bosia 0.4.4 → 0.5.0

package/src/core/html.ts

@@ -1,5 +1,6 @@
 import { existsSync, readFileSync } from "fs";
 import { getDeclaredEnvKeys } from "./env.ts";
+import { nonceAttr } from "./csp.ts";
 
 // ─── Dist Manifest ───────────────────────────────────────
 // Maps hashed filenames → script/link tags.
@@ -36,6 +37,22 @@ export function safeJsonStringify(data: unknown): string {
 	return json.replace(/[<>&\u2028\u2029]/g, (c) => map[c]);
 }
 
+const SCRIPT_HAZARD_RE = /<(\/script|!--)/gi;
+
+/** Escapes JSON for safe embedding inside <script type="application/json"> blocks.
+ *  Blocks premature </script> and <!-- (HTML script-data escape state) without
+ *  the JS-context overhead of safeJsonStringify. */
+export function safeJsonForScript(data: unknown): string {
+	let json: string;
+	try {
+		json = JSON.stringify(data);
+	} catch {
+		console.error("safeJsonForScript: failed to serialize data (circular reference?)");
+		json = "null";
+	}
+	return json.replace(SCRIPT_HAZARD_RE, "\\u003c$1");
+}
+
 // ─── Public Env Injection ─────────────────────────────────
 
 /**
@@ -76,6 +93,9 @@ export function buildHtml(
 	formData: any = null,
 	lang?: string,
 	ssr = true,
+	nonce?: string,
+	pageDeps: any = null,
+	layoutDeps: any[] | null = null,
 ): string {
 	const cssLinks = (distManifest.css ?? [])
 		.map((f: string) => `<link rel="stylesheet" href="/dist/client/${f}">`)
@@ -83,20 +103,35 @@ export function buildHtml(
 
 	const fallbackTitle = head.includes("<title>") ? "" : "<title>Bosia App</title>";
 
+	const n = nonceAttr(nonce);
 	const publicEnv = getPublicDynamicEnv();
 	const envScript =
 		Object.keys(publicEnv).length > 0
-			? `\n  <script>window.__BOSIA_ENV__=${safeJsonStringify(publicEnv)};</script>`
+			? `\n  <script${n}>window.__BOSIA_ENV__=${safeJsonStringify(publicEnv)};</script>`
 			: "";
 
-	const formScript =
-		formData != null ? `window.__BOSIA_FORM_DATA__=${safeJsonStringify(formData)};` : "";
 	const ssrFlag = ssr ? "" : "window.__BOSIA_SSR__=false;";
 
+	const depsScript =
+		pageDeps !== null || layoutDeps !== null
+			? `window.__BOSIA_PAGE_DEPS__=${safeJsonStringify(pageDeps)};window.__BOSIA_LAYOUT_DEPS__=${safeJsonStringify(layoutDeps ?? [])};`
+			: "";
+
+	const sysScript =
+		ssrFlag || depsScript ? `\n  <script${n}>${ssrFlag}${depsScript}</script>` : "";
+
+	const dataIslands = csr
+		? `\n  <script${n} type="application/json" id="__bosia-page-data__">${safeJsonForScript(pageData)}</script>` +
+			`\n  <script${n} type="application/json" id="__bosia-layout-data__">${safeJsonForScript(layoutData)}</script>` +
+			(formData != null
+				? `\n  <script${n} type="application/json" id="__bosia-form-data__">${safeJsonForScript(formData)}</script>`
+				: "")
+		: "";
+
 	const scripts = csr
-		? `${envScript}\n  <script>${ssrFlag}window.__BOSIA_PAGE_DATA__=${safeJsonStringify(pageData)};window.__BOSIA_LAYOUT_DATA__=${safeJsonStringify(layoutData)};${formScript}</script>\n  <script type="module" src="/dist/client/${distManifest.entry}${cacheBust}"></script>`
+		? `${envScript}${dataIslands}${sysScript}\n  <script${n} type="module" src="/dist/client/${distManifest.entry}${cacheBust}"></script>`
 		: isDev
-			? `\n  <script>!function r(){var e=new EventSource("/__bosia/sse");e.addEventListener("reload",()=>location.reload());e.onopen=()=>r._ok||(r._ok=1);e.onerror=()=>{e.close();setTimeout(r,2000)}}()</script>`
+			? `\n  <script${n}>!function r(){var e=new EventSource("/__bosia/sse");e.addEventListener("reload",()=>location.reload());e.onopen=()=>r._ok||(r._ok=1);e.onerror=()=>{e.close();setTimeout(r,2000)}}()</script>`
 			: "";
 
