npm - dalila - Versions diffs - 1.10.3 → 1.10.4 - Mend

dalila 1.10.3 → 1.10.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/core/persist.js +10 -6
package/dist/runtime/html-sinks.js +79 -5
package/package.json +1 -1
package/scripts/dev-server.cjs +22 -10

package/dist/core/persist.js CHANGED Viewed

@@ -492,6 +492,9 @@ function escapeInlineScriptContent(script) {
         }
     });
 }
+function stringifyInlineScriptLiteral(value) {
+    return escapeInlineScriptContent(JSON.stringify(value));
+}
 /**
  * Generate a minimal inline script to prevent FOUC.
  *
@@ -499,13 +502,14 @@ function escapeInlineScriptContent(script) {
  */
 export function createPreloadScript(options) {
     const { storageKey, defaultValue, target = 'documentElement', attribute = 'data-theme', storageType = 'localStorage', } = options;
-    // Use JSON.stringify to safely embed strings (avoid breaking quotes / injection)
-    const k = JSON.stringify(storageKey);
-    const d = JSON.stringify(defaultValue);
-    const a = JSON.stringify(attribute);
+    const safeTarget = target === 'body' ? 'body' : 'documentElement';
+    const safeStorageType = storageType === 'sessionStorage' ? 'sessionStorage' : 'localStorage';
+    const k = stringifyInlineScriptLiteral(storageKey);
+    const d = stringifyInlineScriptLiteral(defaultValue);
+    const a = stringifyInlineScriptLiteral(attribute);
     // Still minified
-    const script = `(function(){try{var s=${storageType}.getItem(${k});var v=s==null?${d}:JSON.parse(s);document.${target}.setAttribute(${a},v)}catch(e){document.${target}.setAttribute(${a},${d})}})();`;
-    return escapeInlineScriptContent(script);
+    const script = `(function(){try{var s=${safeStorageType}.getItem(${k});var v=s==null?${d}:JSON.parse(s);document.${safeTarget}.setAttribute(${a},v)}catch(e){document.${safeTarget}.setAttribute(${a},${d})}})();`;
+    return script;
 }
 export function createThemeScript(storageKey, defaultTheme = 'light') {
     return createPreloadScript({

package/dist/runtime/html-sinks.js CHANGED Viewed

@@ -1,6 +1,5 @@
 const TRUSTED_POLICY_CACHE_KEY = Symbol.for('dalila.runtime.trustedTypesPolicies');
 const TRUSTED_POLICY_PARSE_SUFFIX = '--dalila-parse';
-const EXECUTABLE_HTML_EVENT_ATTR_PATTERN = /<[^>]+\son[a-z0-9:_-]+\s*=/i;
 const EXECUTABLE_HTML_URL_ATTR_NAMES = new Set([
     'href',
     'src',
@@ -9,7 +8,6 @@ const EXECUTABLE_HTML_URL_ATTR_NAMES = new Set([
     'action',
     'poster',
 ]);
-const EXECUTABLE_DATA_URL_PATTERN = /^data:(?:text\/html|application\/xhtml\+xml|image\/svg\+xml)\b/i;
 function getTrustedPolicyCache() {
     const host = globalThis;
     if (host[TRUSTED_POLICY_CACHE_KEY] instanceof Map) {
@@ -42,7 +40,7 @@ function isHtmlAttributeNameChar(code) {
         && code !== 0x60;
 }
 function isTagBoundaryChar(char) {
-    return !char || /[\s/>]/.test(char);
+    return !char || char === '/' || char === '>' || isHtmlWhitespaceCode(char.charCodeAt(0));
 }
 function getPreviousNonWhitespaceChar(value, end, start = 0) {
     for (let index = end - 1; index >= start; index -= 1) {
@@ -82,7 +80,83 @@ function hasExecutableHtmlScriptTag(value) {
 function hasExecutableProtocol(value) {
     return value.startsWith('javascript:')
         || value.startsWith('vbscript:')
-        || EXECUTABLE_DATA_URL_PATTERN.test(value);
+        || value.startsWith('data:');
+}
+function hasExecutableHtmlEventAttribute(value) {
+    let index = 0;
+    while (index < value.length) {
+        const tagStart = value.indexOf('<', index);
+        if (tagStart === -1)
+            return false;
+        let cursor = tagStart + 1;
+        const firstCode = value.charCodeAt(cursor);
+        if (Number.isNaN(firstCode)
+            || value[cursor] === '/'
+            || value[cursor] === '!'
+            || value[cursor] === '?') {
+            index = cursor;
+            continue;
+        }
+        while (cursor < value.length
+            && !isHtmlWhitespaceCode(value.charCodeAt(cursor))
+            && value[cursor] !== '>') {
+            cursor += 1;
+        }
+        while (cursor < value.length && value[cursor] !== '>') {
+            while (cursor < value.length && isHtmlWhitespaceCode(value.charCodeAt(cursor))) {
+                cursor += 1;
+            }
+            if (cursor >= value.length || value[cursor] === '>') {
+                break;
+            }
+            if (value[cursor] === '/') {
+                cursor += 1;
+                continue;
+            }
+            const nameStart = cursor;
+            while (cursor < value.length && isHtmlAttributeNameChar(value.charCodeAt(cursor))) {
+                cursor += 1;
+            }
+            if (cursor === nameStart) {
+                cursor += 1;
+                continue;
+            }
+            const attrName = value.slice(nameStart, cursor).toLowerCase();
+            while (cursor < value.length && isHtmlWhitespaceCode(value.charCodeAt(cursor))) {
+                cursor += 1;
+            }
+            if (value[cursor] !== '=') {
+                continue;
+            }
+            if (attrName.startsWith('on')) {
+                return true;
+            }
+            cursor += 1;
+            while (cursor < value.length && isHtmlWhitespaceCode(value.charCodeAt(cursor))) {
+                cursor += 1;
+            }
+            if (cursor >= value.length) {
+                break;
+            }
+            const quote = value[cursor];
+            if (quote === '"' || quote === '\'') {
+                cursor += 1;
+                const closingQuoteIndex = value.indexOf(quote, cursor);
+                if (closingQuoteIndex === -1) {
+                    break;
+                }
+                cursor = closingQuoteIndex + 1;
+                continue;
+            }
+            while (cursor < value.length
+                && !isHtmlWhitespaceCode(value.charCodeAt(cursor))
+                && value[cursor] !== '>') {
+                cursor += 1;
+            }
+        }
+        index = cursor + 1;
+    }
+    return false;
 }
 function hasExecutableHtmlUrlAttribute(value) {
     let index = 0;
@@ -194,7 +268,7 @@ export function hasExecutableHtmlSinkPattern(value) {
     if (!value)
         return false;
     return hasExecutableHtmlScriptTag(value)
-        || EXECUTABLE_HTML_EVENT_ATTR_PATTERN.test(value)
+        || hasExecutableHtmlEventAttribute(value)
         || hasExecutableHtmlUrlAttribute(value);
 }
 function getTrustedTypesApi() {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "dalila",
-  "version": "1.10.3",
+  "version": "1.10.4",
   "description": "DOM-first reactive framework based on signals",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/scripts/dev-server.cjs CHANGED Viewed

