hono 4.12.9 → 4.12.18

package/dist/jsx/dom/render.js

@@ -45,6 +45,17 @@ var getEventSpec = (key) => {
 };
 var toAttributeName = (element, key) => nameSpaceContext && element instanceof SVGElement && /[A-Z]/.test(key) && (key in element.style || // Presentation attributes are findable in style object. "clip-path", "font-size", "stroke-width", etc.
 key.match(/^(?:o|pai|str|u|ve)/)) ? key.replace(/([A-Z])/g, "-$1").toLowerCase() : key;
+var normalizeFormValue = (value) => value === null || value === void 0 || value === false ? null : value;
+var applySelectValue = (select, props) => {
+  if (!("value" in props)) {
+    return;
+  }
+  select.value = normalizeFormValue(props["value"]);
+  if (!select.multiple && select.selectedIndex === -1) {
+    select.selectedIndex = 0;
+  }
+};
+var isIgnorableAttributeError = (error) => error instanceof DOMException && error.name === "InvalidCharacterError";
 var applyProps = (container, attributes, oldAttributes) => {
   attributes ||= {};
   for (let key in attributes) {
@@ -88,18 +99,14 @@ var applyProps = (container, attributes, oldAttributes) => {
       } else {
         if (key === "value") {
           const nodeName = container.nodeName;
-          if (nodeName === "INPUT" || nodeName === "TEXTAREA" || nodeName === "SELECT") {
+          if (nodeName === "SELECT") {
+            continue;
+          } else if (nodeName === "INPUT" || nodeName === "TEXTAREA") {
             ;
-            container.value = value === null || value === void 0 || value === false ? null : value;
+            container.value = normalizeFormValue(value);
             if (nodeName === "TEXTAREA") {
               container.textContent = value;
               continue;
-            } else if (nodeName === "SELECT") {
-              if (container.selectedIndex === -1) {
-                ;
-                container.selectedIndex = 0;
-              }
-              continue;
             }
           }
         } else if (key === "checked" && container.nodeName === "INPUT" || key === "selected" && container.nodeName === "OPTION") {
@@ -107,14 +114,20 @@ var applyProps = (container, attributes, oldAttributes) => {
           container[key] = value;
         }
         const k = toAttributeName(container, key);
-        if (value === null || value === void 0 || value === false) {
-          container.removeAttribute(k);
-        } else if (value === true) {
-          container.setAttribute(k, "");
-        } else if (typeof value === "string" || typeof value === "number") {
-          container.setAttribute(k, value);
-        } else {
-          container.setAttribute(k, value.toString());
+        try {
+          if (value === null || value === void 0 || value === false) {
+            container.removeAttribute(k);
+          } else if (value === true) {
+            container.setAttribute(k, "");
+          } else if (typeof value === "string" || typeof value === "number") {
+            container.setAttribute(k, value);
+          } else {
+            container.setAttribute(k, value.toString());
+          }
+        } catch (e) {
+          if (!isIgnorableAttributeError(e)) {
+            throw e;
+          }
         }
       }
     }
@@ -130,7 +143,13 @@ var applyProps = (container, attributes, oldAttributes) => {
         } else if (key === "ref") {
           refCleanupMap.get(container)?.();
         } else {
-          container.removeAttribute(toAttributeName(container, key));
+          try {
+            container.removeAttribute(toAttributeName(container, key));
+          } catch (e) {
+            if (!isIgnorableAttributeError(e)) {
+              throw e;
+            }
+          }
         }
       }
     }
@@ -268,6 +287,9 @@ var applyNodeObject = (node, container, isNew) => {
         el = child.e ||= child.n ? document.createElementNS(child.n, child.tag) : document.createElement(child.tag);
         applyProps(el, child.props, child.pP);
         applyNodeObject(child, el, isNewLocal);
+        if (child.tag === "select") {
+          applySelectValue(el, child.props);
+        }
       }
     }
     if (child.tag === HONO_PORTAL_ELEMENT) {

