react-next-editor-js 0.1.0

package/dist/chunk-5F6SPYCN.cjs

@@ -0,0 +1,180 @@
+'use strict';
+
+// src/security/sanitize.ts
+var SAFE_LINK_SCHEMES = /* @__PURE__ */ new Set(["http:", "https:", "mailto:", "tel:", "ftp:"]);
+var SAFE_IMAGE_SCHEMES = /* @__PURE__ */ new Set(["http:", "https:", "blob:"]);
+var MAX_DATA_URI_LENGTH = 35e5;
+var MAX_URL_LENGTH = 16384;
+var DANGEROUS_SCHEME = /^(javascript|vbscript|data|file):/i;
+function stripControlChars(value) {
+  let out = "";
+  for (let i = 0; i < value.length; i++) {
+    const code = value.charCodeAt(i);
+    if (code <= 32 || code >= 127 && code <= 159) continue;
+    out += value[i];
+  }
+  return out;
+}
+function sanitizeUrl(raw) {
+  if (!raw) return null;
+  if (raw.length > MAX_URL_LENGTH) return null;
+  const value = raw.trim();
+  if (!value) return null;
+  const cleaned = stripControlChars(value);
+  if (!cleaned) return null;
+  if (DANGEROUS_SCHEME.test(cleaned)) return null;
+  if (cleaned.startsWith("//")) return `https:${cleaned}`;
+  if (cleaned.startsWith("/") || cleaned.startsWith("#") || cleaned.startsWith("?") || cleaned.startsWith("./") || cleaned.startsWith("../")) {
+    return cleaned;
+  }
+  const schemeMatch = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
+  if (schemeMatch) {
+    const scheme = `${schemeMatch[1].toLowerCase()}:`;
+    return SAFE_LINK_SCHEMES.has(scheme) ? cleaned : null;
+  }
+  return cleaned;
+}
+function sanitizeImageSrc(raw) {
+  if (!raw) return null;
+  if (raw.length > MAX_DATA_URI_LENGTH) return null;
+  const value = raw.trim();
+  if (!value) return null;
+  const cleaned = stripControlChars(value);
+  if (!cleaned) return null;
+  if (/^data:/i.test(cleaned)) {
+    if (cleaned.length > MAX_DATA_URI_LENGTH) return null;
+    if (/^data:image\/(png|jpe?g|gif|webp|bmp|x-icon|vnd\.microsoft\.icon);/i.test(cleaned)) {
+      return cleaned;
+    }
+    return null;
+  }
+  if (cleaned.startsWith("//")) return `https:${cleaned}`;
+  if (cleaned.startsWith("/") || cleaned.startsWith("./") || cleaned.startsWith("../")) {
+    return cleaned;
+  }
+  const schemeMatch = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
+  if (schemeMatch) {
+    const scheme = `${schemeMatch[1].toLowerCase()}:`;
+    return SAFE_IMAGE_SCHEMES.has(scheme) ? cleaned : null;
+  }
+  return cleaned;
+}
+var ALLOWED_HTML_TAGS = [
+  "p",
+  "br",
+  "span",
+  "div",
+  "h1",
+  "h2",
+  "h3",
+  "h4",
+  "h5",
+  "h6",
+  "strong",
+  "b",
+  "em",
+  "i",
+  "u",
+  "s",
+  "del",
+  "strike",
+  "sub",
+  "sup",
+  "mark",
+  "code",
+  "pre",
+  "blockquote",
+  "ul",
+  "ol",
+  "li",
+  "a",
+  "img",
+  "table",
+  "thead",
+  "tbody",
+  "tfoot",
+  "tr",
+  "th",
+  "td",
+  "hr",
+  "caption",
+  "colgroup",
+  "col"
+];
+var ALLOWED_HTML_ATTRS = [
+  "href",
+  "title",
+  "target",
+  "src",
+  "alt",
+  "width",
+  "height",
+  "colspan",
+  "rowspan",
+  "style",
+  "align",
+  "start",
+  "type",
+  "data-checked"
+];
+var purifierPromise = null;
+var cachedPurify = null;
+async function getPurifier() {
+  if (purifierPromise) return purifierPromise;
+  purifierPromise = (async () => {
+    if (typeof window === "undefined") return null;
+    const mod = await import('dompurify');
+    const factory = mod.default ?? mod;
+    const purify = factory(window);
+    purify.addHook("afterSanitizeAttributes", (node) => {
+      const el = node;
+      if (el.hasAttribute && el.hasAttribute("href")) {
+        const safe = sanitizeUrl(el.getAttribute("href"));
+        if (safe) el.setAttribute("href", safe);
+        else el.removeAttribute("href");
+      }
+      if (el.tagName === "IMG" && el.hasAttribute("src")) {
+        const safe = sanitizeImageSrc(el.getAttribute("src"));
+        if (safe) el.setAttribute("src", safe);
+        else el.removeAttribute("src");
+      }
+      if (el.tagName === "A") {
+        el.setAttribute("rel", "noopener noreferrer nofollow");
+      }
+    });
+    const fn = (html) => purify.sanitize(html, {
+      // An explicit allow-list (do not combine with USE_PROFILES, which would
+      // widen the tag set and conflict with ALLOWED_TAGS).
+      ALLOWED_TAGS: ALLOWED_HTML_TAGS,
+      ALLOWED_ATTR: ALLOWED_HTML_ATTRS,
+      FORBID_TAGS: ["script", "style", "iframe", "object", "embed", "form", "svg", "math"],
+      FORBID_ATTR: ["srcset"],
+      ALLOW_DATA_ATTR: false,
+      ALLOW_UNKNOWN_PROTOCOLS: false
+    });
+    cachedPurify = fn;
+    return fn;
+  })();
+  return purifierPromise;
+}
+async function preloadSanitizer() {
+  await getPurifier();
+}
+function basicScrubHtml(html) {
+  return html.replace(/<\s*(script|style|iframe|object|embed|svg|math)\b[\s\S]*?<\s*\/\s*\1\s*>/gi, "").replace(/<\s*(script|style|iframe|object|embed|svg|math)\b[^>]*>/gi, "").replace(/\son[a-z]+\s*=\s*"[^"]*"/gi, "").replace(/\son[a-z]+\s*=\s*'[^']*'/gi, "").replace(/\son[a-z]+\s*=\s*[^\s>]+/gi, "").replace(/(href|src)\s*=\s*"\s*(?:javascript|vbscript|data:text\/html)[^"]*"/gi, '$1="#"').replace(/(href|src)\s*=\s*'\s*(?:javascript|vbscript|data:text\/html)[^']*'/gi, "$1='#'");
+}
+function sanitizeHtmlSync(html) {
+  return cachedPurify ? cachedPurify(html) : basicScrubHtml(html);
