npm - circle-ir - Versions diffs - 3.16.8 → 3.17.1 - Mend

circle-ir 3.16.8 → 3.17.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (35) hide show

package/README.md +7 -1
package/dist/analysis/html/html-attribute-security-pass.d.ts +22 -0
package/dist/analysis/html/html-attribute-security-pass.js +269 -0
package/dist/analysis/html/html-attribute-security-pass.js.map +1 -0
package/dist/analysis/html/html-extractor.d.ts +69 -0
package/dist/analysis/html/html-extractor.js +169 -0
package/dist/analysis/html/html-extractor.js.map +1 -0
package/dist/analysis/html/html-merge.d.ts +22 -0
package/dist/analysis/html/html-merge.js +164 -0
package/dist/analysis/html/html-merge.js.map +1 -0
package/dist/analysis/html/index.d.ts +11 -0
package/dist/analysis/html/index.js +12 -0
package/dist/analysis/html/index.js.map +1 -0
package/dist/analyzer.js +84 -0
package/dist/analyzer.js.map +1 -1
package/dist/browser/circle-ir.js +627 -0
package/dist/core/parser.d.ts +1 -1
package/dist/index.d.ts +1 -1
package/dist/index.js +1 -1
package/dist/index.js.map +1 -1
package/dist/languages/index.d.ts +2 -2
package/dist/languages/index.js +2 -2
package/dist/languages/index.js.map +1 -1
package/dist/languages/plugins/html.d.ts +33 -0
package/dist/languages/plugins/html.js +84 -0
package/dist/languages/plugins/html.js.map +1 -0
package/dist/languages/plugins/index.d.ts +1 -0
package/dist/languages/plugins/index.js +3 -0
package/dist/languages/plugins/index.js.map +1 -1
package/dist/languages/types.d.ts +2 -2
package/dist/languages/types.js +1 -1
package/dist/types/index.d.ts +1 -1
package/dist/wasm/tree-sitter-html.wasm +0 -0
package/docs/SPEC.md +1 -1
package/package.json +2 -1

package/README.md CHANGED Viewed

@@ -8,7 +8,7 @@ A high-performance Static Application Security Testing (SAST) library for detect
 ## Features
 - **Taint Analysis**: Track data flow from sources (user input) to sinks (dangerous operations)
-- **Multi-language Support**: Java, JavaScript/TypeScript, Python, Rust, Bash/Shell
+- **Multi-language Support**: Java, JavaScript/TypeScript, Python, Rust, Bash/Shell, HTML
 - **High Accuracy**: 100% on OWASP Benchmark, 100% on Juliet Test Suite, 97.7% TPR on SecuriBench Micro
 - **36-Pass Pipeline**: 19 security taint passes + 17 reliability/performance/maintainability/architecture quality passes
 - **Metrics Engine**: 24 software quality metrics (cyclomatic complexity, Halstead, CBO, RFC, LCOM, DIT, and 4 composite scores)
@@ -207,6 +207,9 @@ const response = await analyzeForAPI(code, 'File.java', 'java');
 | **Python** | tree-sitter-python | Flask, Django, FastAPI |
 | **Rust** | tree-sitter-rust | Actix-web, Rocket, Axum |
 | **Bash/Shell** | tree-sitter-bash | Shell scripts (.sh, .bash, .zsh, .ksh) |
+| **HTML** | tree-sitter-html | Web extraction preprocessor (.html, .htm, .xhtml) |
+HTML is handled as a preprocessor: `<script>` blocks are extracted and analyzed as JavaScript, inline event handlers are analyzed as JS snippets, and 8 attribute-level security checks (missing noopener, javascript: URIs, missing sandbox/SRI, mixed content, etc.) run directly on the HTML AST.
 ### Multi-Language Examples
@@ -219,6 +222,9 @@ const pyResult = await analyze(pyCode, 'app.py', 'python');
 // Analyze Rust
 const rsResult = await analyze(rsCode, 'main.rs', 'rust');
+// Analyze HTML (extracts scripts, checks attributes)
+const htmlResult = await analyze(htmlCode, 'index.html', 'html');
 ```
 ## Detected Security Vulnerabilities

package/dist/analysis/html/html-attribute-security-pass.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * HTML Attribute Security Pass
+ *
+ * Runs attribute-level security checks directly on the HTML AST.
+ * These rules do not require IR — they operate on element attributes.
+ *
+ * Rules:
+ *   H1: html-missing-noopener   (CWE-1022) — <a target="_blank"> without rel="noopener"
+ *   H2: html-javascript-uri     (CWE-79)   — javascript: in href/src/action
+ *   H3: html-missing-sandbox    (CWE-1021) — <iframe> without sandbox
+ *   H4: html-mixed-content      (CWE-319)  — http:// resource in script/link/img/iframe
+ *   H5: html-missing-sri        (CWE-353)  — CDN script/stylesheet without integrity
+ *   H6: html-autocomplete-sensitive (CWE-525) — sensitive input without autocomplete="off"
+ *   H7: html-inline-event-handler (CWE-79) — inline on* handler (CSP incompatible)
+ *   H8: html-form-action-javascript (CWE-79) — <form action="javascript:...">
+ */
+import type { Node as SyntaxNode } from 'web-tree-sitter';
+import type { SastFinding } from '../../types/index.js';
+/**
+ * Run all HTML attribute security checks.