package/dist/jsx/jsx-runtime.js

@@ -3,8 +3,11 @@ import { jsxDEV, Fragment } from "./jsx-dev-runtime.js";
 import { jsxDEV as jsxDEV2 } from "./jsx-dev-runtime.js";
 import { html, raw } from "../helper/html/index.js";
 import { escapeToBuffer, stringBufferToString } from "../utils/html.js";
-import { styleObjectForEach } from "./utils.js";
+import { isValidAttributeName, styleObjectForEach } from "./utils.js";
 var jsxAttr = (key, v) => {
+  if (!isValidAttributeName(key)) {
+    return raw("");
+  }
   const buffer = [`${key}="`];
   if (key === "style" && typeof v === "object") {
     let styleStr = "";

package/dist/jsx/utils.js

@@ -10,18 +10,166 @@ var normalizeElementKeyMap = /* @__PURE__ */ new Map([
   ["formAction", "formaction"]
 ]);
 var normalizeIntrinsicElementKey = (key) => normalizeElementKeyMap.get(key) || key;
+var invalidAttributeNameCharRe = /[\s"'<>/=`\\\x00-\x1f\x7f-\x9f]/;
+var validAttributeNameCache = /* @__PURE__ */ new Set();
+var validAttributeNameCacheMax = 1024;
+var invalidTagNameCharRe = /^[!?]|[\s"'<>/=`\\\x00-\x1f\x7f-\x9f]/;
+var validTagNameCache = /* @__PURE__ */ new Set();
+var validTagNameCacheMax = 256;
+var cacheValidName = (cache, max, name) => {
+  if (cache.size >= max) {
+    cache.clear();
+  }
+  cache.add(name);
+};
+var isValidTagName = (name) => {
+  if (validTagNameCache.has(name)) {
+    return true;
+  }
+  if (typeof name !== "string") {
+    return false;
+  }
+  if (name.length === 0) {
+    return true;
+  }
+  if (invalidTagNameCharRe.test(name)) {
+    return false;
+  }
+  cacheValidName(validTagNameCache, validTagNameCacheMax, name);
+  return true;
+};
+var isValidAttributeName = (name) => {
+  if (validAttributeNameCache.has(name)) {
+    return true;
+  }
+  const len = name.length;
+  if (len === 0) {
+    return false;
+  }
+  for (let i = 0; i < len; i++) {
+    const c = name.charCodeAt(i);
+    if (!(c >= 97 && c <= 122 || // a-z
+    c >= 65 && c <= 90 || // A-Z
+    c >= 48 && c <= 57 || // 0-9
+    c === 45 || // -
+    c === 95 || // _
+    c === 46 || // .
+    c === 58)) {
+      if (!invalidAttributeNameCharRe.test(name)) {
+        cacheValidName(validAttributeNameCache, validAttributeNameCacheMax, name);
+        return true;
+      } else {
+        return false;
+      }
+    }
+  }
+  cacheValidName(validAttributeNameCache, validAttributeNameCacheMax, name);
+  return true;
+};
+var invalidStylePropertyNameCharRe = /[\s"'():;\\/\[\]{}\x00-\x1f\x7f-\x9f]/;
+var validStylePropertyNameCache = /* @__PURE__ */ new Set();
+var validStylePropertyNameCacheMax = 1024;
+var isValidStylePropertyName = (name) => {
+  if (validStylePropertyNameCache.has(name)) {
+    return true;
+  }
+  const len = name.length;
+  if (len === 0) {
+    return false;
+  }
+  for (let i = 0; i < len; i++) {
+    const c = name.charCodeAt(i);
+    if (!(c >= 97 && c <= 122 || // a-z
+    c >= 65 && c <= 90 || // A-Z
+    c >= 48 && c <= 57 || // 0-9
+    c === 45 || // -
+    c === 95)) {
+      if (!invalidStylePropertyNameCharRe.test(name)) {
+        cacheValidName(validStylePropertyNameCache, validStylePropertyNameCacheMax, name);
+        return true;
+      } else {
+        return false;
+      }
+    }
+  }
+  cacheValidName(validStylePropertyNameCache, validStylePropertyNameCacheMax, name);
+  return true;
+};
+var unsafeStyleValueCharRe = /[;"'\\/\[\](){}]/;
+var hasUnsafeStyleValue = (value) => {
+  if (!unsafeStyleValueCharRe.test(value)) {
+    return false;
+  }
+  let quote = 0;
+  const blockStack = [];
+  for (let i = 0, len = value.length; i < len; i++) {
+    const c = value.charCodeAt(i);
+    if (c === 92) {
+      if (i === len - 1) {
+        return true;
+      }
+      i++;
+    } else if (quote !== 0) {
+      if (c === 10 || c === 12 || c === 13) {
+        return true;
+      }
+      if (c === quote) {
+        quote = 0;
+      }
+    } else if (c === 47 && value.charCodeAt(i + 1) === 42) {
+      const end = value.indexOf("*/", i + 2);
+      if (end === -1) {
+        return true;
+      }
+      i = end + 1;
+    } else if (c === 34 || c === 39) {
+      quote = c;
+    } else if (c === 40) {
+      blockStack.push(41);
+    } else if (c === 91) {
+      blockStack.push(93);
+    } else if (c === 123 || c === 125) {
+      return true;
+    } else if (c === 41 || c === 93) {
+      if (blockStack[blockStack.length - 1] !== c) {
+        return true;
+      }
+      blockStack.pop();
+    } else if (c === 59 && blockStack.length === 0) {
+      return true;
+    }
+  }
+  return quote !== 0 || blockStack.length !== 0;
+};
 var styleObjectForEach = (style, fn) => {
   for (const [k, v] of Object.entries(style)) {
     const key = k[0] === "-" || !/[A-Z]/.test(k) ? k : k.replace(/[A-Z]/g, (m) => `-${m.toLowerCase()}`);
-    fn(
-      key,
-      v == null ? null : typeof v === "number" ? !key.match(
+    if (!isValidStylePropertyName(key)) {
+      continue;
+    }
+    if (v == null) {
+      fn(key, null);
+      continue;
+    }
+    let value;
+    if (typeof v === "number") {
+      value = !key.match(
         /^(?:a|border-im|column(?:-c|s)|flex(?:$|-[^b])|grid-(?:ar|[^a])|font-w|li|or|sca|st|ta|wido|z)|ty$/
-      ) ? `${v}px` : `${v}` : v
-    );
+      ) ? `${v}px` : `${v}`;
+    } else if (typeof v === "string") {
+      if (hasUnsafeStyleValue(v)) {
+        continue;
+      }
+      value = v;
+    } else {
+      continue;
+    }
+    fn(key, value);
   }
 };
 export {
+  isValidAttributeName,
+  isValidTagName,
   normalizeIntrinsicElementKey,
   styleObjectForEach
 };