+}
+async function sanitizeHtml(html) {
+  const purify = await getPurifier();
+  return purify ? purify(html) : basicScrubHtml(html);
+}
+
+exports.preloadSanitizer = preloadSanitizer;
+exports.sanitizeHtml = sanitizeHtml;
+exports.sanitizeHtmlSync = sanitizeHtmlSync;
+exports.sanitizeImageSrc = sanitizeImageSrc;
+exports.sanitizeUrl = sanitizeUrl;
+//# sourceMappingURL=chunk-5F6SPYCN.cjs.map
+//# sourceMappingURL=chunk-5F6SPYCN.cjs.map

package/dist/chunk-5F6SPYCN.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/security/sanitize.ts"],"names":[],"mappings":";;;AAQA,IAAM,iBAAA,uBAAwB,GAAA,CAAI,CAAC,SAAS,QAAA,EAAU,SAAA,EAAW,MAAA,EAAQ,MAAM,CAAC,CAAA;AAGhF,IAAM,qCAAqB,IAAI,GAAA,CAAI,CAAC,OAAA,EAAS,QAAA,EAAU,OAAO,CAAC,CAAA;AAG/D,IAAM,mBAAA,GAAsB,IAAA;AAE5B,IAAM,cAAA,GAAiB,KAAA;AAEvB,IAAM,gBAAA,GAAmB,oCAAA;AAOzB,SAAS,kBAAkB,KAAA,EAAuB;AAChD,EAAA,IAAI,GAAA,GAAM,EAAA;AACV,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACrC,IAAA,MAAM,IAAA,GAAO,KAAA,CAAM,UAAA,CAAW,CAAC,CAAA;AAE/B,IAAA,IAAI,IAAA,IAAQ,EAAA,IAAS,IAAA,IAAQ,GAAA,IAAQ,QAAQ,GAAA,EAAO;AACpD,IAAA,GAAA,IAAO,MAAM,CAAC,CAAA;AAAA,EAChB;AACA,EAAA,OAAO,GAAA;AACT;AAOO,SAAS,YAAY,GAAA,EAA+C;AACzE,EAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AACjB,EAAA,IAAI,GAAA,CAAI,MAAA,GAAS,cAAA,EAAgB,OAAO,IAAA;AACxC,EAAA,MAAM,KAAA,GAAQ,IAAI,IAAA,EAAK;AACvB,EAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AAEnB,EAAA,MAAM,OAAA,GAAU,kBAAkB,KAAK,CAAA;AACvC,EAAA,IAAI,CAAC,SAAS,OAAO,IAAA;AACrB,EAAA,IAAI,gBAAA,CAAiB,IAAA,CAAK,OAAO,CAAA,EAAG,OAAO,IAAA;AAG3C,EAAA,IAAI,QAAQ,UAAA,CAAW,IAAI,CAAA,EAAG,OAAO,SAAS,OAAO,CAAA,CAAA;AAErD,EAAA,IACE,QAAQ,UAAA,CAAW,GAAG,KACtB,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,IACtB,OAAA,CAAQ,WAAW,GAAG,CAAA,IACtB,QAAQ,UAAA,CAAW,IAAI,KACvB,OAAA,CAAQ,UAAA,CAAW,KAAK,CAAA,EACxB;AACA,IAAA,OAAO,OAAA;AAAA,EACT;AAGA,EAAA,MAAM,WAAA,GAAc,wBAAA,CAAyB,IAAA,CAAK,OAAO,CAAA;AACzD,EAAA,IAAI,WAAA,EAAa;AACf,IAAA,MAAM,SAAS,CAAA,EAAG,WAAA,CAAY,CAAC,CAAA,CAAG,aAAa,CAAA,CAAA,CAAA;AAC/C,IAAA,OAAO,iBAAA,CAAkB,GAAA,CAAI,MAAM,CAAA,GAAI,OAAA,GAAU,IAAA;AAAA,EACnD;AAGA,EAAA,OAAO,OAAA;AACT;AAMO,SAAS,iBAAiB,GAAA,EAA+C;AAC9E,EAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,EAAA,IAAI,GAAA,CAAI,MAAA,GAAS,mBAAA,EAAqB,OAAO,IAAA;AAC7C,EAAA,MAAM,KAAA,GAAQ,IAAI,IAAA,EAAK;AACvB,EAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AACnB,EAAA,MAAM,OAAA,GAAU,kBAAkB,KAAK,CAAA;AACvC,EAAA,IAAI,CAAC,SAAS,OAAO,IAAA;AAErB,EAAA,IAAI,SAAA,CAAU,IAAA,CAAK,OAAO,CAAA,EAAG;AAG3B,IAAA,IAAI,OAAA,CAAQ,MAAA,GAAS,mBAAA,EAAqB,OAAO,IAAA;AAEjD,IAAA,IAAI,qEAAA,CAAsE,IAAA,CAAK,OAAO,CAAA,EAAG;AACvF,MAAA,OAAO,OAAA;AAAA,IACT;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI,QAAQ,UAAA,CAAW,IAAI,CAAA,EAAG,OAAO,SAAS,OAAO,CAAA,CAAA;AACrD,EAAA,IAAI,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,IAAK,OAAA,CAAQ,UAAA,CAAW,IAAI,CAAA,IAAK,OAAA,CAAQ,UAAA,CAAW,KAAK,CAAA,EAAG;AACpF,IAAA,OAAO,OAAA;AAAA,EACT;AAEA,EAAA,MAAM,WAAA,GAAc,wBAAA,CAAyB,IAAA,CAAK,OAAO,CAAA;AACzD,EAAA,IAAI,WAAA,EAAa;AACf,IAAA,MAAM,SAAS,CAAA,EAAG,WAAA,CAAY,CAAC,CAAA,CAAG,aAAa,CAAA,CAAA,CAAA;AAC/C,IAAA,OAAO,kBAAA,CAAmB,GAAA,CAAI,MAAM,CAAA,GAAI,OAAA,GAAU,IAAA;AAAA,EACpD;AACA,EAAA,OAAO,OAAA;AACT;AAGA,IAAM,iBAAA,GAAoB;AAAA,EACxB,GAAA;AAAA,EACA,IAAA;AAAA,EACA,MAAA;AAAA,EACA,KAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,QAAA;AAAA,EACA,GAAA;AAAA,EACA,IAAA;AAAA,EACA,GAAA;AAAA,EACA,GAAA;AAAA,EACA,GAAA;AAAA,EACA,KAAA;AAAA,EACA,QAAA;AAAA,EACA,KAAA;AAAA,EACA,KAAA;AAAA,EACA,MAAA;AAAA,EACA,MAAA;AAAA,EACA,KAAA;AAAA,EACA,YAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,GAAA;AAAA,EACA,KAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA;AAAA,EACA;AACF,CAAA;AAEA,IAAM,kBAAA,GAAqB;AAAA,EACzB,MAAA;AAAA,EACA,OAAA;AAAA,EACA,QAAA;AAAA,EACA,KAAA;AAAA,EACA,KAAA;AAAA,EACA,OAAA;AAAA,EACA,QAAA;AAAA,EACA,SAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA,MAAA;AAAA,EACA;AACF,CAAA;AASA,IAAI,eAAA,GAAqE,IAAA;AAEzE,IAAI,YAAA,GAAkD,IAAA;AAQtD,eAAe,WAAA,GAA0D;AACvE,EAAA,IAAI,iBAAiB,OAAO,eAAA;AAC5B,EAAA,eAAA,GAAA,CAAmB,YAAY;AAC7B,IAAA,IAAI,OAAO,MAAA,KAAW,WAAA,EAAa,OAAO,IAAA;AAC1C,IAAA,MAAM,GAAA,GAAM,MAAM,OAAO,WAAW,CAAA;AACpC,IAAA,MAAM,OAAA,GAAW,IAAI,OAAA,IAAW,GAAA;AAChC,IAAA,MAAM,MAAA,GAAS,QAAQ,MAA+C,CAAA;AAEtE,IAAA,MAAA,CAAO,OAAA,CAAQ,yBAAA,EAA2B,CAAC,IAAA,KAAS;AAClD,MAAA,MAAM,EAAA,GAAK,IAAA;AACX,MAAA,IAAI,EAAA,CAAG,YAAA,IAAgB,EAAA,CAAG,YAAA,CAAa,MAAM,CAAA,EAAG;AAC9C,QAAA,MAAM,IAAA,GAAO,WAAA,CAAY,EAAA,CAAG,YAAA,CAAa,MAAM,CAAC,CAAA;AAChD,QAAA,IAAI,IAAA,EAAM,EAAA,CAAG,YAAA,CAAa,MAAA,EAAQ,IAAI,CAAA;AAAA,aACjC,EAAA,CAAG,gBAAgB,MAAM,CAAA;AAAA,MAChC;AACA,MAAA,IAAI,GAAG,OAAA,KAAY,KAAA,IAAS,EAAA,CAAG,YAAA,CAAa,KAAK,CAAA,EAAG;AAClD,QAAA,MAAM,IAAA,GAAO,gBAAA,CAAiB,EAAA,CAAG,YAAA,CAAa,KAAK,CAAC,CAAA;AACpD,QAAA,IAAI,IAAA,EAAM,EAAA,CAAG,YAAA,CAAa,KAAA,EAAO,IAAI,CAAA;AAAA,aAChC,EAAA,CAAG,gBAAgB,KAAK,CAAA;AAAA,MAC/B;AACA,MAAA,IAAI,EAAA,CAAG,YAAY,GAAA,EAAK;AACtB,QAAA,EAAA,CAAG,YAAA,CAAa,OAAO,8BAA8B,CAAA;AAAA,MACvD;AAAA,IACF,CAAC,CAAA;AACD,IAAA,MAAM,EAAA,GAAK,CAAC,IAAA,KACV,MAAA,CAAO,SAAS,IAAA,EAAM;AAAA;AAAA;AAAA,MAGpB,YAAA,EAAc,iBAAA;AAAA,MACd,YAAA,EAAc,kBAAA;AAAA,MACd,WAAA,EAAa,CAAC,QAAA,EAAU,OAAA,EAAS,UAAU,QAAA,EAAU,OAAA,EAAS,MAAA,EAAQ,KAAA,EAAO,MAAM,CAAA;AAAA,MACnF,WAAA,EAAa,CAAC,QAAQ,CAAA;AAAA,MACtB,eAAA,EAAiB,KAAA;AAAA,MACjB,uBAAA,EAAyB;AAAA,KAC1B,CAAA;AACH,IAAA,YAAA,GAAe,EAAA;AACf,IAAA,OAAO,EAAA;AAAA,EACT,CAAA,GAAG;AACH,EAAA,OAAO,eAAA;AACT;AAMA,eAAsB,gBAAA,GAAkC;AACtD,EAAA,MAAM,WAAA,EAAY;AACpB;AAUO,SAAS,eAAe,IAAA,EAAsB;AACnD,EAAA,OAAO,IAAA,CACJ,OAAA,CAAQ,4EAAA,EAA8E,EAAE,CAAA,CACxF,OAAA,CAAQ,2DAAA,EAA6D,EAAE,CAAA,CACvE,OAAA,CAAQ,4BAAA,EAA8B,EAAE,CAAA,CACxC,OAAA,CAAQ,4BAAA,EAA8B,EAAE,CAAA,CACxC,OAAA,CAAQ,4BAAA,EAA8B,EAAE,CAAA,CACxC,OAAA,CAAQ,sEAAA,EAAwE,QAAQ,CAAA,CACxF,OAAA,CAAQ,sEAAA,EAAwE,QAAQ,CAAA;AAC7F;AAOO,SAAS,iBAAiB,IAAA,EAAsB;AACrD,EAAA,OAAO,YAAA,GAAe,YAAA,CAAa,IAAI,CAAA,GAAI,eAAe,IAAI,CAAA;AAChE;AAOA,eAAsB,aAAa,IAAA,EAA+B;AAChE,EAAA,MAAM,MAAA,GAAS,MAAM,WAAA,EAAY;AACjC,EAAA,OAAO,MAAA,GAAS,MAAA,CAAO,IAAI,CAAA,GAAI,eAAe,IAAI,CAAA;AACpD","file":"chunk-5F6SPYCN.cjs","sourcesContent":["/**\n * Security primitives (§5.12). These functions are the single ingress point for\n * untrusted content: pasted/imported HTML, link and image URLs. They are\n * dependency-light and (for URLs) DOM-free so the schema can be imported in\n * Node for export/tests without pulling a DOM library.\n */\n\n/** URL schemes permitted in hyperlinks. Everything else is rejected. */\nconst SAFE_LINK_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:', 'ftp:']);\n\n/** URL schemes permitted for images. `data:` is allowed only for image MIME types. */\nconst SAFE_IMAGE_SCHEMES = new Set(['http:', 'https:', 'blob:']);\n\n/** Maximum length of an inline `data:` image URI (characters). */\nconst MAX_DATA_URI_LENGTH = 3_500_000;\n/** Maximum length of a hyperlink URL (characters). */\nconst MAX_URL_LENGTH = 16_384;\n\nconst DANGEROUS_SCHEME = /^(javascript|vbscript|data|file):/i;\n\n/**\n * Strip control characters and spaces used to obfuscate a URL scheme\n * (e.g. \"java\\tscript:\"). Implemented with char-code inspection to avoid\n * embedding control characters in source.\n */\nfunction stripControlChars(value: string): string {\n  let out = '';\n  for (let i = 0; i < value.length; i++) {\n    const code = value.charCodeAt(i);\n    // Drop C0/C1 control ranges and the space character.\n    if (code <= 0x20 || (code >= 0x7f && code <= 0x9f)) continue;\n    out += value[i];\n  }\n  return out;\n}\n\n/**\n * Validate and normalize a hyperlink URL. Returns the cleaned URL, or `null` if\n * the URL is missing or uses an unsafe scheme (e.g. `javascript:`). Relative and\n * fragment/anchor URLs are allowed (F-12.2, F-12.5).\n */\nexport function sanitizeUrl(raw: string | null | undefined): string | null {\n  if (!raw) return null;\n  if (raw.length > MAX_URL_LENGTH) return null;\n  const value = raw.trim();\n  if (!value) return null;\n\n  const cleaned = stripControlChars(value);\n  if (!cleaned) return null;\n  if (DANGEROUS_SCHEME.test(cleaned)) return null;\n\n  // Protocol-relative URLs are upgraded to https (checked before single-'/').\n  if (cleaned.startsWith('//')) return `https:${cleaned}`;\n  // Relative URLs and anchors are safe to keep.\n  if (\n    cleaned.startsWith('/') ||\n    cleaned.startsWith('#') ||\n    cleaned.startsWith('?') ||\n    cleaned.startsWith('./') ||\n    cleaned.startsWith('../')\n  ) {\n    return cleaned;\n  }\n\n  // If it has a scheme, it must be in the allow-list.\n  const schemeMatch = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);\n  if (schemeMatch) {\n    const scheme = `${schemeMatch[1]!.toLowerCase()}:`;\n    return SAFE_LINK_SCHEMES.has(scheme) ? cleaned : null;\n  }\n\n  // No scheme and not obviously relative: treat as a bare host/path.\n  return cleaned;\n}\n\n/**\n * Validate an image source. Accepts http(s)/blob URLs and `data:image/*` URIs,\n * rejecting SVG data URIs and any active-content scheme (F-12.5).\n */\nexport function sanitizeImageSrc(raw: string | null | undefined): string | null {\n  if (!raw) return null;\n  // Reject oversized input up front (before the O(n) control-char scan).\n  if (raw.length > MAX_DATA_URI_LENGTH) return null;\n  const value = raw.trim();\n  if (!value) return null;\n  const cleaned = stripControlChars(value);\n  if (!cleaned) return null;\n\n  if (/^data:/i.test(cleaned)) {\n    // Bound the size of inline data URIs to avoid memory/DoS from oversized\n    // payloads embedded in a document (~3.4 MB of base64 ≈ 2.5 MB binary).\n    if (cleaned.length > MAX_DATA_URI_LENGTH) return null;\n    // Permit only raster image data URIs; reject SVG (can carry script).\n    if (/^data:image\\/(png|jpe?g|gif|webp|bmp|x-icon|vnd\\.microsoft\\.icon);/i.test(cleaned)) {\n      return cleaned;\n    }\n    return null;\n  }\n\n  if (cleaned.startsWith('//')) return `https:${cleaned}`;\n  if (cleaned.startsWith('/') || cleaned.startsWith('./') || cleaned.startsWith('../')) {\n    return cleaned;\n  }\n\n  const schemeMatch = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);\n  if (schemeMatch) {\n    const scheme = `${schemeMatch[1]!.toLowerCase()}:`;\n    return SAFE_IMAGE_SCHEMES.has(scheme) ? cleaned : null;\n  }\n  return cleaned;\n}\n\n/** Allowed tags for pasted HTML — a conservative, document-oriented subset. */\nconst ALLOWED_HTML_TAGS = [\n  'p',\n  'br',\n  'span',\n  'div',\n  'h1',\n  'h2',\n  'h3',\n  'h4',\n  'h5',\n  'h6',\n  