+ */
+export declare function runHtmlAttributeSecurityChecks(rootNode: SyntaxNode, filePath: string): SastFinding[];

package/dist/analysis/html/html-attribute-security-pass.js ADDED Viewed

@@ -0,0 +1,269 @@
+/**
+ * HTML Attribute Security Pass
+ *
+ * Runs attribute-level security checks directly on the HTML AST.
+ * These rules do not require IR — they operate on element attributes.
+ *
+ * Rules:
+ *   H1: html-missing-noopener   (CWE-1022) — <a target="_blank"> without rel="noopener"
+ *   H2: html-javascript-uri     (CWE-79)   — javascript: in href/src/action
+ *   H3: html-missing-sandbox    (CWE-1021) — <iframe> without sandbox
+ *   H4: html-mixed-content      (CWE-319)  — http:// resource in script/link/img/iframe
+ *   H5: html-missing-sri        (CWE-353)  — CDN script/stylesheet without integrity
+ *   H6: html-autocomplete-sensitive (CWE-525) — sensitive input without autocomplete="off"
+ *   H7: html-inline-event-handler (CWE-79) — inline on* handler (CSP incompatible)
+ *   H8: html-form-action-javascript (CWE-79) — <form action="javascript:...">
+ */
+import { getAttributeValue, getTagName, findChildByType } from './html-extractor.js';
+/**
+ * Run all HTML attribute security checks.
+ */
+export function runHtmlAttributeSecurityChecks(rootNode, filePath) {
+    const findings = [];
+    walkForSecurityChecks(rootNode, filePath, findings);
+    return findings;
+}
+function walkForSecurityChecks(node, filePath, findings) {
+    // tree-sitter-html uses special node types for <script> and <style>
+    if (node.type === 'element' || node.type === 'self_closing_tag' ||
+        node.type === 'script_element' || node.type === 'style_element') {
+        checkElement(node, filePath, findings);
+    }
+    for (let i = 0; i < node.childCount; i++) {
+        const child = node.child(i);
+        if (child) {
+            walkForSecurityChecks(child, filePath, findings);
+        }
+    }
+}
+function checkElement(node, filePath, findings) {
+    const tagName = getTagName(node).toLowerCase();
+    const tag = node.type === 'self_closing_tag'
+        ? node
+        : findChildByType(node, 'start_tag');
+    if (!tag)
+        return;
+    const line = tag.startPosition.row + 1;
+    const snippet = tag.text.length > 120 ? tag.text.slice(0, 120) + '...' : tag.text;
+    // H1: Missing noopener on target="_blank" links
+    if (tagName === 'a') {
+        checkMissingNoopener(tag, filePath, line, snippet, findings);
+    }
+    // H2: javascript: URI in href/src/action
+    checkJavascriptUri(tag, filePath, line, snippet, findings);
+    // H3: Missing sandbox on iframe
+    if (tagName === 'iframe') {
+        checkMissingSandbox(tag, filePath, line, snippet, findings);
+    }
+    // H4: Mixed content (http:// resources)
+    if (['script', 'link', 'img', 'iframe', 'video', 'audio', 'source', 'object', 'embed'].includes(tagName)) {
+        checkMixedContent(tag, tagName, filePath, line, snippet, findings);
+    }
+    // H5: Missing SRI on CDN resources
+    if (tagName === 'script' || tagName === 'link') {
+        checkMissingSri(tag, tagName, filePath, line, snippet, findings);
+    }
+    // H6: Autocomplete on sensitive inputs
+    if (tagName === 'input') {
+        checkAutocompleteSensitive(tag, filePath, line, snippet, findings);
+    }
+    // H7: Inline event handlers
+    checkInlineEventHandlers(tag, filePath, line, findings);
+    // H8: Form action javascript:
+    if (tagName === 'form') {
+        checkFormActionJavascript(tag, filePath, line, snippet, findings);
+    }
+}
+/** H1: <a target="_blank"> without rel="noopener" or rel="noreferrer" */
+function checkMissingNoopener(tag, filePath, line, snippet, findings) {
+    const target = getAttributeValue(tag, 'target');
+    if (target !== '_blank')
+        return;
+    const rel = getAttributeValue(tag, 'rel')?.toLowerCase() ?? '';
+    if (rel.includes('noopener') || rel.includes('noreferrer'))
+        return;
+    findings.push({
+        id: `html-missing-noopener-${filePath}-${line}`,
+        pass: 'html-missing-noopener',
+        category: 'security',
+        rule_id: 'html-missing-noopener',
+        cwe: 'CWE-1022',
+        severity: 'medium',
+        level: 'warning',
+        message: '<a target="_blank"> is missing rel="noopener" — may allow reverse tabnapping',
+        file: filePath,
+        line,
+        snippet,
+    });
+}
+/** H2: javascript: URI in href, src, or action */
+function checkJavascriptUri(tag, filePath, line, snippet, findings) {
+    for (const attr of ['href', 'src', 'action']) {
+        const value = getAttributeValue(tag, attr);
+        if (value && value.trim().toLowerCase().startsWith('javascript:')) {
+            findings.push({
+                id: `html-javascript-uri-${filePath}-${line}-${attr}`,
+                pass: 'html-javascript-uri',
+                category: 'security',