package/dist/middleware/body-limit/index.js

@@ -1,12 +1,6 @@
 // src/middleware/body-limit/index.ts
 import { HTTPException } from "../../http-exception.js";
 var ERROR_MESSAGE = "Payload Too Large";
-var BodyLimitError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "BodyLimitError";
-  }
-};
 var bodyLimit = (options) => {
   const onError = options.onError || (() => {
     const res = new Response(ERROR_MESSAGE, {
@@ -21,40 +15,37 @@ var bodyLimit = (options) => {
     }
     const hasTransferEncoding = c.req.raw.headers.has("transfer-encoding");
     const hasContentLength = c.req.raw.headers.has("content-length");
-    if (hasTransferEncoding && hasContentLength) {
-    }
     if (hasContentLength && !hasTransferEncoding) {
       const contentLength = parseInt(c.req.raw.headers.get("content-length") || "0", 10);
       return contentLength > maxSize ? onError(c) : next();
     }
     let size = 0;
+    const chunks = [];
     const rawReader = c.req.raw.body.getReader();
-    const reader = new ReadableStream({
-      async start(controller) {
-        try {
-          for (; ; ) {
-            const { done, value } = await rawReader.read();
-            if (done) {
-              break;
-            }
-            size += value.length;
-            if (size > maxSize) {
-              controller.error(new BodyLimitError(ERROR_MESSAGE));
-              break;
-            }
-            controller.enqueue(value);
+    for (; ; ) {
+      const { done, value } = await rawReader.read();
+      if (done) {
+        break;
+      }
+      size += value.length;
+      if (size > maxSize) {
+        return onError(c);
+      }
+      chunks.push(value);
+    }
+    const requestInit = {
+      body: new ReadableStream({
+        start(controller) {
+          for (const chunk of chunks) {
+            controller.enqueue(chunk);
           }
-        } finally {
           controller.close();
         }
-      }
-    });
-    const requestInit = { body: reader, duplex: "half" };
+      }),
+      duplex: "half"
+    };
     c.req.raw = new Request(c.req.raw, requestInit);
-    await next();
-    if (c.error instanceof BodyLimitError) {
-      c.res = await onError(c);
-    }
+    return next();
   };
 };
 export {

