ghtml 2.0.1 → 2.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.eslintrc.json +2 -1
- package/README.md +4 -4
- package/SECURITY.md +12 -0
- package/package.json +1 -1
- package/src/html.js +18 -20
package/.eslintrc.json
CHANGED
package/README.md
CHANGED
|
@@ -8,7 +8,7 @@ Inspired by [html-template-tag](https://github.com/AntonioVdlC/html-template-tag
|
|
|
8
8
|
npm i ghtml
|
|
9
9
|
```
|
|
10
10
|
|
|
11
|
-
## API
|
|
11
|
+
## API
|
|
12
12
|
|
|
13
13
|
### `html`
|
|
14
14
|
|
|
@@ -26,13 +26,13 @@ Keep in mind that, in Node.js, all else being equal, streaming a response using
|
|
|
26
26
|
|
|
27
27
|
This version of HTML generator should be preferred for asynchronous and streaming use cases. The output is generated as the promise expressions resolve or stream expressions send data.
|
|
28
28
|
|
|
29
|
-
**
|
|
29
|
+
**Note:**
|
|
30
30
|
|
|
31
31
|
Because they return generators instead of strings, a key difference of `htmlGenerator` and `htmlAsyncGenerator` is their ability to recognize and properly handle iterable elements within array expressions. This is to detect nested `htmlGenerator` and `htmlAsyncGenerator` usage, enabling scenarios such as ``${[1, 2, 3].map(i => htmlGenerator`<li>${i}</li>`)}``.
|
|
32
32
|
|
|
33
33
|
### `includeFile`
|
|
34
34
|
|
|
35
|
-
Available in Node.js, the `includeFile` function is a wrapper around `readFileSync`. It reads and
|
|
35
|
+
Available in Node.js, the `includeFile` function is a wrapper around `readFileSync`. It reads and returns the content of a file while also caching it in memory for faster future reuse.
|
|
36
36
|
|
|
37
37
|
## Usage
|
|
38
38
|
|
|
@@ -171,4 +171,4 @@ console.log(logo);
|
|
|
171
171
|
|
|
172
172
|
## Security
|
|
173
173
|
|
|
174
|
-
Like [similar](https://
|
|
174
|
+
Like [similar](https://github.com/mde/ejs/blob/main/SECURITY.md#out-of-scope-vulnerabilities) [tools](https://handlebarsjs.com/guide/#html-escaping), ghtml does not prevent all kinds of XSS attacks. It is the responsibility of developers to sanitize user inputs. Some inherently insecure uses include dynamically generating JavaScript, failing to quote HTML attribute values (especially when they contain expressions), and relying on unsanitized user-provided URLs.
|
package/SECURITY.md
ADDED
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
# Security Policy
|
|
2
|
+
|
|
3
|
+
## Supported Versions
|
|
4
|
+
|
|
5
|
+
| Version | Supported |
|
|
6
|
+
| ------- | ------------------ |
|
|
7
|
+
| ^1 | :x: |
|
|
8
|
+
| ^2 | :white_check_mark: |
|
|
9
|
+
|
|
10
|
+
## Reporting a Vulnerability
|
|
11
|
+
|
|
12
|
+
Please report all vulnerabilities to [https://github.com/gurgunday/ghtml/security](https://github.com/gurgunday/ghtml/security).
|
package/package.json
CHANGED
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
"description": "Replace your template engine with fast JavaScript by leveraging the power of tagged templates.",
|
|
4
4
|
"author": "Gürgün Dayıoğlu",
|
|
5
5
|
"license": "MIT",
|
|
6
|
-
"version": "2.0.
|
|
6
|
+
"version": "2.0.3",
|
|
7
7
|
"type": "module",
|
|
8
8
|
"main": "./src/index.js",
|
|
9
9
|
"exports": {
|
package/src/html.js
CHANGED
|
@@ -1,3 +1,9 @@
|
|
|
1
|
+
const arrayIsArray = Array.isArray;
|
|
2
|
+
|
|
3
|
+
const symbolIterator = Symbol.iterator;
|
|
4
|
+
|
|
5
|
+
const symbolAsyncIterator = Symbol.asyncIterator;
|
|
6
|
+
|
|
1
7
|
const escapeDictionary = {
|
|
2
8
|
'"': """,
|
|
3
9
|
"&": "&",
|
|
@@ -7,10 +13,7 @@ const escapeDictionary = {
|
|
|
7
13
|
"`": "`",
|
|
8
14
|
};
|
|
9
15
|
|
|
10
|
-
const escapeRegExp = new RegExp(
|
|
11
|
-
`[${Object.keys(escapeDictionary).join("")}]`,
|
|
12
|
-
"u",
|
|
13
|
-
);
|
|
16
|
+
const escapeRegExp = new RegExp(`[${Object.keys(escapeDictionary).join("")}]`);
|
|
14
17
|
|
|
15
18
|
const escapeFunction = (string) => {
|
|
16
19
|
const stringLength = string.length;
|
|
@@ -30,8 +33,6 @@ const escapeFunction = (string) => {
|
|
|
30
33
|
return escaped + string.slice(start, end);
|
|
31
34
|
};
|
|
32
35
|
|
|
33
|
-
const arrayIsArray = Array.isArray;
|
|
34
|
-
|
|
35
36
|
/**
|
|
36
37
|
* @param {{ raw: string[] }} literals Tagged template literals.
