circle-ir 3.16.7 → 3.17.0

package/dist/analysis/html/html-attribute-security-pass.d.ts

@@ -0,0 +1,22 @@
+/**
+ * HTML Attribute Security Pass
+ *
+ * Runs attribute-level security checks directly on the HTML AST.
+ * These rules do not require IR — they operate on element attributes.
+ *
+ * Rules:
+ *   H1: html-missing-noopener   (CWE-1022) — <a target="_blank"> without rel="noopener"
+ *   H2: html-javascript-uri     (CWE-79)   — javascript: in href/src/action
+ *   H3: html-missing-sandbox    (CWE-1021) — <iframe> without sandbox
+ *   H4: html-mixed-content      (CWE-319)  — http:// resource in script/link/img/iframe
+ *   H5: html-missing-sri        (CWE-353)  — CDN script/stylesheet without integrity
+ *   H6: html-autocomplete-sensitive (CWE-525) — sensitive input without autocomplete="off"
+ *   H7: html-inline-event-handler (CWE-79) — inline on* handler (CSP incompatible)
+ *   H8: html-form-action-javascript (CWE-79) — <form action="javascript:...">
+ */
+import type { Node as SyntaxNode } from 'web-tree-sitter';
+import type { SastFinding } from '../../types/index.js';
+/**
+ * Run all HTML attribute security checks.
+ */
+export declare function runHtmlAttributeSecurityChecks(rootNode: SyntaxNode, filePath: string): SastFinding[];

package/dist/analysis/html/html-attribute-security-pass.js

@@ -0,0 +1,269 @@
+/**
+ * HTML Attribute Security Pass
+ *
+ * Runs attribute-level security checks directly on the HTML AST.
+ * These rules do not require IR — they operate on element attributes.
+ *
+ * Rules:
+ *   H1: html-missing-noopener   (CWE-1022) — <a target="_blank"> without rel="noopener"
+ *   H2: html-javascript-uri     (CWE-79)   — javascript: in href/src/action
+ *   H3: html-missing-sandbox    (CWE-1021) — <iframe> without sandbox
+ *   H4: html-mixed-content      (CWE-319)  — http:// resource in script/link/img/iframe
+ *   H5: html-missing-sri        (CWE-353)  — CDN script/stylesheet without integrity
+ *   H6: html-autocomplete-sensitive (CWE-525) — sensitive input without autocomplete="off"
+ *   H7: html-inline-event-handler (CWE-79) — inline on* handler (CSP incompatible)
+ *   H8: html-form-action-javascript (CWE-79) — <form action="javascript:...">
+ */
+import { getAttributeValue, getTagName, findChildByType } from './html-extractor.js';
+/**
+ * Run all HTML attribute security checks.
+ */
+export function runHtmlAttributeSecurityChecks(rootNode, filePath) {
+    const findings = [];
+    walkForSecurityChecks(rootNode, filePath, findings);
+    return findings;
+}
+function walkForSecurityChecks(node, filePath, findings) {
+    // tree-sitter-html uses special node types for <script> and <style>
+    if (node.type === 'element' || node.type === 'self_closing_tag' ||
+        node.type === 'script_element' || node.type === 'style_element') {
+        checkElement(node, filePath, findings);
+    }
+    for (let i = 0; i < node.childCount; i++) {
+        const child = node.child(i);
+        if (child) {
+            walkForSecurityChecks(child, filePath, findings);
+        }
+    }
+}
+function checkElement(node, filePath, findings) {
+    const tagName = getTagName(node).toLowerCase();
+    const tag = node.type === 'self_closing_tag'
+        ? node
+        : findChildByType(node, 'start_tag');
+    if (!tag)
+        return;
+    const line = tag.startPosition.row + 1;
+    const snippet = tag.text.length > 120 ? tag.text.slice(0, 120) + '...' : tag.text;
+    // H1: Missing noopener on target="_blank" links
+    if (tagName === 'a') {
+        checkMissingNoopener(tag, filePath, line, snippet, findings);
+    }
+    // H2: javascript: URI in href/src/action
+    checkJavascriptUri(tag, filePath, line, snippet, findings);
+    // H3: Missing sandbox on iframe
+    if (tagName === 'iframe') {
+        checkMissingSandbox(tag, filePath, line, snippet, findings);
+    }
+    // H4: Mixed content (http:// resources)
+    if (['script', 'link', 'img', 'iframe', 'video', 'audio', 'source', 'object', 'embed'].includes(tagName)) {
+        checkMixedContent(tag, tagName, filePath, line, snippet, findings);
+    }
+    // H5: Missing SRI on CDN resources
+    if (tagName === 'script' || tagName === 'link') {
+        checkMissingSri(tag, tagName, filePath, line, snippet, findings);
+    }