package/dist/middleware/cache/index.js

@@ -1,8 +1,7 @@
 // src/middleware/cache/index.ts
 var defaultCacheableStatusCodes = [200];
 var shouldSkipCache = (res) => {
-  const vary = res.headers.get("Vary");
-  if (vary && vary.includes("*")) {
+  if (res.headers.has("Vary")) {
     return true;
   }
   const cacheControl = res.headers.get("Cache-Control");
@@ -16,7 +15,12 @@ var shouldSkipCache = (res) => {
 };
 var cache = (options) => {
   if (!globalThis.caches) {
-    console.log("Cache Middleware is not enabled because caches is not defined.");
+    if (options.onCacheNotAvailable === false) {
+    } else if (options.onCacheNotAvailable) {
+      options.onCacheNotAvailable();
+    } else {
+      console.log("Cache Middleware is not enabled because caches is not defined.");
+    }
     return async (_c, next) => await next();
   }
   if (options.wait === void 0) {
@@ -58,6 +62,10 @@ var cache = (options) => {
     }
   };
   return async function cache2(c, next) {
+    if (c.req.method !== "GET" || c.req.raw.headers.has("Authorization")) {
+      await next();
+      return;
+    }
     let key = c.req.url;
     if (options.keyGenerator) {
       key = await options.keyGenerator(c);

package/dist/middleware/compress/index.js

@@ -24,6 +24,10 @@ var compress = (options) => {
     ctx.res = new Response(ctx.res.body.pipeThrough(stream), ctx.res);
     ctx.res.headers.delete("Content-Length");
     ctx.res.headers.set("Content-Encoding", encoding);
+    const etag = ctx.res.headers.get("ETag");
+    if (etag && !etag.startsWith("W/")) {
+      ctx.res.headers.set("ETag", `W/${etag}`);
+    }
   };
 };
 var shouldCompress = (res) => {

package/dist/middleware/cors/index.js

@@ -1,13 +1,10 @@
 // src/middleware/cors/index.ts
 var cors = (options) => {
-  const defaults = {
+  const opts = {
     origin: "*",
     allowMethods: ["GET", "HEAD", "PUT", "POST", "DELETE", "PATCH"],
     allowHeaders: [],
-    exposeHeaders: []
-  };
-  const opts = {
-    ...defaults,
+    exposeHeaders: [],
     ...options
   };
   const findAllowOrigin = ((optsOrigin) => {

