overtype 1.1.5 → 1.1.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +4 -1
- package/dist/overtype.esm.js +35 -7
- package/dist/overtype.esm.js.map +2 -2
- package/dist/overtype.js +35 -7
- package/dist/overtype.js.map +2 -2
- package/dist/overtype.min.js +10 -10
- package/package.json +1 -1
- package/src/parser.js +66 -11
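--- a/package/dist/overtype.js
+++ b/package/dist/overtype.js
@@ -1,5 +1,5 @@
 /**
-* OverType v1.1.
+* OverType v1.1.7
 * A lightweight markdown editor library with perfect WYSIWYG alignment
 * @license MIT
 * @author Demo User
@@ -164,6 +164,28 @@ var OverType = (() => {
 static parseInlineCode(html) {
 return html.replace(new RegExp("(?<!`)(`+)(?!`)((?:(?!\\1).)+?)(\\1)(?!`)", "g"), '<code><span class="syntax-marker">$1</span>$2<span class="syntax-marker">$3</span></code>');
 }
+/**
+* Sanitize URL to prevent XSS attacks
+* @param {string} url - URL to sanitize
+* @returns {string} Safe URL or '#' if dangerous
+*/
+static sanitizeUrl(url) {
+const trimmed = url.trim();
+const lower = trimmed.toLowerCase();
+const safeProtocols = [
+"http://",
+"https://",
+"mailto:",
+"ftp://",
+"ftps://"
+];
+const hasSafeProtocol = safeProtocols.some((protocol) => lower.startsWith(protocol));
+const isRelative = trimmed.startsWith("/") || trimmed.startsWith("#") || trimmed.startsWith("?") || trimmed.startsWith(".") || !trimmed.includes(":") && !trimmed.includes("//");
+if (hasSafeProtocol || isRelative) {
+return url;
+}
+return "#";
+}
 /**
 * Parse links
 * @param {string} html - HTML with potential link markdown
@@ -172,7 +194,8 @@ var OverType = (() => {
 static parseLinks(html) {
 return html.replace(/\[(.+?)\]\((.+?)\)/g, (match, text, url) => {
 const anchorName = `--link-${this.linkIndex++}`;
-
+const safeUrl = this.sanitizeUrl(url);
+return `<a href="${safeUrl}" style="anchor-name: ${anchorName}"><span class="syntax-marker">[</span>${text}<span class="syntax-marker">](</span><span class="syntax-marker link-url">${url}</span><span class="syntax-marker">)</span></a>`;
 });
 }
 /**
@@ -183,17 +206,22 @@ var OverType = (() => {
 static parseInlineElements(text) {
 let html = text;
 html = this.parseInlineCode(html);
-const
+const sanctuaries = /* @__PURE__ */ new Map();
 html = html.replace(/(<code>.*?<\/code>)/g, (match) => {
-const placeholder = `\uE000${
-
+const placeholder = `\uE000${sanctuaries.size}\uE001`;
+sanctuaries.set(placeholder, match);
 return placeholder;
 });
 html = this.parseLinks(html);
+html = html.replace(/(<a[^>]*>.*?<\/a>)/g, (match) => {
+const placeholder = `\uE000${sanctuaries.size}\uE001`;
+sanctuaries.set(placeholder, match);
+return placeholder;
+});
 html = this.parseBold(html);
 html = this.parseItalic(html);
-
-html = html.replace(placeholder,
+sanctuaries.forEach((content, placeholder) => {
+html = html.replace(placeholder, content);
 });
 return html;
 }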
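Review bot: `sanitizeUrl` (new lines 172–188) decides on the raw markdown text, but `parseLinks` (hunk at -172,+194) drops the result into `href="${safeUrl}"` with no attribute escaping, so a `"` in the link target terminates the attribute and character references are decoded by the browser only after the `includes(":")` fallback in `isRelative` has already accepted the string as relative. Parsing with `new URL(trimmed, base)` and allowlisting `parsed.protocol` makes the decision on what the browser will actually resolve, and escaping `&`, `"`, `<`, `>` on output closes the attribute break-out; the rewrite below does both and returns the attribute-ready value, so the `@returns` doc should say it is meant only for interpolation into `href`. Since `dist/overtype.js` is presumably built output of `package/src/parser.js` (also in this diff), the change belongs there. Separately, `html.replace(placeholder, content)` in `parseInlineElements` (new line 224) interprets `$&`, `$$` and `$1` inside restored code or link content as replacement patterns; `html = html.replace(placeholder, () => content);` restores the text verbatim.
```javascript
  static sanitizeUrl(url) {
    const trimmed = url.trim();
    // Judge the scheme the browser will resolve, not the raw text: the URL parser
    // normalises case and strips embedded tab/newline before picking a protocol.
    let parsed;
    try {
      // constructed base: any fixed origin works, it only anchors relative references
      parsed = new URL(trimmed, "https://relative.invalid/");
    } catch {
      return "#";
    }
    const safeProtocols = new Set(["http:", "https:", "mailto:", "ftp:", "ftps:"]);
    if (!safeProtocols.has(parsed.protocol)) {
      return "#";
    }
    // Escape for a double-quoted attribute so the value cannot end the attribute
    // and any character reference in it reaches the browser literally.
    return trimmed
      .replace(/&/g, "&amp;")
      .replace(/"/g, "&quot;")
      .replace(/</g, "&lt;")
      .replace(/>/g, "&gt;");
  }
```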