+                rule_id: 'html-javascript-uri',
+                cwe: 'CWE-79',
+                severity: 'high',
+                level: 'error',
+                message: `${attr}="javascript:..." is an XSS vector — use event listeners instead`,
+                file: filePath,
+                line,
+                snippet,
+            });
+        }
+    }
+}
+/** H3: <iframe> without sandbox attribute */
+function checkMissingSandbox(tag, filePath, line, snippet, findings) {
+    const sandbox = getAttributeValue(tag, 'sandbox');
+    if (sandbox !== undefined)
+        return; // Present (even empty string is fine)
+    findings.push({
+        id: `html-missing-sandbox-${filePath}-${line}`,
+        pass: 'html-missing-sandbox',
+        category: 'security',
+        rule_id: 'html-missing-sandbox',
+        cwe: 'CWE-1021',
+        severity: 'medium',
+        level: 'warning',
+        message: '<iframe> without sandbox attribute — embedded content has full privileges',
+        file: filePath,
+        line,
+        snippet,
+    });
+}
+/** H4: HTTP resource loaded (mixed content) */
+function checkMixedContent(tag, tagName, filePath, line, snippet, findings) {
+    const attrName = tagName === 'link' ? 'href' : 'src';
+    const value = getAttributeValue(tag, attrName);
+    if (!value || !value.startsWith('http://'))
+        return;
+    findings.push({
+        id: `html-mixed-content-${filePath}-${line}`,
+        pass: 'html-mixed-content',
+        category: 'security',
+        rule_id: 'html-mixed-content',
+        cwe: 'CWE-319',
+        severity: 'medium',
+        level: 'warning',
+        message: `Loading resource over HTTP (${attrName}="${truncate(value, 60)}") — use HTTPS to prevent MITM`,
+        file: filePath,
+        line,
+        snippet,
+    });
+}
+/** H5: External CDN script/stylesheet without integrity (SRI) */
+function checkMissingSri(tag, tagName, filePath, line, snippet, findings) {
+    // Determine the URL attribute
+    const url = tagName === 'script'
+        ? getAttributeValue(tag, 'src')
+        : getAttributeValue(tag, 'href');
+    if (!url)
+        return;
+    // Only flag external resources (starts with http:// or https:// or //)
+    if (!url.startsWith('http://') && !url.startsWith('https://') && !url.startsWith('//'))
+        return;
+    // For <link>, only flag stylesheets
+    if (tagName === 'link') {
+        const rel = getAttributeValue(tag, 'rel')?.toLowerCase();
+        if (rel !== 'stylesheet')
+            return;
+    }
+    // Check for integrity attribute
+    const integrity = getAttributeValue(tag, 'integrity');
+    if (integrity)
+        return;
+    findings.push({
+        id: `html-missing-sri-${filePath}-${line}`,
+        pass: 'html-missing-sri',
+        category: 'security',
+        rule_id: 'html-missing-sri',
+        cwe: 'CWE-353',
+        severity: 'medium',
+        level: 'warning',
+        message: `External ${tagName === 'script' ? 'script' : 'stylesheet'} without integrity attribute — vulnerable to CDN compromise`,
+        file: filePath,
+        line,
+        snippet,
+    });
+}
+/** H6: Sensitive input without autocomplete="off" */
+function checkAutocompleteSensitive(tag, filePath, line, snippet, findings) {
+    const type = getAttributeValue(tag, 'type')?.toLowerCase();
+    const name = getAttributeValue(tag, 'name')?.toLowerCase() ?? '';
+    const isSensitive = type === 'password' ||
+        /\b(ssn|social.?security|credit.?card|card.?number|cvv|cvc|ccv)\b/.test(name);
+    if (!isSensitive)
+        return;
+    const autocomplete = getAttributeValue(tag, 'autocomplete')?.toLowerCase();
+    if (autocomplete === 'off' || autocomplete === 'new-password')
+        return;
+    findings.push({
+        id: `html-autocomplete-sensitive-${filePath}-${line}`,
+        pass: 'html-autocomplete-sensitive',
+        category: 'security',
+        rule_id: 'html-autocomplete-sensitive',
+        cwe: 'CWE-525',
+        severity: 'low',
+        level: 'note',
+        message: 'Sensitive input field without autocomplete="off" — browser may cache sensitive data',
+        file: filePath,
+        line,
+        snippet,
+    });
+}
+/** H7: Inline event handler attributes (on*) */
+function checkInlineEventHandlers(tag, filePath, line, findings) {
+    for (let i = 0; i < tag.childCount; i++) {
+        const child = tag.child(i);
+        if (!child || child.type !== 'attribute')
+            continue;
+        const nameNode = findChildByType(child, 'attribute_name');
+        if (!nameNode)
+            continue;
+        const attrName = nameNode.text.toLowerCase();
+        if (attrName.startsWith('on') && attrName.length > 2) {
+            const attrLine = child.startPosition.row + 1;
+            findings.push({
+                id: `html-inline-event-handler-${filePath}-${attrLine}-${attrName}`,