+    // H6: Autocomplete on sensitive inputs
+    if (tagName === 'input') {
+        checkAutocompleteSensitive(tag, filePath, line, snippet, findings);
+    }
+    // H7: Inline event handlers
+    checkInlineEventHandlers(tag, filePath, line, findings);
+    // H8: Form action javascript:
+    if (tagName === 'form') {
+        checkFormActionJavascript(tag, filePath, line, snippet, findings);
+    }
+}
+/** H1: <a target="_blank"> without rel="noopener" or rel="noreferrer" */
+function checkMissingNoopener(tag, filePath, line, snippet, findings) {
+    const target = getAttributeValue(tag, 'target');
+    if (target !== '_blank')
+        return;
+    const rel = getAttributeValue(tag, 'rel')?.toLowerCase() ?? '';
+    if (rel.includes('noopener') || rel.includes('noreferrer'))
+        return;
+    findings.push({
+        id: `html-missing-noopener-${filePath}-${line}`,
+        pass: 'html-missing-noopener',
+        category: 'security',
+        rule_id: 'html-missing-noopener',
+        cwe: 'CWE-1022',
+        severity: 'medium',
+        level: 'warning',
+        message: '<a target="_blank"> is missing rel="noopener" — may allow reverse tabnapping',
+        file: filePath,
+        line,
+        snippet,
+    });
+}
+/** H2: javascript: URI in href, src, or action */
+function checkJavascriptUri(tag, filePath, line, snippet, findings) {
+    for (const attr of ['href', 'src', 'action']) {
+        const value = getAttributeValue(tag, attr);
+        if (value && value.trim().toLowerCase().startsWith('javascript:')) {
+            findings.push({
+                id: `html-javascript-uri-${filePath}-${line}-${attr}`,
+                pass: 'html-javascript-uri',
+                category: 'security',
+                rule_id: 'html-javascript-uri',
+                cwe: 'CWE-79',
+                severity: 'high',
+                level: 'error',
+                message: `${attr}="javascript:..." is an XSS vector — use event listeners instead`,
+                file: filePath,
+                line,
+                snippet,
+            });
+        }
+    }
+}
+/** H3: <iframe> without sandbox attribute */
+function checkMissingSandbox(tag, filePath, line, snippet, findings) {
+    const sandbox = getAttributeValue(tag, 'sandbox');
+    if (sandbox !== undefined)
+        return; // Present (even empty string is fine)
+    findings.push({
+        id: `html-missing-sandbox-${filePath}-${line}`,
+        pass: 'html-missing-sandbox',
+        category: 'security',
+        rule_id: 'html-missing-sandbox',
+        cwe: 'CWE-1021',
+        severity: 'medium',
+        level: 'warning',
+        message: '<iframe> without sandbox attribute — embedded content has full privileges',
+        file: filePath,
+        line,
+        snippet,
+    });
+}
+/** H4: HTTP resource loaded (mixed content) */
+function checkMixedContent(tag, tagName, filePath, line, snippet, findings) {
+    const attrName = tagName === 'link' ? 'href' : 'src';
+    const value = getAttributeValue(tag, attrName);
+    if (!value || !value.startsWith('http://'))
+        return;
+    findings.push({
+        id: `html-mixed-content-${filePath}-${line}`,
+        pass: 'html-mixed-content',
+        category: 'security',
+        rule_id: 'html-mixed-content',
+        cwe: 'CWE-319',
+        severity: 'medium',
+        level: 'warning',
+        message: `Loading resource over HTTP (${attrName}="${truncate(value, 60)}") — use HTTPS to prevent MITM`,
+        file: filePath,
+        line,
+        snippet,
+    });
+}
+/** H5: External CDN script/stylesheet without integrity (SRI) */
+function checkMissingSri(tag, tagName, filePath, line, snippet, findings) {
+    // Determine the URL attribute
+    const url = tagName === 'script'
+        ? getAttributeValue(tag, 'src')
+        : getAttributeValue(tag, 'href');
+    if (!url)
+        return;
+    // Only flag external resources (starts with http:// or https:// or //)
+    if (!url.startsWith('http://') && !url.startsWith('https://') && !url.startsWith('//'))
+        return;
+    // For <link>, only flag stylesheets
+    if (tagName === 'link') {
+        const rel = getAttributeValue(tag, 'rel')?.toLowerCase();
+        if (rel !== 'stylesheet')
+            return;
+    }
