rewritable 0.8.0 → 0.8.1

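--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "rewritable",
- "version": "0.8.0",
+ "version": "0.8.1",
  "description": "CLI for re-writeable: emit and import single-file rwa documents.",
  "type": "module",
  "bin": {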
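--- a/[PATH NOT ON PAGE]
+++ b/[PATH NOT ON PAGE]
@@ -1329,9 +1329,21 @@ function workspacePeerKnown(peer, known) {
  return !!(peer && ((peer.uuid && known.has('uuid:' + peer.uuid)) || (peer.file && known.has('file:' + peer.file))));
  }
 
+ function safeWorkspaceHref(url) {
+ // peer.url arrives over the public presence bus from another page in the origin,
+ // so it is untrusted. escRuntimeHtml blocks attribute breakout but NOT a
+ // `javascript:`/`data:` scheme, which would execute on click. Resolve and accept
+ // only navigable web/file schemes; fall back to '#' for anything else or unparsable.
+ try {
+ const u = new URL(url, location.href);
+ if (u.protocol === 'http:' || u.protocol === 'https:' || u.protocol === 'file:') return u.href;
+ } catch (_) {}
+ return '#';
+ }
+
  function workspacePresenceCard(peer, known) {
  const isKnown = workspacePeerKnown(peer, known);
- const href = peer.url || '#';
+ const href = safeWorkspaceHref(peer.url);
  const aff = peer.affordances && peer.affordances.length ? peer.affordances.map(a => a.kind).join(', ') : 'baseline';
  return '<a class="rwa-ws-card rwa-ws-live-card" href="' + escRuntimeHtml(href) + '">' +
  '<span class="rwa-ws-kind">' + escRuntimeHtml(peer.kind || 'document') + '</span>' +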
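Review bot: safeWorkspaceHref regresses the missing-URL case that the removed `peer.url || '#'` covered: `new URL(undefined, location.href)` does not throw, it resolves the string "undefined" relative to the current page, so a peer with no url (or null, or '') now gets a real http(s) href to a `.../undefined` path instead of '#'. Add a guard as the first line of the function, `if (typeof url !== 'string' || url === '') return '#';`, so only non-empty strings reach the parser. The scheme allowlist after resolution is the right shape, since relative and protocol-relative inputs inherit the page's scheme and an absolute `javascript:` or `data:` value keeps its own and is rejected; a one-line comment noting that `file:` only resolves when the page itself is served from file: would make the allowlist's intent clearer to the next reader. safeWorkspaceHref ends inside the hunk; workspacePresenceCard continues past it.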