jamdesk 1.1.93 → 1.1.95
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json
CHANGED
@@ -1,6 +1,6 @@
1
1
{
2
2
"name": "jamdesk",
3
-
"version": "1.1.
3
+
"version": "1.1.95",
4
4
"description": "CLI for Jamdesk — build, preview, and deploy documentation sites from MDX. Dev server with hot reload, 50+ components, OpenAPI support, AI search, and Mintlify migration",
5
5
"keywords": [
6
6
"jamdesk",
@@ -28,12 +28,27 @@ export interface CachedDiagram {
28
28
height: number;
29
29
}
30
30
31
+
// Coarse tamper check, NOT a sanitizer. mermaid's securityLevel:'strict' is
32
+
// the real defense (it sanitizes at render). This only guards the cache-read
33
+
// path, which re-injects stored bytes via React's raw inner-HTML prop without
34
+
// re-sanitizing — so a tampered same-origin sessionStorage entry is rejected
35
+
// here, forcing a fresh re-sanitized render. Catches the obvious signatures
36
+
// only (non-<svg> root, <script>, inline on*= handlers).
37
+
function looksTampered(svg: string): boolean {
38
+
return (
39
+
!/^\s*<svg/.test(svg) ||
40
+
/<script\b/i.test(svg) ||
41
+
/<[^>]+\son[a-z]+\s*=/i.test(svg)
42
+
);
43
+
}
44
+
31
45
export function readCache(source: string): CachedDiagram | null {
32
46
try {
33
47
const raw = sessionStorage.getItem(CACHE_KEY_PREFIX + hashDiagram(source));
34
48
if (!raw) return null;
35
49
const parsed = JSON.parse(raw) as Partial<CachedDiagram>;
36
50
if (typeof parsed?.svg !== 'string') return null;
51
+
if (looksTampered(parsed.svg)) return null;
37
52
// Normalize the shape so the return honestly matches CachedDiagram:
38
53
// legacy v1 entries predate height tracking, and a tampered/foreign
39
54
// entry could carry a non-numeric height. Coerce both to a number.
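Review bot: The inline-handler pattern on new line 41, `/<[^>]+\son[a-z]+\s*=/i`, only flags an `on*` attribute that is preceded by whitespace, while attribute lists can also be delimited by a closing quote or a `/`; anchoring on `[\s"'/]on[a-z]+\s*=` covers the same signature more consistently. The root check on line 39 is the only pattern without the `i` flag, which is harmless (an uppercase root is simply rejected) but worth a word in the header comment so the asymmetry does not read as accidental. Separately, on line 51 a rejected entry is left in sessionStorage; if the fresh render never reaches writeCache the same bytes are re-parsed and re-rejected on every read, so hoisting the key into a local and calling `sessionStorage.removeItem(key)` before `return null` would evict it. readCache continues past the end of the hunk.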
@@ -52,12 +67,17 @@ export function writeCache(source: string, entry: CachedDiagram): void {
52
67
} catch {}
53
68
}
54
69
55
-
//
56
-
//
57
-
//
70
+
// Real mermaid output has no `height` attribute (it sizes via viewBox +
71
+
// max-width), so fall back to the viewBox height; an explicit `height` still
72
+
// wins when present (other/older renderers). Markup-parsing instead of
73
+
// getBoundingClientRect keeps this jsdom-safe and reflow-free on the hot path.
58
74
export function readSvgHeight(svgMarkup: string): number {
59
-
const
60
-
75
+
const attr = svgMarkup.match(/<svg\b[^>]*\bheight=["']([\d.]+)(?:px)?["']/i);
76
+
if (attr) return parseFloat(attr[1]);
77
+
const viewBox = svgMarkup.match(
78
+
/<svg\b[^>]*\bviewBox=["']\s*[\d.+-]+\s+[\d.+-]+\s+[\d.+-]+\s+([\d.]+)/i
79
+
);
80
+
return viewBox ? parseFloat(viewBox[1]) : 0;
61
81
}
62
82
63
83
interface MermaidInnerProps {
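Review bot: The `\bheight=` anchor on new line 75 matches at any word boundary, and `-` is a non-word character, so a hyphenated attribute ending in `height` (a `data-height="…"` on the root element, for instance) would be read back as the element height; `\sheight=` on line 75 and `\sviewBox=` on line 78 pin the match to a real attribute start. If the project compiles with `noUncheckedIndexedAccess`, `attr[1]` is typed `string | undefined` and `parseFloat(attr[1])` on line 76 will not type-check even though the capture group is unconditional, so `parseFloat(attr[1] ?? '')` keeps it honest without a non-null assertion. `[\d.]+` also admits a lone `.`, which `parseFloat` turns into NaN, so guarding the two return values with `Number.isFinite(h) ? h : 0` preserves the documented `0` fallback.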