+                pass: 'html-inline-event-handler',
+                category: 'security',
+                rule_id: 'html-inline-event-handler',
+                cwe: 'CWE-79',
+                severity: 'low',
+                level: 'note',
+                message: `Inline ${attrName} handler — incompatible with strict Content Security Policy; use addEventListener() instead`,
+                file: filePath,
+                line: attrLine,
+                snippet: child.text,
+            });
+        }
+    }
+}
+/** H8: <form action="javascript:..."> */
+function checkFormActionJavascript(tag, filePath, line, snippet, findings) {
+    const action = getAttributeValue(tag, 'action');
+    if (!action || !action.trim().toLowerCase().startsWith('javascript:'))
+        return;
+    findings.push({
+        id: `html-form-action-javascript-${filePath}-${line}`,
+        pass: 'html-form-action-javascript',
+        category: 'security',
+        rule_id: 'html-form-action-javascript',
+        cwe: 'CWE-79',
+        severity: 'high',
+        level: 'error',
+        message: '<form action="javascript:..."> is an XSS vector — use proper form submission',
+        file: filePath,
+        line,
+        snippet,
+    });
+}
+function truncate(s, maxLen) {
+    return s.length > maxLen ? s.slice(0, maxLen) + '...' : s;
+}
+//# sourceMappingURL=html-attribute-security-pass.js.map

package/dist/analysis/html/html-attribute-security-pass.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"html-attribute-security-pass.js","sourceRoot":"","sources":["../../../src/analysis/html/html-attribute-security-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAErF;;GAEG;AACH,MAAM,UAAU,8BAA8B,CAC5C,QAAoB,EACpB,QAAgB;IAEhB,MAAM,QAAQ,GAAkB,EAAE,CAAC;IACnC,qBAAqB,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACpD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,qBAAqB,CAC5B,IAAgB,EAChB,QAAgB,EAChB,QAAuB;IAEvB,oEAAoE;IACpE,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB;QAC3D,IAAI,CAAC,IAAI,KAAK,gBAAgB,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QACpE,YAAY,CAAC,IAAI,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,KAAK,EAAE,CAAC;YACV,qBAAqB,CAAC,KAAK,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CACnB,IAAgB,EAChB,QAAgB,EAChB,QAAuB;IAEvB,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,KAAK,kBAAkB;QAC1C,CAAC,CAAC,IAAI;QACN,CAAC,CAAC,eAAe,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACvC,IAAI,CAAC,GAAG;QAAE,OAAO;IAEjB,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC,CAAC;IACvC,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC;IAElF,gDAAgD;IAChD,IAAI,OAAO,KAAK,GAAG,EAAE,CAAC;QACpB,oBAAoB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC/D,CAAC;IAED,yCAAyC;IACzC,kBAAkB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAE3D,gCAAgC;IAChC,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzB,mBAAmB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC9D,CAAC;IAED,wCAAwC;IACxC,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QACzG,iBAAiB,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACrE,CAAC;IAED,mCAAmC;IACnC,IAAI,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QAC/C,eAAe,CAAC,GAAG,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACnE,CAAC;IAED,uCAAuC;IACvC,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;QACxB,0BAA0B,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACrE,CAAC;IAED,4BAA4B;IAC5B,wBAAwB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAC;IAExD,8BAA8B;IAC9B,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QACvB,yBAAyB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACpE,CAAC;AACH,CAAC;AAED,yEAAyE;AACzE,SAAS,oBAAoB,CAC3B,GAAe,EACf,QAAgB,EAChB,IAAY,EACZ,OAAe,EACf,QAAuB;IAEvB,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAChD,IAAI,MAAM,KAAK,QAAQ;QAAE,OAAO;IAEhC,MAAM,GAAG,GAAG,iBAAiB,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IAC/D,IAAI,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC;QAAE,OAAO;IAEnE,QAAQ,CAAC,IAAI,CAAC;QACZ,EAAE,EAAE,yBAAyB,QAAQ,IAAI,IAAI,EAAE;QAC/C,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,uBAAuB;QAChC,GAAG,EAAE,UAAU;QACf,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,SAAS;QAChB,OAAO,EAAE,8EAA8E;QACvF,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,kDAAkD;AAClD,SAAS,kBAAkB,CACzB,GAAe,EACf,QAAgB,EAChB,IAAY,EACZ,OAAe,EACf,QAAuB;IAEvB,KAAK,MAAM,IAAI,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,CAAC,EAAE,CAAC;QAC7C,MAAM,KAAK,GAAG,iBAAiB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC3C,IAAI,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;YAClE,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,uBAAuB,QAAQ,IAAI,IAAI,IAAI,IAAI,EAAE;gBACrD,IAAI,EAAE,qBAAqB;gBAC3B,QAAQ,EAAE,UAAU;gBACpB,OAAO,EAAE,qBAAqB;gBAC9B,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,OAAO;gBACd,OAAO,EAAE,GAAG,IAAI,kEAAkE;gBAClF,IAAI,EAAE,QAAQ;gBACd,IAAI;gBACJ,OAAO;aACR,