'strong',\n  'b',\n  'em',\n  'i',\n  'u',\n  's',\n  'del',\n  'strike',\n  'sub',\n  'sup',\n  'mark',\n  'code',\n  'pre',\n  'blockquote',\n  'ul',\n  'ol',\n  'li',\n  'a',\n  'img',\n  'table',\n  'thead',\n  'tbody',\n  'tfoot',\n  'tr',\n  'th',\n  'td',\n  'hr',\n  'caption',\n  'colgroup',\n  'col',\n];\n\nconst ALLOWED_HTML_ATTRS = [\n  'href',\n  'title',\n  'target',\n  'src',\n  'alt',\n  'width',\n  'height',\n  'colspan',\n  'rowspan',\n  'style',\n  'align',\n  'start',\n  'type',\n  'data-checked',\n];\n\n/** Minimal structural type for the DOMPurify instance we use (avoids hard dep on its types). */\ninterface DOMPurifyInstance {\n  sanitize(dirty: string, config?: Record<string, unknown>): string;\n  addHook(entryPoint: string, hook: (node: unknown) => void): void;\n}\ntype DOMPurifyFactory = (window: Window & typeof globalThis) => DOMPurifyInstance;\n\nlet purifierPromise: Promise<((html: string) => string) | null> | null = null;\n/** Resolved synchronous purify function, cached after the first async load. */\nlet cachedPurify: ((html: string) => string) | null = null;\n\n/**\n * Lazily build a DOMPurify-backed HTML sanitizer. Returns a function that cleans\n * HTML, or `null` if no DOM is available (in which case callers fall back to\n * ProseMirror's own DOM parsing of the already-browser-provided fragment). This\n * is lazy so importing the schema in Node never loads a DOM library.\n */\nasync function getPurifier(): Promise<((html: string) => string) | null> {\n  if (purifierPromise) return purifierPromise;\n  purifierPromise = (async () => {\n    if (typeof window === 'undefined') return null;\n    const mod = await import('dompurify');\n    const factory = (mod.default ?? mod) as unknown as DOMPurifyFactory;\n    const purify = factory(window as unknown as Window & typeof globalThis);\n    // Force-strip event handlers and dangerous protocols defensively.\n    purify.addHook('afterSanitizeAttributes', (node) => {\n      const el = node as Element;\n      if (el.hasAttribute && el.hasAttribute('href')) {\n        const safe = sanitizeUrl(el.getAttribute('href'));\n        if (safe) el.setAttribute('href', safe);\n        else el.removeAttribute('href');\n      }\n      if (el.tagName === 'IMG' && el.hasAttribute('src')) {\n        const safe = sanitizeImageSrc(el.getAttribute('src'));\n        if (safe) el.setAttribute('src', safe);\n        else el.removeAttribute('src');\n      }\n      if (el.tagName === 'A') {\n        el.setAttribute('rel', 'noopener noreferrer nofollow');\n      }\n    });\n    const fn = (html: string) =>\n      purify.sanitize(html, {\n        // An explicit allow-list (do not combine with USE_PROFILES, which would\n        // widen the tag set and conflict with ALLOWED_TAGS).\n        ALLOWED_TAGS: ALLOWED_HTML_TAGS,\n        ALLOWED_ATTR: ALLOWED_HTML_ATTRS,\n        FORBID_TAGS: ['script', 'style', 'iframe', 'object', 'embed', 'form', 'svg', 'math'],\n        FORBID_ATTR: ['srcset'],\n        ALLOW_DATA_ATTR: false,\n        ALLOW_UNKNOWN_PROTOCOLS: false,\n      });\n    cachedPurify = fn;\n    return fn;\n  })();\n  return purifierPromise;\n}\n\n/**\n * Preload the DOM sanitizer so a later synchronous paste can be cleaned without\n * waiting. Safe to call in the browser on editor mount. No-op in Node.\n */\nexport async function preloadSanitizer(): Promise<void> {\n  await getPurifier();\n}\n\n/**\n * Last-resort, regex-based HTML scrub used when DOMPurify is not (yet) available\n * (e.g. the first paste before the async load completes, or a non-DOM runtime).\n * It removes script/style/active-content blocks, inline event handlers, and\n * dangerous URL schemes. This is defense-in-depth only: ProseMirror parses paste\n * input in an inert document and the schema whitelists nodes, so content never\n * executes regardless.\n */\nexport function basicScrubHtml(html: string): string {\n  return html\n    .replace(/<\\s*(script|style|iframe|object|embed|svg|math)\\b[\\s\\S]*?<\\s*\\/\\s*\\1\\s*>/gi, '')\n    .replace(/<\\s*(script|style|iframe|object|embed|svg|math)\\b[^>]*>/gi, '')\n    .replace(/\\son[a-z]+\\s*=\\s*\"[^\"]*\"/gi, '')\n    .replace(/\\son[a-z]+\\s*=\\s*'[^']*'/gi, '')\n    .replace(/\\son[a-z]+\\s*=\\s*[^\\s>]+/gi, '')\n    .replace(/(href|src)\\s*=\\s*\"\\s*(?:javascript|vbscript|data:text\\/html)[^\"]*\"/gi, '$1=\"#\"')\n    .replace(/(href|src)\\s*=\\s*'\\s*(?:javascript|vbscript|data:text\\/html)[^']*'/gi, \"$1='#'\");\n}\n\n/**\n * Sanitize an HTML string synchronously, best-effort: uses the cached DOM\n * sanitizer if it has been loaded, otherwise applies {@link basicScrubHtml} as a\n * fallback. Use for the paste transform (which must be synchronous).\n */\nexport function sanitizeHtmlSync(html: string): string {\n  return cachedPurify ? cachedPurify(html) : basicScrubHtml(html);\n}\n\n/**\n * Sanitize an HTML string for safe parsing into the editor. No script, inline\n * event handlers, or active content survives (F-12.1, F-12.2). When no DOM\n * sanitizer is available a regex scrub is applied as a fallback.\n */\nexport async function sanitizeHtml(html: string): Promise<string> {\n  const purify = await getPurifier();\n  return purify ? purify(html) : basicScrubHtml(html);\n}\n"]}