|
|
37
38
|
* @param {...any} expressions Expressions to interpolate.
|
|
@@ -48,7 +49,7 @@ const html = ({ raw: literals }, ...expressions) => {
|
|
|
48
49
|
let string =
|
|
49
50
|
typeof expression === "string"
|
|
50
51
|
? expression
|
|
51
|
-
: expression
|
|
52
|
+
: expression == null
|
|
52
53
|
? ""
|
|
53
54
|
: arrayIsArray(expression)
|
|
54
55
|
? expression.join("")
|
|
@@ -82,10 +83,10 @@ const htmlGenerator = function* ({ raw: literals }, ...expressions) {
|
|
|
82
83
|
|
|
83
84
|
if (typeof expression === "string") {
|
|
84
85
|
string = expression;
|
|
85
|
-
} else if (expression
|
|
86
|
+
} else if (expression == null) {
|
|
86
87
|
string = "";
|
|
87
88
|
} else {
|
|
88
|
-
if (expression[
|
|
89
|
+
if (expression[symbolIterator]) {
|
|
89
90
|
const isRaw =
|
|
90
91
|
literal !== "" && literal.charCodeAt(literal.length - 1) === 33;
|
|
91
92
|
|
|
@@ -101,16 +102,16 @@ const htmlGenerator = function* ({ raw: literals }, ...expressions) {
|
|
|
101
102
|
if (typeof expression === "string") {
|
|
102
103
|
string = expression;
|
|
103
104
|
} else {
|
|
104
|
-
if (expression
|
|
105
|
+
if (expression == null) {
|
|
105
106
|
continue;
|
|
106
107
|
}
|
|
107
108
|
|
|
108
|
-
if (expression[
|
|
109
|
+
if (expression[symbolIterator]) {
|
|
109
110
|
for (expression of expression) {
|
|
110
111
|
if (typeof expression === "string") {
|
|
111
112
|
string = expression;
|
|
112
113
|
} else {
|
|
113
|
-
if (expression
|
|
114
|
+
if (expression == null) {
|
|
114
115
|
continue;
|
|
115
116
|
}
|
|
116
117
|
|
|
@@ -179,10 +180,10 @@ const htmlAsyncGenerator = async function* ({ raw: literals }, ...expressions) {
|
|
|
179
180
|
|
|
180
181
|
if (typeof expression === "string") {
|
|
181
182
|
string = expression;
|
|
182
|
-
} else if (expression
|
|
183
|
+
} else if (expression == null) {
|
|
183
184
|
string = "";
|
|
184
185
|
} else {
|
|
185
|
-
if (expression[
|
|
186
|
+
if (expression[symbolIterator] || expression[symbolAsyncIterator]) {
|
|
186
187
|
const isRaw =
|
|
187
188
|
literal !== "" && literal.charCodeAt(literal.length - 1) === 33;
|
|
188
189
|
|
|
@@ -198,19 +199,16 @@ const htmlAsyncGenerator = async function* ({ raw: literals }, ...expressions) {
|
|
|
198
199
|
if (typeof expression === "string") {
|
|
199
200
|
string = expression;
|
|
200
201
|
} else {
|
|
201
|
-
if (expression
|
|
202
|
+
if (expression == null) {
|
|
202
203
|
continue;
|
|
203
204
|
}
|
|
204
205
|
|
|
205
|
-
if (
|
|
206
|
-
expression[Symbol.iterator] ||
|
|
207
|
-
expression[Symbol.asyncIterator]
|
|
208
|
-
) {
|
|
206
|
+
if (expression[symbolIterator] || expression[symbolAsyncIterator]) {
|
|
209
207
|
for await (expression of expression) {
|
|
210
208
|
if (typeof expression === "string") {
|
|
211
209
|
string = expression;
|
|
212
210
|
} else {
|
|
213
|
-
if (expression
|
|
211
|
+
if (expression == null) {
|
|
214
212
|
continue;
|
|
215
213
|
}
|
|
216
214
|
|