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED,6CAA6C;AAC7C,SAAS,mBAAmB,CAC1B,GAAe,EACf,QAAgB,EAChB,IAAY,EACZ,OAAe,EACf,QAAuB;IAEvB,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAClD,IAAI,OAAO,KAAK,SAAS;QAAE,OAAO,CAAC,sCAAsC;IAEzE,QAAQ,CAAC,IAAI,CAAC;QACZ,EAAE,EAAE,wBAAwB,QAAQ,IAAI,IAAI,EAAE;QAC9C,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,sBAAsB;QAC/B,GAAG,EAAE,UAAU;QACf,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,SAAS;QAChB,OAAO,EAAE,2EAA2E;QACpF,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,+CAA+C;AAC/C,SAAS,iBAAiB,CACxB,GAAe,EACf,OAAe,EACf,QAAgB,EAChB,IAAY,EACZ,OAAe,EACf,QAAuB;IAEvB,MAAM,QAAQ,GAAG,OAAO,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;IACrD,MAAM,KAAK,GAAG,iBAAiB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAC/C,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO;IAEnD,QAAQ,CAAC,IAAI,CAAC;QACZ,EAAE,EAAE,sBAAsB,QAAQ,IAAI,IAAI,EAAE;QAC5C,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,oBAAoB;QAC7B,GAAG,EAAE,SAAS;QACd,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,SAAS;QAChB,OAAO,EAAE,+BAA+B,QAAQ,KAAK,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,gCAAgC;QACxG,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,iEAAiE;AACjE,SAAS,eAAe,CACtB,GAAe,EACf,OAAe,EACf,QAAgB,EAChB,IAAY,EACZ,OAAe,EACf,QAAuB;IAEvB,8BAA8B;IAC9B,MAAM,GAAG,GAAG,OAAO,KAAK,QAAQ;QAC9B,CAAC,CAAC,iBAAiB,CAAC,GAAG,EAAE,KAAK,CAAC;QAC/B,CAAC,CAAC,iBAAiB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IACnC,IAAI,CAAC,GAAG;QAAE,OAAO;IAEjB,uEAAuE;IACvE,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO;IAE/F,oCAAoC;IACpC,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,iBAAiB,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,WAAW,EAAE,CAAC;QACzD,IAAI,GAAG,KAAK,YAAY;YAAE,OAAO;IACnC,CAAC;IAED,gCAAgC;IAChC,MAAM,SAAS,GAAG,iBAAiB,CAAC,GAAG,EAAE,WAAW,CAAC,CAAC;IACtD,IAAI,SAAS;QAAE,OAAO;IAEtB,QAAQ,CAAC,IAAI,CAAC;QACZ,EAAE,EAAE,oBAAoB,QAAQ,IAAI,IAAI,EAAE;QAC1C,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,kBAAkB;QAC3B,GAAG,EAAE,SAAS;QACd,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,SAAS;QAChB,OAAO,EAAE,YAAY,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,6DAA6D;QAChI,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,qDAAqD;AACrD,SAAS,0BAA0B,CACjC,GAAe,EACf,QAAgB,EAChB,IAAY,EACZ,OAAe,EACf,QAAuB;IAEvB,MAAM,IAAI,GAAG,iBAAiB,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,WAAW,EAAE,CAAC;IAC3D,MAAM,IAAI,GAAG,iBAAiB,CAAC,GAAG,EAAE,MAAM,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC;IAEjE,MAAM,WAAW,GACf,IAAI,KAAK,UAAU;QACnB,kEAAkE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEhF,IAAI,CAAC,WAAW;QAAE,OAAO;IAEzB,MAAM,YAAY,GAAG,iBAAiB,CAAC,GAAG,EAAE,cAAc,CAAC,EAAE,WAAW,EAAE,CAAC;IAC3E,IAAI,YAAY,KAAK,KAAK,IAAI,YAAY,KAAK,cAAc;QAAE,OAAO;IAEtE,QAAQ,CAAC,IAAI,CAAC;QACZ,EAAE,EAAE,+BAA+B,QAAQ,IAAI,IAAI,EAAE;QACrD,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,6BAA6B;QACtC,GAAG,EAAE,SAAS;QACd,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,MAAM;QACb,OAAO,EAAE,qFAAqF;QAC9F,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,gDAAgD;AAChD,SAAS,wBAAwB,CAC/B,GAAe,EACf,QAAgB,EAChB,IAAY,EACZ,QAAuB;IAEvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC3B,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,WAAW;YAAE,SAAS;QAEnD,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QAC1D,IAAI,CAAC,QAAQ;YAAE,SAAS;QAExB,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QAC7C,IAAI,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrD,MAAM,QAAQ,GAAG,KAAK,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC,CAAC;YAC7C,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,6BAA6B,QAAQ,IAAI,QAAQ,IAAI,QAAQ,EAAE;gBACnE,IAAI,EAAE,2BAA2B;gBACjC,QAAQ,EAAE,UAAU;gBACpB,OAAO,EAAE,2BAA2B;gBACpC,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,KAAK;gBACf,KAAK,EAAE,MAAM;gBACb,OAAO,EAAE,UAAU,QAAQ,6FAA6F;gBACxH,IAAI,EAAE,QAAQ;gBACd,IAAI,EAAE,QAAQ;gBACd,OAAO,EAAE,KAAK,CAAC,IAAI;aACpB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED,yCAAyC;AACzC,SAAS,yBAAyB,CAChC,GAAe,EACf,QAAgB,EAChB,IAAY,EACZ,OAAe,EACf,QAAuB;IAEvB,MAAM,MAAM,GAAG,iBAAiB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAChD,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC;QAAE,OAAO;IAE9E,QAAQ,CAAC,IAAI,CAAC;QACZ,EAAE,EAAE,+BAA+B,QAAQ,IAAI,IAAI,EAAE;QACrD,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,6BAA6B;QACtC,GAAG,EAAE,QAAQ;QACb,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,OAAO;QACd,OAAO,EAAE,8EAA8E;QACvF,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED,SAAS,QAAQ,CAAC,CAAS,EAAE,MAAc;IACzC,OAAO,CAAC,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AAC5D,CAAC"}

package/dist/analysis/html/html-extractor.d.ts ADDED Viewed

@@ -0,0 +1,69 @@
+/**
+ * HTML Content Extractor
+ *
+ * Extracts JavaScript content from HTML files for analysis:
+ * - Inline <script> blocks with line offset tracking
+ * - Inline event handler attributes (onclick, onerror, etc.)
