 // src/node/ssg/meta.ts
 function replaceMetaTags(html, meta) {
-  return html.replace(/<title>.*?<\/title>/, `<title>${meta.title}</title>`).replace(
+  const title = escapeHtml(meta.title);
+  const description = escapeHtml(meta.description);
+  return html.replace(/<title>.*?<\/title>/, `<title>${title}</title>`).replace(
     /(<meta name="description" content=")[^"]*(")/,
-    `$1${meta.description}$2`
-  ).replace(
-    /(<meta property="og:title" content=")[^"]*(")/,
-    `$1${meta.title}$2`
-  ).replace(
+    `$1${description}$2`
+  ).replace(/(<meta property="og:title" content=")[^"]*(")/, `$1${title}$2`).replace(
     /(<meta property="og:description" content=")[^"]*(")/,
-    `$1${meta.description}$2`
-  ).replace(
-    /(<meta name="twitter:title" content=")[^"]*(")/,
-    `$1${meta.title}$2`
-  ).replace(
+    `$1${description}$2`
+  ).replace(/(<meta name="twitter:title" content=")[^"]*(")/, `$1${title}$2`).replace(
     /(<meta name="twitter:description" content=")[^"]*(")/,
-    `$1${meta.description}$2`
+    `$1${description}$2`
   );
 }
 
@@ -339,7 +351,7 @@ function generateSitemap(routePaths, config) {
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
 ${entries.map(
     (e) => `  <url>
-    <loc>${baseUrl}${e.url}</loc>
+    <loc>${escapeXml(baseUrl)}${escapeXml(e.url)}</loc>
     <lastmod>${today}</lastmod>
     <changefreq>${e.changefreq}</changefreq>
     <priority>${e.priority}</priority>
@@ -418,7 +430,7 @@ async function generateStaticPages(options) {
   console.log(
     `[boltdocs] Generated ${routes.length} static pages + sitemap.xml`
   );
-  const { flushCache } = await import("../cache-EHR7SXRU.mjs");
+  const { flushCache } = await import("../cache-GQHF6BXI.mjs");
   await flushCache();
 }
 
@@ -600,7 +612,7 @@ function boltdocsPlugin(options = {}, passedConfig) {
         if (!isBuild) return;
         const outDir = viteConfig?.build?.outDir ? path4.resolve(viteConfig.root, viteConfig.build.outDir) : path4.resolve(process.cwd(), "dist");
         await generateStaticPages({ docsDir, outDir, config });
-        const { flushCache } = await import("../cache-EHR7SXRU.mjs");
+        const { flushCache } = await import("../cache-GQHF6BXI.mjs");
         await flushCache();
       }
     },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "boltdocs",
-  "version": "1.3.0",
+  "version": "1.3.2",
   "description": "A lightweight documentation generator for React projects.",
   "main": "dist/node/index.js",
   "module": "dist/node/index.mjs",