package/dist/chunk-6NTSXJX4.js

@@ -0,0 +1,174 @@
+// src/security/sanitize.ts
+var SAFE_LINK_SCHEMES = /* @__PURE__ */ new Set(["http:", "https:", "mailto:", "tel:", "ftp:"]);
+var SAFE_IMAGE_SCHEMES = /* @__PURE__ */ new Set(["http:", "https:", "blob:"]);
+var MAX_DATA_URI_LENGTH = 35e5;
+var MAX_URL_LENGTH = 16384;
+var DANGEROUS_SCHEME = /^(javascript|vbscript|data|file):/i;
+function stripControlChars(value) {
+  let out = "";
+  for (let i = 0; i < value.length; i++) {
+    const code = value.charCodeAt(i);
+    if (code <= 32 || code >= 127 && code <= 159) continue;
+    out += value[i];
+  }
+  return out;
+}
+function sanitizeUrl(raw) {
+  if (!raw) return null;
+  if (raw.length > MAX_URL_LENGTH) return null;
+  const value = raw.trim();
+  if (!value) return null;
+  const cleaned = stripControlChars(value);
+  if (!cleaned) return null;
+  if (DANGEROUS_SCHEME.test(cleaned)) return null;
+  if (cleaned.startsWith("//")) return `https:${cleaned}`;
+  if (cleaned.startsWith("/") || cleaned.startsWith("#") || cleaned.startsWith("?") || cleaned.startsWith("./") || cleaned.startsWith("../")) {
+    return cleaned;
+  }
+  const schemeMatch = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
+  if (schemeMatch) {
+    const scheme = `${schemeMatch[1].toLowerCase()}:`;
+    return SAFE_LINK_SCHEMES.has(scheme) ? cleaned : null;
+  }
+  return cleaned;
+}
+function sanitizeImageSrc(raw) {
+  if (!raw) return null;
+  if (raw.length > MAX_DATA_URI_LENGTH) return null;
+  const value = raw.trim();
+  if (!value) return null;
+  const cleaned = stripControlChars(value);
+  if (!cleaned) return null;
+  if (/^data:/i.test(cleaned)) {
+    if (cleaned.length > MAX_DATA_URI_LENGTH) return null;
+    if (/^data:image\/(png|jpe?g|gif|webp|bmp|x-icon|vnd\.microsoft\.icon);/i.test(cleaned)) {
+      return cleaned;
+    }
+    return null;
+  }
+  if (cleaned.startsWith("//")) return `https:${cleaned}`;
+  if (cleaned.startsWith("/") || cleaned.startsWith("./") || cleaned.startsWith("../")) {
+    return cleaned;
+  }
+  const schemeMatch = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
+  if (schemeMatch) {
+    const scheme = `${schemeMatch[1].toLowerCase()}:`;
+    return SAFE_IMAGE_SCHEMES.has(scheme) ? cleaned : null;
+  }
+  return cleaned;
+}
+var ALLOWED_HTML_TAGS = [
+  "p",
+  "br",
+  "span",
+  "div",
+  "h1",
+  "h2",
+  "h3",
+  "h4",
+  "h5",
+  "h6",
+  "strong",
+  "b",
+  "em",
+  "i",
+  "u",
+  "s",
+  "del",
+  "strike",
+  "sub",
+  "sup",
+  "mark",
+  "code",
+  "pre",
+  "blockquote",
+  "ul",
+  "ol",
+  "li",
+  "a",
+  "img",
+  "table",
+  "thead",
+  "tbody",
+  "tfoot",
+  "tr",
+  "th",
+  "td",
+  "hr",
+  "caption",
+  "colgroup",
+  "col"
+];
+var ALLOWED_HTML_ATTRS = [
+  "href",
+  "title",
+  "target",
+  "src",
+  "alt",
+  "width",
+  "height",
+  "colspan",
+  "rowspan",
+  "style",
+  "align",
+  "start",
+  "type",
+  "data-checked"
+];
+var purifierPromise = null;
+var cachedPurify = null;
+async function getPurifier() {
+  if (purifierPromise) return purifierPromise;
+  purifierPromise = (async () => {
+    if (typeof window === "undefined") return null;
+    const mod = await import('dompurify');
+    const factory = mod.default ?? mod;
+    const purify = factory(window);
+    purify.addHook("afterSanitizeAttributes", (node) => {
+      const el = node;
+      if (el.hasAttribute && el.hasAttribute("href")) {
+        const safe = sanitizeUrl(el.getAttribute("href"));
+        if (safe) el.setAttribute("href", safe);
+        else el.removeAttribute("href");
+      }
+      if (el.tagName === "IMG" && el.hasAttribute("src")) {
+        const safe = sanitizeImageSrc(el.getAttribute("src"));
+        if (safe) el.setAttribute("src", safe);
+        else el.removeAttribute("src");
+      }
+      if (el.tagName === "A") {
+        el.setAttribute("rel", "noopener noreferrer nofollow");
+      }
+    });
+    const fn = (html) => purify.sanitize(html, {
+      // An explicit allow-list (do not combine with USE_PROFILES, which would
+      // widen the tag set and conflict with ALLOWED_TAGS).
+      ALLOWED_TAGS: ALLOWED_HTML_TAGS,
+      ALLOWED_ATTR: ALLOWED_HTML_ATTRS,
+      FORBID_TAGS: ["script", "style", "iframe", "object", "embed", "form", "svg", "math"],
+      FORBID_ATTR: ["srcset"],
+      ALLOW_DATA_ATTR: false,
+      ALLOW_UNKNOWN_PROTOCOLS: false
+    });
+    cachedPurify = fn;
+    return fn;
+  })();
+  return purifierPromise;
+}
+async function preloadSanitizer() {
+  await getPurifier();
+}
+function basicScrubHtml(html) {
+  return html.replace(/<\s*(script|style|iframe|object|embed|svg|math)\b[\s\S]*?<\s*\/\s*\1\s*>/gi, "").replace(/<\s*(script|style|iframe|object|embed|svg|math)\b[^>]*>/gi, "").replace(/\son[a-z]+\s*=\s*"[^"]*"/gi, "").replace(/\son[a-z]+\s*=\s*'[^']*'/gi, "").replace(/\son[a-z]+\s*=\s*[^\s>]+/gi, "").replace(/(href|src)\s*=\s*"\s*(?:javascript|vbscript|data:text\/html)[^"]*"/gi, '$1="#"').replace(/(href|src)\s*=\s*'\s*(?:javascript|vbscript|data:text\/html)[^']*'/gi, "$1='#'");
+}
+function sanitizeHtmlSync(html) {
+  return cachedPurify ? cachedPurify(html) : basicScrubHtml(html);