+ * - External script src references (informational)
+ */
+import type { Node as SyntaxNode } from 'web-tree-sitter';
+/**
+ * Represents an extracted <script> block from HTML.
+ */
+export interface HtmlScriptBlock {
+    /** The raw JS source code inside the <script> tags */
+    code: string;
+    /** 1-based line offset of the first line of JS within the HTML file */
+    lineOffset: number;
+    /** Whether this is an inline <script> or an external src= reference */
+    kind: 'inline' | 'external-src';
+    /** The src URL if kind === 'external-src' (informational only) */
+    src?: string;
+    /** The script type/lang attribute value, if present */
+    scriptType?: string;
+}
+/**
+ * Represents an inline event handler attribute extracted from HTML.
+ */
+export interface HtmlEventHandler {
+    /** The JS expression from the event handler attribute value */
+    code: string;
+    /** Attribute name, e.g. "onclick", "onerror" */
+    eventName: string;
+    /** 1-based line of the attribute in the HTML file */
+    line: number;
+    /** The element tag name, e.g. "img", "div" */
+    element: string;
+}
+/**
+ * Result of extracting JS content from an HTML file.
+ */
+export interface HtmlExtractionResult {
+    scriptBlocks: HtmlScriptBlock[];
+    eventHandlers: HtmlEventHandler[];
+}
+/**
+ * Extract JavaScript content from an HTML AST.
+ *
+ * Walks the tree-sitter-html AST to find:
+ * 1. <script> elements — extracts inline code or notes external src
+ * 2. Elements with on* event handler attributes
+ */
+export declare function extractHtmlContent(rootNode: SyntaxNode): HtmlExtractionResult;
+/**
+ * Get the tag name from an element or self-closing tag node.
+ */
+declare function getTagName(node: SyntaxNode): string;
+/**
+ * Get the value of a named attribute from a start_tag or self_closing_tag.
+ */
+declare function getAttributeValue(tag: SyntaxNode | null, name: string): string | undefined;
+/**
+ * Find the first child node of a given type.
+ */
+declare function findChildByType(node: SyntaxNode, type: string): SyntaxNode | null;
+/**
+ * Strip surrounding quotes from an attribute value.
+ */
+declare function stripQuotes(text: string): string;
+export { getAttributeValue, getTagName, findChildByType, stripQuotes };

package/dist/analysis/html/html-extractor.js ADDED Viewed

@@ -0,0 +1,169 @@
+/**
+ * HTML Content Extractor
+ *
+ * Extracts JavaScript content from HTML files for analysis:
+ * - Inline <script> blocks with line offset tracking
+ * - Inline event handler attributes (onclick, onerror, etc.)
+ * - External script src references (informational)
+ */
+/** Known inline event handler attribute names */
+const EVENT_HANDLER_ATTRS = new Set([
+    'onclick', 'ondblclick', 'onmousedown', 'onmouseup', 'onmouseover',
+    'onmousemove', 'onmouseout', 'onmouseenter', 'onmouseleave',
+    'onkeydown', 'onkeyup', 'onkeypress',
+    'onfocus', 'onblur', 'onchange', 'oninput', 'onsubmit', 'onreset',
+    'onload', 'onerror', 'onabort', 'onresize', 'onscroll',
+    'oncontextmenu', 'ondrag', 'ondrop', 'oncopy', 'onpaste', 'oncut',
+    'ontouchstart', 'ontouchend', 'ontouchmove',
+    'onanimationend', 'onanimationstart', 'ontransitionend',
+]);
+/**
+ * Extract JavaScript content from an HTML AST.
+ *
+ * Walks the tree-sitter-html AST to find:
+ * 1. <script> elements — extracts inline code or notes external src
+ * 2. Elements with on* event handler attributes
+ */
+export function extractHtmlContent(rootNode) {
+    const scriptBlocks = [];
+    const eventHandlers = [];
+    walkNode(rootNode, scriptBlocks, eventHandlers);
+    return { scriptBlocks, eventHandlers };
+}
+function walkNode(node, scriptBlocks, eventHandlers) {
+    if (node.type === 'script_element') {
+        extractScriptBlock(node, scriptBlocks);
+    }
+    // Check for event handler attributes on any element or self-closing tag
+    if (node.type === 'element' || node.type === 'self_closing_tag') {
+        extractEventHandlers(node, eventHandlers);
+    }
+    for (let i = 0; i < node.childCount; i++) {
+        const child = node.child(i);
+        if (child) {
+            walkNode(child, scriptBlocks, eventHandlers);
+        }
+    }
+}
+/**
+ * Extract a <script> block — either inline code or external src reference.
