overtype 1.1.6 → 1.1.7

@@ -1,5 +1,5 @@
1
1
  /**
2
- * OverType v1.1.6
2
+ * OverType v1.1.7
3
3
  * A lightweight markdown editor library with perfect WYSIWYG alignment
4
4
  * @license MIT
5
5
  * @author Demo User
@@ -140,6 +140,28 @@ var MarkdownParser = class {
140
140
  static parseInlineCode(html) {
141
141
  return html.replace(new RegExp("(?<!`)(`+)(?!`)((?:(?!\\1).)+?)(\\1)(?!`)", "g"), '<code><span class="syntax-marker">$1</span>$2<span class="syntax-marker">$3</span></code>');
142
142
  }
143
+ /**
144
+ * Sanitize URL to prevent XSS attacks
145
+ * @param {string} url - URL to sanitize
146
+ * @returns {string} Safe URL or '#' if dangerous
147
+ */
148
+ static sanitizeUrl(url) {
149
+ const trimmed = url.trim();
150
+ const lower = trimmed.toLowerCase();
151
+ const safeProtocols = [
152
+ "http://",
153
+ "https://",
154
+ "mailto:",
155
+ "ftp://",
156
+ "ftps://"
157
+ ];
158
+ const hasSafeProtocol = safeProtocols.some((protocol) => lower.startsWith(protocol));
159
+ const isRelative = trimmed.startsWith("/") || trimmed.startsWith("#") || trimmed.startsWith("?") || trimmed.startsWith(".") || !trimmed.includes(":") && !trimmed.includes("//");
160
+ if (hasSafeProtocol || isRelative) {
161
+ return url;
162
+ }
163
+ return "#";
164
+ }
143
165
  /**
144
166
  * Parse links
145
167
  * @param {string} html - HTML with potential link markdown
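Review bot: The colon test inside `isRelative` (new line 159) runs on the raw text, so a target written with an HTML character reference — `javascript&colon;alert(1)`, `javascript&#58;…`, `javascript&#x3a;…` — contains no literal `:` or `//`, is classified as relative, and is returned unchanged; once it sits in `href="…"` the browser decodes the reference and the scheme is `javascript:` again. Whether this is reachable depends on the caller: if the text handed to `parseLinks` was already HTML-escaped upstream (so `&` is `&amp;`) the reference is inert, but that escaping would happen before line 140 and is not visible in this hunk. Either state the precondition in the docstring — `Assumes url is already HTML-escaped; character references such as &colon; are not decoded here` — or add a defensive guard ahead of the relative check, e.g. `if (/&(colon;|#x?0*(3a|58);?)/i.test(lower)) return "#";`. Note also that the function trims and lowercases for its checks but returns the untrimmed `url`; harmless for an href, but worth a clause in the `@returns` line.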
@@ -148,7 +170,8 @@ var MarkdownParser = class {
148
170
  static parseLinks(html) {
149
171
  return html.replace(/\[(.+?)\]\((.+?)\)/g, (match, text, url) => {
150
172
  const anchorName = `--link-${this.linkIndex++}`;
151
- return `<a href="${url}" style="anchor-name: ${anchorName}"><span class="syntax-marker">[</span>${text}<span class="syntax-marker">](</span><span class="syntax-marker link-url">${url}</span><span class="syntax-marker">)</span></a>`;
173
+ const safeUrl = this.sanitizeUrl(url);
174
+ return `<a href="${safeUrl}" style="anchor-name: ${anchorName}"><span class="syntax-marker">[</span>${text}<span class="syntax-marker">](</span><span class="syntax-marker link-url">${url}</span><span class="syntax-marker">)</span></a>`;
152
175
  });
153
176
  }
154
177
  /**
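Review bot: `safeUrl` is interpolated into `href="${safeUrl}"` with no attribute escaping, and `sanitizeUrl` accepts any string that merely lacks `:` and `//`, so a target such as `" onmouseover="alert(1` (the lazy `.+?` stops at the first `)`) passes the new check and closes the attribute. This only matters if the input has not already been entity-escaped before `parseLinks` runs, which this hunk cannot show; if it has, a raw `"` never occurs and the extra escape is a no-op, so it is cheap to make unconditional: `const safeUrl = this.sanitizeUrl(url).replace(/"/g, "&quot;");`. The same absence of escaping applies to `${text}` and the displayed `${url}` on the return line, which this change leaves as they were.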