+}
+async function sanitizeHtml(html) {
+  const purify = await getPurifier();
+  return purify ? purify(html) : basicScrubHtml(html);
+}
+
+export { preloadSanitizer, sanitizeHtml, sanitizeHtmlSync, sanitizeImageSrc, sanitizeUrl };
+//# sourceMappingURL=chunk-6NTSXJX4.js.map
+//# sourceMappingURL=chunk-6NTSXJX4.js.map

package/dist/chunk-6NTSXJX4.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/security/sanitize.ts"],"names":[],"mappings":";AAQA,IAAM,iBAAA,uBAAwB,GAAA,CAAI,CAAC,SAAS,QAAA,EAAU,SAAA,EAAW,MAAA,EAAQ,MAAM,CAAC,CAAA;AAGhF,IAAM,qCAAqB,IAAI,GAAA,CAAI,CAAC,OAAA,EAAS,QAAA,EAAU,OAAO,CAAC,CAAA;AAG/D,IAAM,mBAAA,GAAsB,IAAA;AAE5B,IAAM,cAAA,GAAiB,KAAA;AAEvB,IAAM,gBAAA,GAAmB,oCAAA;AAOzB,SAAS,kBAAkB,KAAA,EAAuB;AAChD,EAAA,IAAI,GAAA,GAAM,EAAA;AACV,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACrC,IAAA,MAAM,IAAA,GAAO,KAAA,CAAM,UAAA,CAAW,CAAC,CAAA;AAE/B,IAAA,IAAI,IAAA,IAAQ,EAAA,IAAS,IAAA,IAAQ,GAAA,IAAQ,QAAQ,GAAA,EAAO;AACpD,IAAA,GAAA,IAAO,MAAM,CAAC,CAAA;AAAA,EAChB;AACA,EAAA,OAAO,GAAA;AACT;AAOO,SAAS,YAAY,GAAA,EAA+C;AACzE,EAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AACjB,EAAA,IAAI,GAAA,CAAI,MAAA,GAAS,cAAA,EAAgB,OAAO,IAAA;AACxC,EAAA,MAAM,KAAA,GAAQ,IAAI,IAAA,EAAK;AACvB,EAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AAEnB,EAAA,MAAM,OAAA,GAAU,kBAAkB,KAAK,CAAA;AACvC,EAAA,IAAI,CAAC,SAAS,OAAO,IAAA;AACrB,EAAA,IAAI,gBAAA,CAAiB,IAAA,CAAK,OAAO,CAAA,EAAG,OAAO,IAAA;AAG3C,EAAA,IAAI,QAAQ,UAAA,CAAW,IAAI,CAAA,EAAG,OAAO,SAAS,OAAO,CAAA,CAAA;AAErD,EAAA,IACE,QAAQ,UAAA,CAAW,GAAG,KACtB,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,IACtB,OAAA,CAAQ,WAAW,GAAG,CAAA,IACtB,QAAQ,UAAA,CAAW,IAAI,KACvB,OAAA,CAAQ,UAAA,CAAW,KAAK,CAAA,EACxB;AACA,IAAA,OAAO,OAAA;AAAA,EACT;AAGA,EAAA,MAAM,WAAA,GAAc,wBAAA,CAAyB,IAAA,CAAK,OAAO,CAAA;AACzD,EAAA,IAAI,WAAA,EAAa;AACf,IAAA,MAAM,SAAS,CAAA,EAAG,WAAA,CAAY,CAAC,CAAA,CAAG,aAAa,CAAA,CAAA,CAAA;AAC/C,IAAA,OAAO,iBAAA,CAAkB,GAAA,CAAI,MAAM,CAAA,GAAI,OAAA,GAAU,IAAA;AAAA,EACnD;AAGA,EAAA,OAAO,OAAA;AACT;AAMO,SAAS,iBAAiB,GAAA,EAA+C;AAC9E,EAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,EAAA,IAAI,GAAA,CAAI,MAAA,GAAS,mBAAA,EAAqB,OAAO,IAAA;AAC7C,EAAA,MAAM,KAAA,GAAQ,IAAI,IAAA,EAAK;AACvB,EAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AACnB,EAAA,MAAM,OAAA,GAAU,kBAAkB,KAAK,CAAA;AACvC,EAAA,IAAI,CAAC,SAAS,OAAO,IAAA;AAErB,EAAA,IAAI,SAAA,CAAU,IAAA,CAAK,OAAO,CAAA,EAAG;AAG3B,IAAA,IAAI,OAAA,CAAQ,MAAA,GAAS,mBAAA,EAAqB,OAAO,IAAA;AAEjD,IAAA,IAAI,qEAAA,CAAsE,IAAA,CAAK,OAAO,CAAA,EAAG;AACvF,MAAA,OAAO,OAAA;AAAA,IACT;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI,QAAQ,UAAA,CAAW,IAAI,CAAA,EAAG,OAAO,SAAS,OAAO,CAAA,CAAA;AACrD,EAAA,IAAI,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,IAAK,OAAA,CAAQ,UAAA,CAAW,IAAI,CAAA,IAAK,OAAA,CAAQ,UAAA,CAAW,KAAK,CAAA,EAAG;AACpF,IAAA,OAAO,OAAA;AAAA,EACT;AAEA,EAAA,MAAM,WAAA,GAAc,wBAAA,CAAyB,IAAA,CAAK,OAAO,CAAA;AACzD,EAAA,IAAI,WAAA,EAAa;AACf,IAAA,MAAM,SAAS,CAAA,EAAG,WAAA,CAAY,CAAC,CAAA,CAAG,aAAa,CAAA,CAAA,CAAA;AAC/C,IAAA,OAAO,kBAAA,CAAmB,GAAA,CAAI,MAAM,CAAA,GAAI,OAAA,GAAU,IAAA;AAAA,EACpD;AACA,EAAA,OAAO,OAAA;AACT;AAGA,IAAM,iBAAA,GAAoB;AAAA,EACxB,GAAA;AAAA,EACA,IAAA;AAAA,EACA,MAAA;AAAA,EACA,KAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,QAAA;AAAA,EACA,GAAA;AAAA,EACA,IAAA;AAAA,EACA,GAAA;AAAA,EACA,GAAA;AAAA,EACA,GAAA;AAAA,EACA,KAAA;AAAA,EACA,QAAA;AAAA,EACA,KAAA;AAAA,EACA,KAAA;AAAA,EACA,MAAA;AAAA,EACA,MAAA;AAAA,EACA,KAAA;AAAA,EACA,YAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,GAAA;AAAA,EACA,KAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,IAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA;AAAA,EACA;AACF,CAAA;AAEA,IAAM,kBAAA,GAAqB;AAAA,EACzB,MAAA;AAAA,EACA,OAAA;AAAA,EACA,QAAA;AAAA,EACA,KAAA;AAAA,EACA,KAAA;AAAA,EACA,OAAA;AAAA,EACA,QAAA;AAAA,EACA,SAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA,MAAA;AAAA,EACA;AACF,CAAA;AASA,IAAI,eAAA,GAAqE,IAAA;AAEzE,IAAI,YAAA,GAAkD,IAAA;AAQtD,eAAe,WAAA,GAA0D;AACvE,EAAA,IAAI,iBAAiB,OAAO,eAAA;AAC5B,EAAA,eAAA,GAAA,CAAmB,YAAY;AAC7B,IAAA,IAAI,OAAO,MAAA,KAAW,WAAA,EAAa,OAAO,IAAA;AAC1C,IAAA,MAAM,GAAA,GAAM,MAAM,OAAO,WAAW,CAAA;AACpC,IAAA,MAAM,OAAA,GAAW,IAAI,OAAA,IAAW,GAAA;AAChC,IAAA,MAAM,MAAA,GAAS,QAAQ,MAA+C,CAAA;AAEtE,IAAA,MAAA,CAAO,OAAA,CAAQ,yBAAA,EAA2B,CAAC,IAAA,KAAS;AAClD,MAAA,MAAM,EAAA,GAAK,IAAA;AACX,MAAA,IAAI,EAAA,CAAG,YAAA,IAAgB,EAAA,CAAG,YAAA,CAAa,MAAM,CAAA,EAAG;AAC9C,QAAA,MAAM,IAAA,GAAO,WAAA,CAAY,EAAA,CAAG,YAAA,CAAa,MAAM,CAAC,CAAA;AAChD,QAAA,IAAI,IAAA,EAAM,EAAA,CAAG,YAAA,CAAa,MAAA,EAAQ,IAAI,CAAA;AAAA,aACjC,EAAA,CAAG,gBAAgB,MAAM,CAAA;AAAA,MAChC;AACA,MAAA,IAAI,GAAG,OAAA,KAAY,KAAA,IAAS,EAAA,CAAG,YAAA,CAAa,KAAK,CAAA,EAAG;AAClD,QAAA,MAAM,IAAA,GAAO,gBAAA,CAAiB,EAAA,CAAG,YAAA,CAAa,KAAK,CAAC,CAAA;AACpD,QAAA,IAAI,IAAA,EAAM,EAAA,CAAG,YAAA,CAAa,KAAA,EAAO,IAAI,CAAA;AAAA,aAChC,EAAA,CAAG,gBAAgB,KAAK,CAAA;AAAA,MAC/B;AACA,MAAA,IAAI,EAAA,CAAG,YAAY,GAAA,EAAK;AACtB,QAAA,EAAA,CAAG,YAAA,CAAa,OAAO,8BAA8B,CAAA;AAAA,MACvD;AAAA,IACF,CAAC,CAAA;AACD,IAAA,MAAM,EAAA,GAAK,CAAC,IAAA,KACV,MAAA,CAAO,SAAS,IAAA,EAAM;AAAA;AAAA;AAAA,MAGpB,YAAA,EAAc,iBAAA;AAAA,MACd,YAAA,EAAc,kBAAA;AAAA,MACd,WAAA,EAAa,CAAC,QAAA,EAAU,OAAA,EAAS,UAAU,QAAA,EAAU,OAAA,EAAS,MAAA,EAAQ,KAAA,EAAO,MAAM,CAAA;AAAA,MACnF,WAAA,EAAa,CAAC,QAAQ,CAAA;AAAA,MACtB,eAAA,EAAiB,KAAA;AAAA,MACjB,uBAAA,EAAyB;AAAA,KAC1B,CAAA;AACH,IAAA,YAAA,GAAe,EAAA;AACf,IAAA,OAAO,EAAA;AAAA,EACT,CAAA,GAAG;AACH,EAAA,OAAO,eAAA;AACT;AAMA,eAAsB,gBAAA,GAAkC;AACtD,EAAA,MAAM,WAAA,EAAY;AACpB;AAUO,SAAS,eAAe,IAAA,EAAsB;AACnD,EAAA,OAAO,IAAA,CACJ,OAAA,CAAQ,4EAAA,EAA8E,EAAE,CAAA,CACxF,OAAA,CAAQ,2DAAA,EAA6D,EAAE,CAAA,CACvE,OAAA,CAAQ,4BAAA,EAA8B,EAAE,CAAA,CACxC,OAAA,CAAQ,4BAAA,EAA8B,EAAE,CAAA,CACxC,OAAA,CAAQ,4BAAA,EAA8B,EAAE,CAAA,CACxC,OAAA,CAAQ,sEAAA,EAAwE,QAAQ,CAAA,CACxF,OAAA,CAAQ,sEAAA,EAAwE,QAAQ,CAAA;AAC7F;AAOO,SAAS,iBAAiB,IAAA,EAAsB;AACrD,EAAA,OAAO,YAAA,GAAe,YAAA,CAAa,IAAI,CAAA,GAAI,eAAe,IAAI,CAAA;AAChE;AAOA,eAAsB,aAAa,IAAA,EAA+B;AAChE,EAAA,MAAM,MAAA,GAAS,MAAM,WAAA,EAAY;AACjC,EAAA,OAAO,MAAA,GAAS,MAAA,CAAO,IAAI,CAAA,GAAI,eAAe,IAAI,CAAA;AACpD","file":"chunk-6NTSXJX4.js","sourcesContent":["/**\n * Security primitives (§5.12). These functions are the single ingress point for\n * untrusted content: pasted/imported HTML, link and image URLs. They are\n * dependency-light and (for URLs) DOM-free so the schema can be imported in\n * Node for export/tests without pulling a DOM library.\n */\n\n/** URL schemes permitted in hyperlinks. Everything else is rejected. */\nconst SAFE_LINK_SCHEMES = new Set(['http:', 'https:', 'mailto:', 'tel:', 'ftp:']);\n\n/** URL schemes permitted for images. `data:` is allowed only for image MIME types. */\nconst SAFE_IMAGE_SCHEMES = new Set(['http:', 'https:', 'blob:']);\n\n/** Maximum length of an inline `data:` image URI (characters). */\nconst MAX_DATA_URI_LENGTH = 3_500_000;\n/** Maximum length of a hyperlink URL (characters). */\nconst MAX_URL_LENGTH = 16_384;\n\nconst DANGEROUS_SCHEME = /^(javascript|vbscript|data|file):/i;\n\n/**\n * Strip control characters and spaces used to obfuscate a URL scheme\n * (e.g. \"java\\tscript:\"). Implemented with char-code inspection to avoid\n * embedding control characters in source.\n */\nfunction stripControlChars(value: string): string {\n  let out = '';\n  for (let i = 0; i < value.length; i++) {\n    const code = value.charCodeAt(i);\n    // Drop C0/C1 control ranges and the space character.\n    if (code <= 0x20 || (code >= 0x7f && code <= 0x9f)) continue;\n    out += value[i];\n  }\n  return out;\n}\n\n/**\n * Validate and normalize a hyperlink URL. Returns the cleaned URL, or `null` if\n * the URL is missing or uses an unsafe scheme (e.g. `javascript:`). Relative and\n * fragment/anchor URLs are allowed (F-12.2, F-12.5).\n */\nexport function sanitizeUrl(raw: string | null | undefined): string | null {\n  if (!raw) return null;\n  if (raw.length > MAX_URL_LENGTH) return null;\n  const value = raw.trim();\n  if (!value) return null;\n\n  const cleaned = stripControlChars(value);\n  if (!cleaned) return null;\n  if (DANGEROUS_SCHEME.test(cleaned)) return null;\n\n  // Protocol-relative URLs are upgraded to https (checked before single-'/').\n  if (cleaned.startsWith('//')) return `https:${cleaned}`;\n  // Relative URLs and anchors are safe to keep.\n  if (\n    cleaned.startsWith('/') ||\n    cleaned.startsWith('#') ||\n    cleaned.startsWith('?') ||\n    cleaned.startsWith('./') ||\n    cleaned.startsWith('../')\n  ) {\n    return cleaned;\n  }\n\n  // If it has a scheme, it must be in the allow-list.\n  const schemeMatch = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);\n  if (schemeMatch) {\n    const scheme = `${schemeMatch[1]!.toLowerCase()}:`;\n    return SAFE_LINK_SCHEMES.has(scheme) ? cleaned : null;\n  }\n\n  // No scheme and not obviously relative: treat as a bare host/path.\n  return cleaned;\n}\n\n/**\n * Validate an image source. Accepts http(s)/blob URLs and `data:image/*` URIs,\n * rejecting SVG data URIs and any active-content scheme (F-12.5).\n */\nexport function sanitizeImageSrc(raw: string | null | undefined): string | null {\n  if (!raw) return null;\n  // Reject oversized input up front (before the O(n) control-char scan).\n  if (raw.length > MAX_DATA_URI_LENGTH) return null;\n  const value = raw.trim();\n  if (!value) return null;\n  const cleaned = stripControlChars(value);\n  if (!cleaned) return null;\n\n  if (/^data:/i.test(cleaned)) {\n    // Bound the size of inline data URIs to avoid memory/DoS from oversized\n    // payloads embedded in a document (~3.4 MB of base64 ≈ 2.5 MB binary).\n    if (cleaned.length > MAX_DATA_URI_LENGTH) return null;\n    // Permit only raster image data URIs; reject SVG (can carry script).\n    if (/^data:image\\/(png|jpe?g|gif|webp|bmp|x-icon|vnd\\.microsoft\\.icon);/i.test(cleaned)) {\n      return cleaned;\n    }\n    return null;\n  }\n\n  if (cleaned.startsWith('//')) return `https:${cleaned}`;\n  if (cleaned.startsWith('/') || cleaned.startsWith('./') || cleaned.startsWith('../')) {\n    return cleaned;\n  }\n\n  const schemeMatch = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);\n  if (schemeMatch) {\n    const scheme = `${schemeMatch[1]!.toLowerCase()}:`;\n    return SAFE_IMAGE_SCHEMES.has(scheme) ? cleaned : null;\n  }\n  return cleaned;\n}\n\n/** Allowed tags for pasted HTML — a conservative, document-oriented subset. */\nconst ALLOWED_HTML_TAGS = [\n  'p',\n  'br',\n  'span',\n  'div',\n  'h1',\n  'h2',\n  'h3',\n  'h4',\n  'h5',\n  'h6',\n  'strong',\n  'b',\n  'em',\n  'i',\n  'u',\n  's',\n  'del',\n  