+    // Check for integrity attribute
+    const integrity = getAttributeValue(tag, 'integrity');
+    if (integrity)
+        return;
+    findings.push({
+        id: `html-missing-sri-${filePath}-${line}`,
+        pass: 'html-missing-sri',
+        category: 'security',
+        rule_id: 'html-missing-sri',
+        cwe: 'CWE-353',
+        severity: 'medium',
+        level: 'warning',
+        message: `External ${tagName === 'script' ? 'script' : 'stylesheet'} without integrity attribute — vulnerable to CDN compromise`,
+        file: filePath,
+        line,
+        snippet,
+    });
+}
+/** H6: Sensitive input without autocomplete="off" */
+function checkAutocompleteSensitive(tag, filePath, line, snippet, findings) {
+    const type = getAttributeValue(tag, 'type')?.toLowerCase();
+    const name = getAttributeValue(tag, 'name')?.toLowerCase() ?? '';
+    const isSensitive = type === 'password' ||
+        /\b(ssn|social.?security|credit.?card|card.?number|cvv|cvc|ccv)\b/.test(name);
+    if (!isSensitive)
+        return;
+    const autocomplete = getAttributeValue(tag, 'autocomplete')?.toLowerCase();
+    if (autocomplete === 'off' || autocomplete === 'new-password')
+        return;
+    findings.push({
+        id: `html-autocomplete-sensitive-${filePath}-${line}`,
+        pass: 'html-autocomplete-sensitive',
+        category: 'security',
+        rule_id: 'html-autocomplete-sensitive',
+        cwe: 'CWE-525',
+        severity: 'low',
+        level: 'note',
+        message: 'Sensitive input field without autocomplete="off" — browser may cache sensitive data',
+        file: filePath,
+        line,
+        snippet,
+    });
+}
+/** H7: Inline event handler attributes (on*) */
+function checkInlineEventHandlers(tag, filePath, line, findings) {
+    for (let i = 0; i < tag.childCount; i++) {
+        const child = tag.child(i);
+        if (!child || child.type !== 'attribute')
+            continue;
+        const nameNode = findChildByType(child, 'attribute_name');
+        if (!nameNode)
+            continue;
+        const attrName = nameNode.text.toLowerCase();
+        if (attrName.startsWith('on') && attrName.length > 2) {
+            const attrLine = child.startPosition.row + 1;
+            findings.push({
+                id: `html-inline-event-handler-${filePath}-${attrLine}-${attrName}`,
+                pass: 'html-inline-event-handler',
+                category: 'security',
+                rule_id: 'html-inline-event-handler',
+                cwe: 'CWE-79',
+                severity: 'low',
+                level: 'note',
+                message: `Inline ${attrName} handler — incompatible with strict Content Security Policy; use addEventListener() instead`,
+                file: filePath,
+                line: attrLine,
+                snippet: child.text,
+            });
+        }
+    }
+}
+/** H8: <form action="javascript:..."> */
+function checkFormActionJavascript(tag, filePath, line, snippet, findings) {
+    const action = getAttributeValue(tag, 'action');
+    if (!action || !action.trim().toLowerCase().startsWith('javascript:'))
+        return;
+    findings.push({
+        id: `html-form-action-javascript-${filePath}-${line}`,
+        pass: 'html-form-action-javascript',
+        category: 'security',
+        rule_id: 'html-form-action-javascript',
+        cwe: 'CWE-79',
+        severity: 'high',
+        level: 'error',
+        message: '<form action="javascript:..."> is an XSS vector — use proper form submission',
+        file: filePath,
+        line,
+        snippet,
+    });
+}
+function truncate(s, maxLen) {
+    return s.length > maxLen ? s.slice(0, maxLen) + '...' : s;
+}
+//# sourceMappingURL=html-attribute-security-pass.js.map