@@ -116,19 +116,27 @@ function createForbiddenPathError() {
   return error;
 }
-function isPathInsideRoot(candidatePath) {
+function toServedRelativePath(candidatePath) {
+  if (typeof candidatePath !== 'string' || candidatePath.length === 0) {
+    return null;
+  }
   const normalizedPath = path.resolve(candidatePath);
   const relativePath = path.relative(rootDirAbs, normalizedPath);
-  return relativePath === '' || (!relativePath.startsWith('..') && !path.isAbsolute(relativePath));
-}
+  if (relativePath === '') {
+    return '';
+  }
-function normalizeServedPath(candidatePath) {
-  if (typeof candidatePath !== 'string' || candidatePath.length === 0) {
+  if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {
     return null;
   }
-  const normalizedPath = path.resolve(candidatePath);
-  return isPathInsideRoot(normalizedPath) ? normalizedPath : null;
+  return relativePath;
+}
+function normalizeServedPath(candidatePath) {
+  const relativePath = toServedRelativePath(candidatePath);
+  return relativePath == null ? null : path.join(rootDirAbs, relativePath);
 }
 function statServedPath(targetPath) {
@@ -219,6 +227,10 @@ function stringifyInlineScriptPayload(value, indent = 0) {
     .join('\n');
 }
+function stringifyInlineScriptLiteral(value) {
+  return escapeInlineScriptContent(JSON.stringify(value));
+}
 function normalizePreloadStorageType(storageType) {
   return storageType === 'sessionStorage' ? 'sessionStorage' : 'localStorage';
 }
@@ -763,14 +775,14 @@ function findTypeScriptFiles(dir, files = []) {
  */
 function generatePreloadScript(name, defaultValue, storageType = 'localStorage') {
   const safeStorageType = normalizePreloadStorageType(storageType);
-  const payload = JSON.stringify({
+  const payload = stringifyInlineScriptLiteral({
     key: name,
     defaultValue,
     storageType: safeStorageType,
   });
-  const fallbackValue = JSON.stringify(defaultValue);
+  const fallbackValue = stringifyInlineScriptLiteral(defaultValue);
   const script = `(function(){try{var p=${payload};var s=window[p.storageType];var v=s.getItem(p.key);document.documentElement.setAttribute('data-theme',v==null?p.defaultValue:JSON.parse(v))}catch(e){document.documentElement.setAttribute('data-theme',${fallbackValue})}})();`;
-  return escapeInlineScriptContent(script);
+  return script;
 }
 function renderPreloadScriptTags(baseDir) {