+ */
+function extractScriptBlock(scriptNode, scriptBlocks) {
+    const startTag = scriptNode.childForFieldName('start_tag') ?? findChildByType(scriptNode, 'start_tag');
+    // Check for src attribute (external script)
+    const src = getAttributeValue(startTag, 'src');
+    if (src) {
+        scriptBlocks.push({
+            code: '',
+            lineOffset: scriptNode.startPosition.row + 1,
+            kind: 'external-src',
+            src,
+            scriptType: getAttributeValue(startTag, 'type') ?? getAttributeValue(startTag, 'lang'),
+        });
+        return;
+    }
+    // Look for inline script content (raw_text child)
+    const rawText = findChildByType(scriptNode, 'raw_text');
+    if (rawText && rawText.text.trim()) {
+        scriptBlocks.push({
+            code: rawText.text,
+            lineOffset: rawText.startPosition.row + 1,
+            kind: 'inline',
+            scriptType: getAttributeValue(startTag, 'type') ?? getAttributeValue(startTag, 'lang'),
+        });
+    }
+}
+/**
+ * Extract inline event handler attributes from an element.
+ */
+function extractEventHandlers(elementNode, eventHandlers) {
+    // Get the element's tag name
+    const tagName = getTagName(elementNode);
+    // Find the start_tag (or the self_closing_tag itself)
+    const tag = elementNode.type === 'self_closing_tag'
+        ? elementNode
+        : findChildByType(elementNode, 'start_tag');
+    if (!tag)
+        return;
+    // Iterate attributes looking for event handlers
+    for (let i = 0; i < tag.childCount; i++) {
+        const child = tag.child(i);
+        if (!child || child.type !== 'attribute')
+            continue;
+        const nameNode = findChildByType(child, 'attribute_name');
+        if (!nameNode)
+            continue;
+        const attrName = nameNode.text.toLowerCase();
+        if (!EVENT_HANDLER_ATTRS.has(attrName))
+            continue;
+        const valueNode = findChildByType(child, 'quoted_attribute_value') ?? findChildByType(child, 'attribute_value');
+        if (!valueNode)
+            continue;
+        const code = stripQuotes(valueNode.text);
+        if (code) {
+            eventHandlers.push({
+                code,
+                eventName: attrName,
+                line: child.startPosition.row + 1,
+                element: tagName,
+            });
+        }
+    }
+}
+/**
+ * Get the tag name from an element or self-closing tag node.
+ */
+function getTagName(node) {
+    if (node.type === 'self_closing_tag') {
+        const tagNameNode = findChildByType(node, 'tag_name');
+        return tagNameNode?.text ?? 'unknown';
+    }
+    const startTag = findChildByType(node, 'start_tag');
+    if (startTag) {
+        const tagNameNode = findChildByType(startTag, 'tag_name');
+        return tagNameNode?.text ?? 'unknown';
+    }
+    return 'unknown';
+}
+/**
+ * Get the value of a named attribute from a start_tag or self_closing_tag.
+ */
+function getAttributeValue(tag, name) {
+    if (!tag)
+        return undefined;
+    for (let i = 0; i < tag.childCount; i++) {
+        const child = tag.child(i);
+        if (!child || child.type !== 'attribute')
+            continue;
+        const nameNode = findChildByType(child, 'attribute_name');
+        if (nameNode?.text.toLowerCase() === name) {
+            const valueNode = findChildByType(child, 'quoted_attribute_value') ?? findChildByType(child, 'attribute_value');
+            return valueNode ? stripQuotes(valueNode.text) : '';
+        }
+    }
+    return undefined;
+}
+/**
+ * Find the first child node of a given type.
+ */
+function findChildByType(node, type) {
+    for (let i = 0; i < node.childCount; i++) {
+        const child = node.child(i);
+        if (child?.type === type)
+            return child;
+    }
+    return null;
+}
+/**
+ * Strip surrounding quotes from an attribute value.
+ */
+function stripQuotes(text) {
+    if ((text.startsWith('"') && text.endsWith('"')) ||
+        (text.startsWith("'") && text.endsWith("'"))) {
+        return text.slice(1, -1);
+    }
+    return text;
+}
+// Re-export getAttributeValue and getTagName for use by security pass
+export { getAttributeValue, getTagName, findChildByType, stripQuotes };
+//# sourceMappingURL=html-extractor.js.map

package/dist/analysis/html/html-extractor.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"html-extractor.js","sourceRoot":"","sources":["../../../src/analysis/html/html-extractor.