package/dist/analysis/html/html-attribute-security-pass.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"html-attribute-security-pass.js","sourceRoot":"","sources":["../../../src/analysis/html/html-attribute-security-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAErF;;GAEG;AACH,MAAM,UAAU,8BAA8B,CAC5C,QAAoB,EACpB,QAAgB;IAEhB,MAAM,QAAQ,GAAkB,EAAE,CAAC;IACnC,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACpD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,qBAAqB,CAC5B,IAAgB,EAChB,QAAgB,EAChB,QAAuB;IAEvB,oEAAoE;IACpE,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB;QAC3D,IAAI,CAAC,IAAI,KAAK,gBAAgB,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QACpE,YAAY,CAAC,IAAI,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,KAAK,EAAE,CAAC;YACV,qBAAqB,CAAC,KAAK,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CACnB,IAAgB,EAChB,QAAgB,EAChB,QAAuB;IAEvB,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,KAAK,kBAAkB;QAC1C,CAAC,CAAC,IAAI;QACN,CAAC,CAAC,eAAe,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACvC,IAAI,CAAC,GAAG;QAAE,OAAO;IAEjB,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC,CAAC;IACvC,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;IAElF,gDAAgD;IAChD,IAAI,OAAO,KAAK,GAAG,EAAE,CAAC;QACpB,oBAAoB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC/D,CAAC;IAED,yCAAyC;IACzC,kBAAkB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAE3D,gCAAgC;IAChC,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzB,mBAAmB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC9D,CAAC;IAED,wCAAwC;IACxC,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QACzG,iBAAiB,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACrE,CAAC;IAED,mCAAmC;IACnC,IAAI,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QAC/C,eAAe,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACnE,CAAC;IAED,uCAAuC;IACvC,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;QACxB,0BAA0B,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACrE,CAAC;IAED,4BAA4B;IAC5B,wBAAwB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;IAExD,8BAA8B;IAC9B,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QACvB,yBAAyB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACpE,CAAC;AACH,CAAC;AAED,yEAAyE;AACzE,SAAS,oBAAoB,CAC3B,GAAe,EACf,QAAgB,EAChB,IAAY,EACZ,OAAe,EACf,QAAuB;IAEvB,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAChD,IAAI,MAAM,KAAK,QAAQ;QAAE,OAAO;IAEhC,MAAM,GAAG,GAAG,iBAAiB,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IAC/D,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC;QAAE,OAAO;IAEnE,QAAQ,CAAC,IAAI,CAAC;QACZ,EAAE,EAAE,yBAAyB,QAAQ,IAAI,IAAI,EAAE;QAC/C,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,uBAAuB;QAChC,GAAG,EAAE,UAAU;QACf,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,SAAS;QAChB,OAAO,EAAE,8EAA8E;QACvF,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,kDAAkD;AAClD,SAAS,kBAAkB,CACzB,GAAe,EACf,QAAgB,EAChB,IAAY,EACZ,OAAe,EACf,QAAuB;IAEvB,KAAK,MAAM,IAAI,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,EAAE,CAAC;QAC7C,MAAM,KAAK,GAAG,iBAAiB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC3C,IAAI,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAClE,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,uBAAuB,QAAQ,IAAI,IAAI,IAAI,IAAI,EAAE;gBACrD,IAAI,EAAE,qBAAqB;gBAC3B,QAAQ,EAAE,UAAU;gBACpB,OAAO,EAAE,qBAAqB;gBAC9B,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,OAAO;gBACd,OAAO,EAAE,GAAG,IAAI,kEAAkE;gBAClF,IAAI,EAAE,QAAQ;gBACd,IAAI;gBACJ,OAAO;aACR,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED,6CAA6C;AAC7C,SAAS,mBAAmB,CAC1B,GAAe,EACf,QAAgB,EAChB,IAAY,EACZ,OAAe,EACf,QAAuB;IAEvB,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAClD,IAAI,OAAO,KAAK,SAAS;QAAE,OAAO,CAAC,sCAAsC;IAEzE,QAAQ,CAAC,IAAI,CAAC;QACZ,EAAE,EAAE,wBAAwB,QAAQ,IAAI,IAAI,EAAE;QAC9C,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,sBAAsB;QAC/B,GAAG,EAAE,UAAU;QACf,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,SAAS;QAChB,OAAO,EAAE,2EAA2E;QACpF,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,+CAA+C;AAC/C,SAAS,iBAAiB,CACxB,GAAe,EACf,OAAe,EACf,QAAgB,EAChB,IAAY,EACZ,OAAe,EACf,QAAuB;IAEvB,MAAM,QAAQ,GAAG,OAAO,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;IACrD,MAAM,KAAK,GAAG,iBAAiB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAC/C,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO;IAEnD,QAAQ,CAAC,IAAI,CAAC;QACZ,EAAE,EAAE,sBAAsB,QAAQ,IAAI,IAAI,EAAE;QAC5C,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,oBAAoB;QAC7B,GAAG,EAAE,SAAS;QACd,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,SAAS;QAChB,OAAO,EAAE,+BAA+B,QAAQ,KAAK,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,gCAAgC;QACxG,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,iEAAiE;AACjE,SAAS,eAAe,CACtB,GAAe,EACf,OAAe,EACf,QAAgB,EAChB,IAAY,EACZ,OAAe,EACf,QAAuB;IAEvB,8BAA8B;IAC9B,MAAM,GAAG,GAAG,OAAO,KAAK,QAAQ;QAC9B,CAAC,CAAC,iBAAiB,CAAC,GAAG,EAAE,KAAK,CAAC;QAC/B,CAAC,CAAC,iBAAiB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACnC,IAAI,CAAC,GAAG;QAAE,OAAO;IAEjB,uEAAuE;IACvE,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO;IAE/F,oCAAoC;IACpC,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,iBAAiB,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,WAAW,EAAE,CAAC;QACzD,IAAI,GAAG,KAAK,YAAY;YAAE,OAAO;IACnC,CAAC;IAED,gCAAgC;IAChC,MAAM,SAAS,GAAG,iBAAiB,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IACtD,IAAI,SAAS;QAAE,OAAO;IAEtB,QAAQ,CAAC,IAAI,CAAC;QACZ,EAAE,EAAE,oBAAoB,QAAQ,IAAI,IAAI,EAAE;QAC1C,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,kBAAkB;QAC3B,GAAG,EAAE,SAAS;QACd,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,SAAS;QAChB,OAAO,EAAE,YAAY,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,6DAA6D;QAChI,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,qDAAqD;AACrD,SAAS,0BAA0B,CACjC,GAAe,EACf,QAAgB,EAChB,IAAY,EACZ,OAAe,EACf,QAAuB;IAEvB,MAAM,IAAI,GAAG,iBAAiB,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,WAAW,EAAE,CAAC;IAC3D,MAAM,IAAI,GAAG,iBAAiB,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IAEjE,MAAM,WAAW,GACf,IAAI,KAAK,UAAU;QACnB,kEAAkE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEhF,IAAI,CAAC,WAAW;QAAE,OAAO;IAEzB,MAAM,YAAY,GAAG,iBAAiB,CAAC,GAAG,EAAE,cAAc,CAAC,EAAE,WAAW,EAAE,CAAC;IAC3E,IAAI,YAAY,KAAK,KAAK,IAAI,YAAY,KAAK,cAAc;QAAE,OAAO;IAEtE,QAAQ,CAAC,IAAI,CAAC;QACZ,EAAE,EAAE,+BAA+B,QAAQ,IAAI,IAAI,EAAE;QACrD,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,6BAA6B;QACtC,GAAG,EAAE,SAAS;QACd,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,MAAM;QACb,OAAO,EAAE,qFAAqF;QAC9F,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,gDAAgD;AAChD,SAAS,wBAAwB,CAC/B,GAAe,EACf,QAAgB,EAChB,IAAY,EACZ,QAAuB;IAEvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC3B,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,WAAW;YAAE,SAAS;QAEnD,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QAC1D,IAAI,CAAC,QAAQ;YAAE,SAAS;QAExB,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QAC7C,IAAI,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrD,MAAM,QAAQ,GAAG,KAAK,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC,CAAC;YAC7C,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,6BAA6B,QAAQ,IAAI,QAAQ,IAAI,QAAQ,EAAE;gBACnE,IAAI,EAAE,2BAA2B;gBACjC,QAAQ,EAAE,UAAU;gBACpB,OAAO,EAAE,2BAA2B;gBACpC,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAE,MAAM;gBACb,OAAO,EAAE,UAAU,QAAQ,6FAA6F;gBACxH,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,QAAQ;gBACd,OAAO,EAAE,KAAK,CAAC,IAAI;aACpB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED,yCAAyC;AACzC,SAAS,yBAAyB,CAChC,GAAe,EACf,QAAgB,EAChB,IAAY,EACZ,OAAe,EACf,QAAuB;IAEvB,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAChD,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC;QAAE,OAAO;IAE9E,QAAQ,CAAC,IAAI,CAAC;QACZ,EAAE,EAAE,+BAA+B,QAAQ,IAAI,IAAI,EAAE;QACrD,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,6BAA6B;QACtC,GAAG,EAAE,QAAQ;QACb,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,OAAO;QACd,OAAO,EAAE,8EAA8E;QACvF,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,SAAS,QAAQ,CAAC,CAAS,EAAE,MAAc;IACzC,OAAO,CAAC,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AAC5D,CAAC"}

package/dist/analysis/html/html-extractor.d.ts

@@ -0,0 +1,69 @@
+/**
+ * HTML Content Extractor
+ *
+ * Extracts JavaScript content from HTML files for analysis:
+ * - Inline <script> blocks with line offset tracking
+ * - Inline event handler attributes (onclick, onerror, etc.)
+ * - External script src references (informational)
+ */
+import type { Node as SyntaxNode } from 'web-tree-sitter';
+/**
+ * Represents an extracted <script> block from HTML.
+ */
+export interface HtmlScriptBlock {
+    /** The raw JS source code inside the <script> tags */
+    code: string;
+    /** 1-based line offset of the first line of JS within the HTML file */
+    lineOffset: number;
+    /** Whether this is an inline <script> or an external src= reference */
+    kind: 'inline' | 'external-src';
+    /** The src URL if kind === 'external-src' (informational only) */
+    src?: string;
+    /** The script type/lang attribute value, if present */
+    scriptType?: string;
+}
+/**
+ * Represents an inline event handler attribute extracted from HTML.