 	return `<!DOCTYPE html>
@@ -109,7 +144,7 @@ export function buildHtml(
   ${head}
   ${cssLinks}
   <link rel="stylesheet" href="/bosia-tw.css${cacheBust}">
-  <script>try{var t=localStorage.getItem('theme');if(t==='dark'||(!t&&window.matchMedia('(prefers-color-scheme: dark)').matches))document.documentElement.classList.add('dark');else document.documentElement.classList.remove('dark')}catch(_){}</script>
+  <script${n}>try{var t=localStorage.getItem('theme');if(t==='dark'||(!t&&window.matchMedia('(prefers-color-scheme: dark)').matches))document.documentElement.classList.add('dark');else document.documentElement.classList.remove('dark')}catch(_){}</script>
 </head>
 <body>
   <div id="app">${body}</div>${scripts}
@@ -121,27 +156,23 @@ export function buildHtml(
 
 import type { Metadata } from "./hooks.ts";
 
-const _shellOpenCache = new Map<string, string>();
-
 /** Chunk 1: everything from <!DOCTYPE> through CSS/modulepreload links (head still open) */
-export function buildHtmlShellOpen(lang?: string): string {
+export function buildHtmlShellOpen(lang?: string, nonce?: string): string {
 	const key = safeLang(lang);
-	const cached = _shellOpenCache.get(key);
-	if (cached) return cached;
+	const n = nonceAttr(nonce);
 	const cssLinks = (distManifest.css ?? [])
 		.map((f: string) => `<link rel="stylesheet" href="/dist/client/${f}">`)
 		.join("\n  ");
-	const result =
+	return (
 		`<!DOCTYPE html>\n<html lang="${key}">\n<head>\n` +
 		`  <meta charset="UTF-8">\n` +
 		`  <meta name="viewport" content="width=device-width, initial-scale=1.0">\n` +
 		`  <link rel="icon" type="image/svg+xml" href="/favicon.svg">\n` +
 		`  ${cssLinks}\n` +
 		`  <link rel="stylesheet" href="/bosia-tw.css${cacheBust}">\n` +
-		`  <script>try{var t=localStorage.getItem('theme');if(t==='dark'||(!t&&window.matchMedia('(prefers-color-scheme: dark)').matches))document.documentElement.classList.add('dark');else document.documentElement.classList.remove('dark')}catch(_){}</script>\n` +
-		`  <link rel="modulepreload" href="/dist/client/${distManifest.entry}${cacheBust}">`;
-	_shellOpenCache.set(key, result);
-	return result;
+		`  <script${n}>try{var t=localStorage.getItem('theme');if(t==='dark'||(!t&&window.matchMedia('(prefers-color-scheme: dark)').matches))document.documentElement.classList.add('dark');else document.documentElement.classList.remove('dark')}catch(_){}</script>\n` +
+		`  <link rel="modulepreload" href="/dist/client/${distManifest.entry}${cacheBust}">`
+	);
 }
 