'strike',\n  'sub',\n  'sup',\n  'mark',\n  'code',\n  'pre',\n  'blockquote',\n  'ul',\n  'ol',\n  'li',\n  'a',\n  'img',\n  'table',\n  'thead',\n  'tbody',\n  'tfoot',\n  'tr',\n  'th',\n  'td',\n  'hr',\n  'caption',\n  'colgroup',\n  'col',\n];\n\nconst ALLOWED_HTML_ATTRS = [\n  'href',\n  'title',\n  'target',\n  'src',\n  'alt',\n  'width',\n  'height',\n  'colspan',\n  'rowspan',\n  'style',\n  'align',\n  'start',\n  'type',\n  'data-checked',\n];\n\n/** Minimal structural type for the DOMPurify instance we use (avoids hard dep on its types). */\ninterface DOMPurifyInstance {\n  sanitize(dirty: string, config?: Record<string, unknown>): string;\n  addHook(entryPoint: string, hook: (node: unknown) => void): void;\n}\ntype DOMPurifyFactory = (window: Window & typeof globalThis) => DOMPurifyInstance;\n\nlet purifierPromise: Promise<((html: string) => string) | null> | null = null;\n/** Resolved synchronous purify function, cached after the first async load. */\nlet cachedPurify: ((html: string) => string) | null = null;\n\n/**\n * Lazily build a DOMPurify-backed HTML sanitizer. Returns a function that cleans\n * HTML, or `null` if no DOM is available (in which case callers fall back to\n * ProseMirror's own DOM parsing of the already-browser-provided fragment). This\n * is lazy so importing the schema in Node never loads a DOM library.\n */\nasync function getPurifier(): Promise<((html: string) => string) | null> {\n  if (purifierPromise) return purifierPromise;\n  purifierPromise = (async () => {\n    if (typeof window === 'undefined') return null;\n    const mod = await import('dompurify');\n    const factory = (mod.default ?? mod) as unknown as DOMPurifyFactory;\n    const purify = factory(window as unknown as Window & typeof globalThis);\n    // Force-strip event handlers and dangerous protocols defensively.\n    purify.addHook('afterSanitizeAttributes', (node) => {\n      const el = node as Element;\n      if (el.hasAttribute && el.hasAttribute('href')) {\n        const safe = sanitizeUrl(el.getAttribute('href'));\n        if (safe) el.setAttribute('href', safe);\n        else el.removeAttribute('href');\n      }\n      if (el.tagName === 'IMG' && el.hasAttribute('src')) {\n        const safe = sanitizeImageSrc(el.getAttribute('src'));\n        if (safe) el.setAttribute('src', safe);\n        else el.removeAttribute('src');\n      }\n      if (el.tagName === 'A') {\n        el.setAttribute('rel', 'noopener noreferrer nofollow');\n      }\n    });\n    const fn = (html: string) =>\n      purify.sanitize(html, {\n        // An explicit allow-list (do not combine with USE_PROFILES, which would\n        // widen the tag set and conflict with ALLOWED_TAGS).\n        ALLOWED_TAGS: ALLOWED_HTML_TAGS,\n        ALLOWED_ATTR: ALLOWED_HTML_ATTRS,\n        FORBID_TAGS: ['script', 'style', 'iframe', 'object', 'embed', 'form', 'svg', 'math'],\n        FORBID_ATTR: ['srcset'],\n        ALLOW_DATA_ATTR: false,\n        ALLOW_UNKNOWN_PROTOCOLS: false,\n      });\n    cachedPurify = fn;\n    return fn;\n  })();\n  return purifierPromise;\n}\n\n/**\n * Preload the DOM sanitizer so a later synchronous paste can be cleaned without\n * waiting. Safe to call in the browser on editor mount. No-op in Node.\n */\nexport async function preloadSanitizer(): Promise<void> {\n  await getPurifier();\n}\n\n/**\n * Last-resort, regex-based HTML scrub used when DOMPurify is not (yet) available\n * (e.g. the first paste before the async load completes, or a non-DOM runtime).\n * It removes script/style/active-content blocks, inline event handlers, and\n * dangerous URL schemes. This is defense-in-depth only: ProseMirror parses paste\n * input in an inert document and the schema whitelists nodes, so content never\n * executes regardless.\n */\nexport function basicScrubHtml(html: string): string {\n  return html\n    .replace(/<\\s*(script|style|iframe|object|embed|svg|math)\\b[\\s\\S]*?<\\s*\\/\\s*\\1\\s*>/gi, '')\n    .replace(/<\\s*(script|style|iframe|object|embed|svg|math)\\b[^>]*>/gi, '')\n    .replace(/\\son[a-z]+\\s*=\\s*\"[^\"]*\"/gi, '')\n    .replace(/\\son[a-z]+\\s*=\\s*'[^']*'/gi, '')\n    .replace(/\\son[a-z]+\\s*=\\s*[^\\s>]+/gi, '')\n    .replace(/(href|src)\\s*=\\s*\"\\s*(?:javascript|vbscript|data:text\\/html)[^\"]*\"/gi, '$1=\"#\"')\n    .replace(/(href|src)\\s*=\\s*'\\s*(?:javascript|vbscript|data:text\\/html)[^']*'/gi, \"$1='#'\");\n}\n\n/**\n * Sanitize an HTML string synchronously, best-effort: uses the cached DOM\n * sanitizer if it has been loaded, otherwise applies {@link basicScrubHtml} as a\n * fallback. Use for the paste transform (which must be synchronous).\n */\nexport function sanitizeHtmlSync(html: string): string {\n  return cachedPurify ? cachedPurify(html) : basicScrubHtml(html);\n}\n\n/**\n * Sanitize an HTML string for safe parsing into the editor. No script, inline\n * event handlers, or active content survives (F-12.1, F-12.2). When no DOM\n * sanitizer is available a regex scrub is applied as a fallback.\n */\nexport async function sanitizeHtml(html: string): Promise<string> {\n  const purify = await getPurifier();\n  return purify ? purify(html) : basicScrubHtml(html);\n}\n"]}