+ */
+export interface HtmlEventHandler {
+    /** The JS expression from the event handler attribute value */
+    code: string;
+    /** Attribute name, e.g. "onclick", "onerror" */
+    eventName: string;
+    /** 1-based line of the attribute in the HTML file */
+    line: number;
+    /** The element tag name, e.g. "img", "div" */
+    element: string;
+}
+/**
+ * Result of extracting JS content from an HTML file.
+ */
+export interface HtmlExtractionResult {
+    scriptBlocks: HtmlScriptBlock[];
+    eventHandlers: HtmlEventHandler[];
+}
+/**
+ * Extract JavaScript content from an HTML AST.
+ *
+ * Walks the tree-sitter-html AST to find:
+ * 1. <script> elements — extracts inline code or notes external src
+ * 2. Elements with on* event handler attributes
+ */
+export declare function extractHtmlContent(rootNode: SyntaxNode): HtmlExtractionResult;
+/**
+ * Get the tag name from an element or self-closing tag node.
+ */
+declare function getTagName(node: SyntaxNode): string;
+/**
+ * Get the value of a named attribute from a start_tag or self_closing_tag.
+ */
+declare function getAttributeValue(tag: SyntaxNode | null, name: string): string | undefined;
+/**
+ * Find the first child node of a given type.
+ */
+declare function findChildByType(node: SyntaxNode, type: string): SyntaxNode | null;
+/**
+ * Strip surrounding quotes from an attribute value.
+ */
+declare function stripQuotes(text: string): string;
+export { getAttributeValue, getTagName, findChildByType, stripQuotes };

package/dist/analysis/html/html-extractor.js

@@ -0,0 +1,169 @@
+/**
+ * HTML Content Extractor
+ *
+ * Extracts JavaScript content from HTML files for analysis:
+ * - Inline <script> blocks with line offset tracking
+ * - Inline event handler attributes (onclick, onerror, etc.)
+ * - External script src references (informational)
+ */
+/** Known inline event handler attribute names */
+const EVENT_HANDLER_ATTRS = new Set([
+    'onclick', 'ondblclick', 'onmousedown', 'onmouseup', 'onmouseover',
+    'onmousemove', 'onmouseout', 'onmouseenter', 'onmouseleave',
+    'onkeydown', 'onkeyup', 'onkeypress',
+    'onfocus', 'onblur', 'onchange', 'oninput', 'onsubmit', 'onreset',
+    'onload', 'onerror', 'onabort', 'onresize', 'onscroll',
+    'oncontextmenu', 'ondrag', 'ondrop', 'oncopy', 'onpaste', 'oncut',
+    'ontouchstart', 'ontouchend', 'ontouchmove',
+    'onanimationend', 'onanimationstart', 'ontransitionend',
+]);
+/**
+ * Extract JavaScript content from an HTML AST.
+ *
+ * Walks the tree-sitter-html AST to find:
+ * 1. <script> elements — extracts inline code or notes external src
+ * 2. Elements with on* event handler attributes
+ */
+export function extractHtmlContent(rootNode) {
+    const scriptBlocks = [];
+    const eventHandlers = [];
+    walkNode(rootNode, scriptBlocks, eventHandlers);
+    return { scriptBlocks, eventHandlers };
+}
+function walkNode(node, scriptBlocks, eventHandlers) {
+    if (node.type === 'script_element') {
+        extractScriptBlock(node, scriptBlocks);
+    }
+    // Check for event handler attributes on any element or self-closing tag
+    if (node.type === 'element' || node.type === 'self_closing_tag') {
+        extractEventHandlers(node, eventHandlers);
+    }
+    for (let i = 0; i < node.childCount; i++) {
+        const child = node.child(i);
+        if (child) {
+            walkNode(child, scriptBlocks, eventHandlers);
+        }
+    }
+}
+/**
+ * Extract a <script> block — either inline code or external src reference.
+ */
+function extractScriptBlock(scriptNode, scriptBlocks) {
+    const startTag = scriptNode.childForFieldName('start_tag') ?? findChildByType(scriptNode, 'start_tag');
+    // Check for src attribute (external script)
+    const src = getAttributeValue(startTag, 'src');
+    if (src) {
+        scriptBlocks.push({
+            code: '',
+            lineOffset: scriptNode.startPosition.row + 1,
+            kind: 'external-src',
+            src,
+            scriptType: getAttributeValue(startTag, 'type') ?? getAttributeValue(startTag, 'lang'),
+        });
+        return;
+    }
+    // Look for inline script content (raw_text child)
+    const rawText = findChildByType(scriptNode, 'raw_text');
+    if (rawText && rawText.text.trim()) {
+        scriptBlocks.push({
+            code: rawText.text,
+            lineOffset: rawText.startPosition.row + 1,
+            kind: 'inline',
+            scriptType: getAttributeValue(startTag, 'type') ?? getAttributeValue(startTag, 'lang'),
+        });
+    }
+}
+/**
+ * Extract inline event handler attributes from an element.