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AA0CH,iDAAiD;AACjD,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa;IAClE,aAAa,EAAE,YAAY,EAAE,cAAc,EAAE,cAAc;IAC3D,WAAW,EAAE,SAAS,EAAE,YAAY;IACpC,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS;IACjE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,EAAE,UAAU;IACtD,eAAe,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO;IACjE,cAAc,EAAE,YAAY,EAAE,aAAa;IAC3C,gBAAgB,EAAE,kBAAkB,EAAE,iBAAiB;CACxD,CAAC,CAAC;AAEH;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAoB;IACrD,MAAM,YAAY,GAAsB,EAAE,CAAC;IAC3C,MAAM,aAAa,GAAuB,EAAE,CAAC;IAE7C,QAAQ,CAAC,QAAQ,EAAE,YAAY,EAAE,aAAa,CAAC,CAAC;IAEhD,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,CAAC;AACzC,CAAC;AAED,SAAS,QAAQ,CACf,IAAgB,EAChB,YAA+B,EAC/B,aAAiC;IAEjC,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;QACnC,kBAAkB,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;IACzC,CAAC;IAED,wEAAwE;IACxE,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QAChE,oBAAoB,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,KAAK,EAAE,CAAC;YACV,QAAQ,CAAC,KAAK,EAAE,YAAY,EAAE,aAAa,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CACzB,UAAsB,EACtB,YAA+B;IAE/B,MAAM,QAAQ,GAAG,UAAU,CAAC,iBAAiB,CAAC,WAAW,CAAC,IAAI,eAAe,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IAEvG,4CAA4C;IAC5C,MAAM,GAAG,GAAG,iBAAiB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IAC/C,IAAI,GAAG,EAAE,CAAC;QACR,YAAY,CAAC,IAAI,CAAC;YAChB,IAAI,EAAE,EAAE;YACR,UAAU,EAAE,UAAU,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC;YAC5C,IAAI,EAAE,cAAc;YACpB,GAAG;YACH,UAAU,EAAE,iBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,iBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC;SACvF,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,kDAAkD;IAClD,MAAM,OAAO,GAAG,eAAe,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IACxD,IAAI,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;QACnC,YAAY,CAAC,IAAI,CAAC;YAChB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,UAAU,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC;YACzC,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,iBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,iBAAiB,CAAC,QAAQ,EAAE,MAAM,CAAC;SACvF,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAC3B,WAAuB,EACvB,aAAiC;IAEjC,6BAA6B;IAC7B,MAAM,OAAO,GAAG,UAAU,CAAC,WAAW,CAAC,CAAC;IAExC,sDAAsD;IACtD,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,KAAK,kBAAkB;QACjD,CAAC,CAAC,WAAW;QACb,CAAC,CAAC,eAAe,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC;IAC9C,IAAI,CAAC,GAAG;QAAE,OAAO;IAEjB,gDAAgD;IAChD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC3B,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,WAAW;YAAE,SAAS;QAEnD,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QAC1D,IAAI,CAAC,QAAQ;YAAE,SAAS;QAExB,MAAM,QAAQ,GAAG,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;QAC7C,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,QAAQ,CAAC;YAAE,SAAS;QAEjD,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,EAAE,wBAAwB,CAAC,IAAI,eAAe,CAAC,KAAK,EAAE,iBAAiB,CAAC,CAAC;QAChH,IAAI,CAAC,SAAS;YAAE,SAAS;QAEzB,MAAM,IAAI,GAAG,WAAW,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACzC,IAAI,IAAI,EAAE,CAAC;YACT,aAAa,CAAC,IAAI,CAAC;gBACjB,IAAI;gBACJ,SAAS,EAAE,QAAQ;gBACnB,IAAI,EAAE,KAAK,CAAC,aAAa,CAAC,GAAG,GAAG,CAAC;gBACjC,OAAO,EAAE,OAAO;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CAAC,IAAgB;IAClC,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACrC,MAAM,WAAW,GAAG,eAAe,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QACtD,OAAO,WAAW,EAAE,IAAI,IAAI,SAAS,CAAC;IACxC,CAAC;IAED,MAAM,QAAQ,GAAG,eAAe,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC;IACpD,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,WAAW,GAAG,eAAe,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QAC1D,OAAO,WAAW,EAAE,IAAI,IAAI,SAAS,CAAC;IACxC,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,GAAsB,EAAE,IAAY;IAC7D,IAAI,CAAC,GAAG;QAAE,OAAO,SAAS,CAAC;IAE3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC3B,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,WAAW;YAAE,SAAS;QAEnD,MAAM,QAAQ,GAAG,eAAe,CAAC,KAAK,EAAE,gBAAgB,CAAC,CAAC;QAC1D,IAAI,QAAQ,EAAE,IAAI,CAAC,WAAW,EAAE,KAAK,IAAI,EAAE,CAAC;YAC1C,MAAM,SAAS,GAAG,eAAe,CAAC,KAAK,EAAE,wBAAwB,CAAC,IAAI,eAAe,CAAC,KAAK,EAAE,iBAAiB,CAAC,CAAC;YAChH,OAAO,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACtD,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,IAAgB,EAAE,IAAY;IACrD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,KAAK,EAAE,IAAI,KAAK,IAAI;YAAE,OAAO,KAAK,CAAC;IACzC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,IAAY;IAC/B,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC5C,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACjD,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,sEAAsE;AACtE,OAAO,EAAE,iBAAiB,EAAE,UAAU,EAAE,eAAe,EAAE,WAAW,EAAE,CAAC"}

package/dist/analysis/html/html-merge.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * HTML Result Merger
+ *
+ * Merges multiple CircleIR results (one per script block) and attribute-level
+ * security findings into a single CircleIR for the HTML file.
+ *
+ * Key operation: adjusts all line numbers by (lineOffset - 1) for each script block
+ * and normalizes file paths to the HTML file path.
+ */
+import type { CircleIR, Meta, SastFinding } from '../../types/index.js';
+export interface ScriptBlockResult {
+    ir: CircleIR;
+    lineOffset: number;
+}
+/**
+ * Merge HTML analysis results into a single CircleIR.
+ *
+ * @param htmlMeta - Meta for the HTML file itself
+ * @param scriptResults - CircleIR results from each script block with line offsets
+ * @param attributeFindings - SastFindings from attribute-level security checks
+ */
+export declare function mergeHtmlResults(htmlMeta: Meta, scriptResults: ScriptBlockResult[], attributeFindings: SastFinding[]): CircleIR;