 const SPINNER =
@@ -208,25 +239,36 @@ export function buildHtmlTail(
 	formData: any = null,
 	ssr = true,
 	bodyEndExtras?: string[],
+	nonce?: string,
+	pageDeps: any = null,
+	layoutDeps: any[] | null = null,
 ): string {
-	let out = `<script>document.getElementById('__bs__').remove()</script>`;
+	const n = nonceAttr(nonce);
+	let out = `<script${n}>document.getElementById('__bs__').remove()</script>`;
 	out += `\n<div id="app">${body}</div>`;
 	if (head)
-		out += `\n<script>document.head.insertAdjacentHTML('beforeend',${safeJsonStringify(head)})</script>`;
+		out += `\n<script${n}>document.head.insertAdjacentHTML('beforeend',${safeJsonStringify(head)})</script>`;
 	if (csr) {
 		const publicEnv = getPublicDynamicEnv();
 		if (Object.keys(publicEnv).length > 0) {
-			out += `\n<script>window.__BOSIA_ENV__=${safeJsonStringify(publicEnv)};</script>`;
+			out += `\n<script${n}>window.__BOSIA_ENV__=${safeJsonStringify(publicEnv)};</script>`;
+		}
+		out += `\n<script${n} type="application/json" id="__bosia-page-data__">${safeJsonForScript(pageData)}</script>`;
+		out += `\n<script${n} type="application/json" id="__bosia-layout-data__">${safeJsonForScript(layoutData)}</script>`;
+		if (formData != null) {
+			out += `\n<script${n} type="application/json" id="__bosia-form-data__">${safeJsonForScript(formData)}</script>`;
 		}
-		const formInject =
-			formData != null ? `window.__BOSIA_FORM_DATA__=${safeJsonStringify(formData)};` : "";
 		const ssrFlag = ssr ? "" : "window.__BOSIA_SSR__=false;";
-		out +=
-			`\n<script>${ssrFlag}window.__BOSIA_PAGE_DATA__=${safeJsonStringify(pageData)};` +
-			`window.__BOSIA_LAYOUT_DATA__=${safeJsonStringify(layoutData)};${formInject}</script>`;
-		out += `\n<script type="module" src="/dist/client/${distManifest.entry}${cacheBust}"></script>`;
+		const depsInject =
+			pageDeps !== null || layoutDeps !== null
+				? `window.__BOSIA_PAGE_DEPS__=${safeJsonStringify(pageDeps)};window.__BOSIA_LAYOUT_DEPS__=${safeJsonStringify(layoutDeps ?? [])};`
+				: "";
+		if (ssrFlag || depsInject) {
+			out += `\n<script${n}>${ssrFlag}${depsInject}</script>`;
+		}
+		out += `\n<script${n} type="module" src="/dist/client/${distManifest.entry}${cacheBust}"></script>`;
 	} else if (isDev) {
-		out += `\n<script>!function r(){var e=new EventSource("/__bosia/sse");e.addEventListener("reload",()=>location.reload());e.onopen=()=>r._ok||(r._ok=1);e.onerror=()=>{e.close();setTimeout(r,2000)}}()</script>`;
+		out += `\n<script${n}>!function r(){var e=new EventSource("/__bosia/sse");e.addEventListener("reload",()=>location.reload());e.onopen=()=>r._ok||(r._ok=1);e.onerror=()=>{e.close();setTimeout(r,2000)}}()</script>`;
 	}
 	if (bodyEndExtras?.length) {
 		for (const fragment of bodyEndExtras) {

package/src/core/prerender.ts

@@ -44,6 +44,17 @@ interface PrerenderTarget {
 export function substituteParams(pattern: string, entry: Record<string, string>): string {
 	let resolved = pattern;
 	for (const [key, value] of Object.entries(entry)) {
+		// `..` and `\` are never legitimate in a route segment — they let a build
+		// emit prerendered HTML outside the intended output tree. Forward slashes
+		// are only allowed for catch-all (`[...key]`) segments, which by design
+		// expand to multiple path parts. Validate accordingly.
+		const isRest = pattern.includes(`[...${key}]`);
+		if (/\\|\.\./.test(value) || (!isRest && value.includes("/"))) {
+			throw new Error(
+				`Prerender entries(): unsafe value "${value}" for [${key}] — ` +
+					`path traversal characters are not allowed in dynamic segment values.`,
+			);
+		}
 		resolved = resolved.replace(`[...${key}]`, value);
 		resolved = resolved.replace(`[${key}]`, value);
 	}