+ */
+function extractEventHandlers(elementNode, eventHandlers) {
+    // Get the element's tag name
+    const tagName = getTagName(elementNode);
+    // Find the start_tag (or the self_closing_tag itself)
+    const tag = elementNode.type === 'self_closing_tag'
+        ? elementNode
+        : findChildByType(elementNode, 'start_tag');
+    if (!tag)
+        return;
+    // Iterate attributes looking for event handlers
+    for (let i = 0; i < tag.childCount; i++) {
+        const child = tag.child(i);
+        if (!child || child.type !== 'attribute')
+            continue;
+        const nameNode = findChildByType(child, 'attribute_name');
+        if (!nameNode)
+            continue;
+        const attrName = nameNode.text.toLowerCase();
+        if (!EVENT_HANDLER_ATTRS.has(attrName))
+            continue;
+        const valueNode = findChildByType(child, 'quoted_attribute_value') ?? findChildByType(child, 'attribute_value');
+        if (!valueNode)
+            continue;
+        const code = stripQuotes(valueNode.text);
+        if (code) {
+            eventHandlers.push({
+                code,
+                eventName: attrName,
+                line: child.startPosition.row + 1,
+                element: tagName,
+            });
+        }
+    }
+}
+/**
+ * Get the tag name from an element or self-closing tag node.
+ */
+function getTagName(node) {
+    if (node.type === 'self_closing_tag') {
+        const tagNameNode = findChildByType(node, 'tag_name');
+        return tagNameNode?.text ?? 'unknown';
+    }
+    const startTag = findChildByType(node, 'start_tag');
+    if (startTag) {
+        const tagNameNode = findChildByType(startTag, 'tag_name');
+        return tagNameNode?.text ?? 'unknown';
+    }
+    return 'unknown';
+}
+/**
+ * Get the value of a named attribute from a start_tag or self_closing_tag.
+ */
+function getAttributeValue(tag, name) {
+    if (!tag)
+        return undefined;
+    for (let i = 0; i < tag.childCount; i++) {
+        const child = tag.child(i);
+        if (!child || child.type !== 'attribute')
+            continue;
+        const nameNode = findChildByType(child, 'attribute_name');
+        if (nameNode?.text.toLowerCase() === name) {
+            const valueNode = findChildByType(child, 'quoted_attribute_value') ?? findChildByType(child, 'attribute_value');
+            return valueNode ? stripQuotes(valueNode.text) : '';
+        }
+    }
+    return undefined;
+}
+/**
+ * Find the first child node of a given type.
+ */
+function findChildByType(node, type) {
+    for (let i = 0; i < node.childCount; i++) {
+        const child = node.child(i);
+        if (child?.type === type)
+            return child;
+    }
+    return null;
+}
+/**
+ * Strip surrounding quotes from an attribute value.
+ */
+function stripQuotes(text) {
+    if ((text.startsWith('"') && text.endsWith('"')) ||
+        (text.startsWith("'") && text.endsWith("'"))) {
+        return text.slice(1, -1);
+    }
+    return text;
+}
+// Re-export getAttributeValue and getTagName for use by security pass
+export { getAttributeValue, getTagName, findChildByType, stripQuotes };
+//# sourceMappingURL=html-extractor.js.map

package/dist/analysis/html/html-extractor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"html-extractor.js","sourceRoot":"","sources":["../../../src/analysis/html/html-extractor.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AA0CH,iDAAiD;AACjD,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa;IAClE,aAAa,EAAE,YAAY,EAAE,cAAc,EAAE,cAAc;IAC3D,WAAW,EAAE,SAAS,EAAE,YAAY;IACpC,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS;IACjE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,EAAE,UAAU;IACtD,eAAe,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO;IACjE,cAAc,EAAE,YAAY,EAAE,aAAa;IAC3C,gBAAgB,EAAE,kBAAkB,EAAE,iBAAiB;CACxD,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAoB;IACrD,MAAM,YAAY,GAAsB,EAAE,CAAC;IAC3C,MAAM,aAAa,GAAuB,EAAE,CAAC;IAE7C,QAAQ,CAAC,QAAQ,EAAE,YAAY,EAAE,aAAa,CAAC,CAAC;IAEhD,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC;AACzC,CAAC;AAED,SAAS,QAAQ,CACf,IAAgB,EAChB,YAA+B,EAC/B,aAAiC;IAEjC,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;QACnC,kBAAkB,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;IACzC,CAAC;IAED,wEAAwE;IACxE,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QAChE,oBAAoB,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,KAAK,EAAE,CAAC;YACV,QAAQ,CAAC,KAAK,EAAE,YAAY,EAAE,aAAa,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CACzB,UAAsB,EACtB,YAA+B;IAE/B,MAAM,QAAQ,GAAG,UAAU,CAAC,iBAAiB,CAAC,WAAW,CAAC,IAAI,eAAe,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IAEvG,4CAA4C;IAC5C,MAAM,GAAG,GAAG,iBAAiB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC/C,IAAI,GAAG,EAAE,CAAC;QACR,YAAY,CAAC,IAAI,CAAC;YAChB,IAAI,EAAE,EAAE;YACR,UAAU,EAAE,UAAU,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC;YAC5C,IAAI,EAAE,cAAc;YACpB,GAAG;YACH,UAAU,EAAE,iBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,iBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC;SACvF,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,kDAAkD;IAClD,MAAM,OAAO,GAAG,eAAe,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IACxD,IAAI,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;QACnC,YAAY,CAAC,IAAI,CAAC;YAChB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,UAAU,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC;YACzC,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,iBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,iBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC;SACvF,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAC3B,WAAuB,EACvB,aAAiC;IAEjC,6BAA6B;IAC7B,MAAM,OAAO,GAAG,UAAU,CAAC,WAAW,CAAC,CAAC;IAExC,sDAAsD;IACtD,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,KAAK,kBAAkB;QACjD,CAAC,CAAC,WAAW;QACb,CAAC,CAAC,eAAe,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;IAC9C,IAAI,CAAC,GAAG;QAAE,OAAO;IAEjB,gDAAgD;IAChD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC3B,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,WAAW;YAAE,SAAS;QAEnD,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QAC1D,IAAI,CAAC,QAAQ;YAAE,SAAS;QAExB,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QAC7C,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,SAAS;QAEjD,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,EAAE,wBAAwB,CAAC,IAAI,eAAe,CAAC,KAAK,EAAE,iBAAiB,CAAC,CAAC;QAChH,IAAI,CAAC,SAAS;YAAE,SAAS;QAEzB,MAAM,IAAI,GAAG,WAAW,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACzC,IAAI,IAAI,EAAE,CAAC;YACT,aAAa,CAAC,IAAI,CAAC;gBACjB,IAAI;gBACJ,SAAS,EAAE,QAAQ;gBACnB,IAAI,EAAE,KAAK,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC;gBACjC,OAAO,EAAE,OAAO;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CAAC,IAAgB;IAClC,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACrC,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QACtD,OAAO,WAAW,EAAE,IAAI,IAAI,SAAS,CAAC;IACxC,CAAC;IAED,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACpD,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,WAAW,GAAG,eAAe,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QAC1D,OAAO,WAAW,EAAE,IAAI,IAAI,SAAS,CAAC;IACxC,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,GAAsB,EAAE,IAAY;IAC7D,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAE3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC3B,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,WAAW;YAAE,SAAS;QAEnD,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QAC1D,IAAI,QAAQ,EAAE,IAAI,CAAC,WAAW,EAAE,KAAK,IAAI,EAAE,CAAC;YAC1C,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,EAAE,wBAAwB,CAAC,IAAI,eAAe,CAAC,KAAK,EAAE,iBAAiB,CAAC,CAAC;YAChH,OAAO,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACtD,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAgB,EAAE,IAAY;IACrD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,KAAK,EAAE,IAAI,KAAK,IAAI;YAAE,OAAO,KAAK,CAAC;IACzC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,IAAY;IAC/B,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC5C,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACjD,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,sEAAsE;AACtE,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,eAAe,EAAE,WAAW,EAAE,CAAC"}

package/dist/analysis/html/html-merge.d.ts

@@ -0,0 +1,22 @@
+/**
+ * HTML Result Merger
+ *
+ * Merges multiple CircleIR results (one per script block) and attribute-level
+ * security findings into a single CircleIR for the HTML file.
+ *
+ * Key operation: adjusts all line numbers by (lineOffset - 1) for each script block
+ * and normalizes file paths to the HTML file path.
+ */
+import type { CircleIR, Meta, SastFinding } from '../../types/index.js';
+export interface ScriptBlockResult {
+    ir: CircleIR;
+    lineOffset: number;
+}
+/**
+ * Merge HTML analysis results into a single CircleIR.
+ *
+ * @param htmlMeta - Meta for the HTML file itself
+ * @param scriptResults - CircleIR results from each script block with line offsets
+ * @param attributeFindings - SastFindings from attribute-level security checks
+ */
+export declare function mergeHtmlResults(htmlMeta: Meta, scriptResults: ScriptBlockResult[], attributeFindings: SastFinding[]): CircleIR;