jamdesk 1.1.94 → 1.1.95
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "jamdesk",
|
|
3
|
-
"version": "1.1.
|
|
3
|
+
"version": "1.1.95",
|
|
4
4
|
"description": "CLI for Jamdesk — build, preview, and deploy documentation sites from MDX. Dev server with hot reload, 50+ components, OpenAPI support, AI search, and Mintlify migration",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"jamdesk",
|
|
@@ -28,26 +28,27 @@ export interface CachedDiagram {
|
|
|
28
28
|
height: number;
|
|
29
29
|
}
|
|
30
30
|
|
|
31
|
+
// Coarse tamper check, NOT a sanitizer. mermaid's securityLevel:'strict' is
|
|
32
|
+
// the real defense (it sanitizes at render). This only guards the cache-read
|
|
33
|
+
// path, which re-injects stored bytes via React's raw inner-HTML prop without
|
|
34
|
+
// re-sanitizing — so a tampered same-origin sessionStorage entry is rejected
|
|
35
|
+
// here, forcing a fresh re-sanitized render. Catches the obvious signatures
|
|
36
|
+
// only (non-<svg> root, <script>, inline on*= handlers).
|
|
37
|
+
function looksTampered(svg: string): boolean {
|
|
38
|
+
return (
|
|
39
|
+
!/^\s*<svg/.test(svg) ||
|
|
40
|
+
/<script\b/i.test(svg) ||
|
|
41
|
+
/<[^>]+\son[a-z]+\s*=/i.test(svg)
|
|
42
|
+
);
|
|
43
|
+
}
|
|
44
|
+
|
|
31
45
|
export function readCache(source: string): CachedDiagram | null {
|
|
32
46
|
try {
|
|
33
47
|
const raw = sessionStorage.getItem(CACHE_KEY_PREFIX + hashDiagram(source));
|
|
34
48
|
if (!raw) return null;
|
|
35
49
|
const parsed = JSON.parse(raw) as Partial<CachedDiagram>;
|
|
36
50
|
if (typeof parsed?.svg !== 'string') return null;
|
|
37
|
-
|
|
38
|
-
// 'strict'), but the cache-read path injects the stored bytes via React's
|
|
39
|
-
// raw inner-HTML prop without re-sanitizing. A tampered sessionStorage
|
|
40
|
-
// entry must not be trusted — reject anything that isn't a bare <svg> root
|
|
41
|
-
// or that carries a <script> or an inline on*= event handler. On rejection
|
|
42
|
-
// we return null so the caller falls back to a fresh, re-sanitized render.
|
|
43
|
-
const svg = parsed.svg.trimStart();
|
|
44
|
-
if (
|
|
45
|
-
!svg.startsWith('<svg') ||
|
|
46
|
-
/<script\b/i.test(svg) ||
|
|
47
|
-
/<[^>]+\son[a-z]+\s*=/i.test(svg)
|
|
48
|
-
) {
|
|
49
|
-
return null;
|
|
50
|
-
}
|
|
51
|
+
if (looksTampered(parsed.svg)) return null;
|
|
51
52
|
// Normalize the shape so the return honestly matches CachedDiagram:
|
|
52
53
|
// legacy v1 entries predate height tracking, and a tampered/foreign
|
|
53
54
|
// entry could carry a non-numeric height. Coerce both to a number.
|
|
@@ -66,12 +67,10 @@ export function writeCache(source: string, entry: CachedDiagram): void {
|
|
|
66
67
|
} catch {}
|
|
67
68
|
}
|
|
68
69
|
|
|
69
|
-
// Real mermaid output
|
|
70
|
-
//
|
|
71
|
-
//
|
|
72
|
-
//
|
|
73
|
-
// getBoundingClientRect works in jsdom and avoids a forced reflow on the
|
|
74
|
-
// production hot path.
|
|
70
|
+
// Real mermaid output has no `height` attribute (it sizes via viewBox +
|
|
71
|
+
// max-width), so fall back to the viewBox height; an explicit `height` still
|
|
72
|
+
// wins when present (other/older renderers). Markup-parsing instead of
|
|
73
|
+
// getBoundingClientRect keeps this jsdom-safe and reflow-free on the hot path.
|
|
75
74
|
export function readSvgHeight(svgMarkup: string): number {
|
|
76
75
|
const attr = svgMarkup.match(/<svg\b[^>]*\bheight=["']([\d.]+)(?:px)?["']/i);
|
|
77
76
|
if (attr) return parseFloat(attr[1]);
|