package/dist/middleware/ip-restriction/index.js

@@ -1,10 +1,12 @@
 // src/middleware/ip-restriction/index.ts
 import { HTTPException } from "../../http-exception.js";
 import {
+  convertIPv4MappedIPv6ToIPv4,
   convertIPv4ToBinary,
   convertIPv6BinaryToString,
   convertIPv6ToBinary,
-  distinctRemoteAddr
+  distinctRemoteAddr,
+  isIPv4MappedIPv6
 } from "../../utils/ipaddr.js";
 var IS_CIDR_NOTATION_REGEX = /\/[0-9]{0,3}$/;
 var buildMatcher = (rules) => {
@@ -24,12 +26,17 @@ var buildMatcher = (rules) => {
         if (type2 === void 0) {
           throw new TypeError(`Invalid rule: ${rule}`);
         }
-        const isIPv4 = type2 === "IPv4";
-        const prefix = parseInt(separatedRule[1]);
+        let isIPv4 = type2 === "IPv4";
+        let prefix = parseInt(separatedRule[1]);
         if (isIPv4 ? prefix === 32 : prefix === 128) {
           rule = addrStr;
         } else {
-          const addr = (isIPv4 ? convertIPv4ToBinary : convertIPv6ToBinary)(addrStr);
+          let addr = (isIPv4 ? convertIPv4ToBinary : convertIPv6ToBinary)(addrStr);
+          if (type2 === "IPv6" && isIPv4MappedIPv6(addr) && prefix >= 96) {
+            isIPv4 = true;
+            addr = convertIPv4MappedIPv6ToIPv4(addr);
+            prefix -= 96;
+          }
           const mask = (1n << BigInt(prefix)) - 1n << BigInt((isIPv4 ? 32 : 128) - prefix);
           cidrRules.push([isIPv4, addr & mask, mask]);
           continue;
@@ -39,21 +46,38 @@ var buildMatcher = (rules) => {
       if (type === void 0) {
         throw new TypeError(`Invalid rule: ${rule}`);
       }
-      staticRules.add(
-        type === "IPv4" ? rule : convertIPv6BinaryToString(convertIPv6ToBinary(rule))
-        // normalize IPv6 address (e.g. 0000:0000:0000:0000:0000:0000:0000:0001 => ::1)
-      );
+      if (type === "IPv4") {
+        staticRules.add(rule);
+        staticRules.add(`::ffff:${rule}`);
+      } else {
+        const ipv6binary = convertIPv6ToBinary(rule);
+        const ipv6Addr = convertIPv6BinaryToString(ipv6binary);
+        staticRules.add(ipv6Addr);
+        if (isIPv4MappedIPv6(ipv6binary)) {
+          staticRules.add(ipv6Addr.substring(7));
+        }
+      }
     }
   }
   return (remote) => {
     if (staticRules.has(remote.addr)) {
       return true;
     }
+    const remoteAddr = remote.binaryAddr ||= (remote.isIPv4 ? convertIPv4ToBinary : convertIPv6ToBinary)(remote.addr);
+    const remoteIPv4Addr = remote.isIPv4 || isIPv4MappedIPv6(remoteAddr) ? remote.isIPv4 ? remoteAddr : convertIPv4MappedIPv6ToIPv4(remoteAddr) : void 0;
     for (const [isIPv4, addr, mask] of cidrRules) {
-      if (isIPv4 !== remote.isIPv4) {
+      if (isIPv4) {
+        if (remoteIPv4Addr === void 0) {
+          continue;
+        }
+        if ((remoteIPv4Addr & mask) === addr) {
+          return true;
+        }
+        continue;
+      }
+      if (remote.isIPv4) {
         continue;
       }
-      const remoteAddr = remote.binaryAddr ||= (isIPv4 ? convertIPv4ToBinary : convertIPv6ToBinary)(remote.addr);
       if ((remoteAddr & mask) === addr) {
         return true;
       }

package/dist/middleware/method-override/index.js

@@ -28,7 +28,7 @@ var methodOverride = (options) => async function methodOverride2(c, next) {
         return app.fetch(request, c.env, getExecutionCtx(c));
       }
     }
-    if (contentType === "application/x-www-form-urlencoded") {
+    if (contentType?.startsWith("application/x-www-form-urlencoded")) {
       const params = await parseBody(clonedRequest);
       const method = params[methodFormName];
       if (method) {

package/dist/middleware/serve-static/index.js

@@ -24,7 +24,7 @@ var serveStatic = (options) => {
     } else {
       try {
         filename = tryDecodeURI(c.req.path);
-        if (/(?:^|[\/\\])\.\.(?:$|[\/\\])/.test(filename)) {
+        if (/(?:^|[\/\\])\.{1,2}(?:$|[\/\\])|[\/\\]{2,}/.test(filename)) {
           throw new Error();
         }
       } catch {

package/dist/middleware/trailing-slash/index.js

@@ -19,14 +19,14 @@ var trimTrailingSlash = (options) => {
 var appendTrailingSlash = (options) => {
   return async function appendTrailingSlash2(c, next) {
     if (options?.alwaysRedirect) {
-      if ((c.req.method === "GET" || c.req.method === "HEAD") && c.req.path.at(-1) !== "/") {
+      if ((c.req.method === "GET" || c.req.method === "HEAD") && c.req.path.at(-1) !== "/" && !options.skip?.(c.req.path)) {
         const url = new URL(c.req.url);
         url.pathname += "/";
         return c.redirect(url.toString(), 301);
       }
     }
     await next();
-    if (!options?.alwaysRedirect && c.res.status === 404 && (c.req.method === "GET" || c.req.method === "HEAD") && c.req.path.at(-1) !== "/") {
+    if (!options?.alwaysRedirect && c.res.status === 404 && (c.req.method === "GET" || c.req.method === "HEAD") && c.req.path.at(-1) !== "/" && !options?.skip?.(c.req.path)) {
       const url = new URL(c.req.url);
       url.pathname += "/";
       c.res = c.redirect(url.toString(), 301);