securemark 0.222.0 → 0.225.0

package/src/parser/inline/link.test.ts

@@ -1,10 +1,11 @@
 import { link } from './link';
 import { some } from '../../combinator';
 import { inspect } from '../../debug.test';
+import { MarkdownParser } from '../../../markdown';
 
 describe('Unit: parser/inline/link', () => {
   describe('link', () => {
-    const parser = (source: string) => some(link)(source, {});
+    const parser = (source: string, context: MarkdownParser.Context = {}) => some(link)(source, context);
 
     it('xss', () => {
       assert.deepStrictEqual(inspect(parser('[]{javascript:alert}')), [['<a class="invalid">javascript:alert</a>'], '']);
@@ -50,33 +51,40 @@ describe('Unit: parser/inline/link', () => {
       assert.deepStrictEqual(inspect(parser('[]{  }')), undefined);
       assert.deepStrictEqual(inspect(parser('[]{   }')), undefined);
       assert.deepStrictEqual(inspect(parser('[]{{}')), undefined);
-      assert.deepStrictEqual(inspect(parser('[]{{a}}')), undefined);
-      assert.deepStrictEqual(inspect(parser('[]{a\nb}')), undefined);
-      assert.deepStrictEqual(inspect(parser('[]{a\\\nb}')), undefined);
-      assert.deepStrictEqual(inspect(parser('[]{ a}')), undefined);
-      assert.deepStrictEqual(inspect(parser('[]{ a\n}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[]{{b}}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[]{b\nb}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[]{b\\\nb}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[]{ b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[]{ b\n}')), undefined);
       assert.deepStrictEqual(inspect(parser('[ ]{}')), undefined);
       assert.deepStrictEqual(inspect(parser('[ ]{ }')), undefined);
-      assert.deepStrictEqual(inspect(parser('[ ]{a}')), undefined);
-      assert.deepStrictEqual(inspect(parser('[  ]{a}')), undefined);
-      assert.deepStrictEqual(inspect(parser('[\n]{}')), undefined);
-      assert.deepStrictEqual(inspect(parser('[\\ ]{}')), undefined);
-      assert.deepStrictEqual(inspect(parser('[\\\n]{}')), undefined);
-      assert.deepStrictEqual(inspect(parser('[[]{}')), undefined);
-      assert.deepStrictEqual(inspect(parser('[]]{}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[ ]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[  ]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[\n]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[\\ ]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[\\\n]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[&Tab;]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[[]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[]]{b}')), undefined);
       assert.deepStrictEqual(inspect(parser('[a]{}')), undefined);
-      assert.deepStrictEqual(inspect(parser('[ a]{b}')), undefined);
-      assert.deepStrictEqual(inspect(parser('[ a ]{b}')), undefined);
-      assert.deepStrictEqual(inspect(parser('[a\nb]{#}')), undefined);
-      assert.deepStrictEqual(inspect(parser('[a\\\nb]{#}')), undefined);
-      assert.deepStrictEqual(inspect(parser('[<wbr>]{/}')), undefined);
-      assert.deepStrictEqual(inspect(parser('[[# a #]]{#}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[\\ a]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[ \\ a]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[a\nb]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[a\\\nb]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[<wbr>]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[[# a #]]{b}')), undefined);
       assert.deepStrictEqual(inspect(parser('[*a\nb*]{/}')), undefined);
       assert.deepStrictEqual(inspect(parser('[http://host]{http://host}')), undefined);
       assert.deepStrictEqual(inspect(parser('[]{ttp://host}')), [['<a class="invalid">ttp://host</a>'], '']);
       //assert.deepStrictEqual(inspect(parser('[]{http://[::ffff:0:0%1]}')), [['<a class="invalid">http://[::ffff:0:0%1]</a>'], '']);
       //assert.deepStrictEqual(inspect(parser('[]{http://[::ffff:0:0/96]}')), [['<a class="invalid">http://[::ffff:0:0/96]</a>'], '']);
-      assert.deepStrictEqual(inspect(parser(' []{a}')), undefined);
+      assert.deepStrictEqual(inspect(parser('[]{^/.}')), [[`<a class="invalid">^/.</a>`], '']);
+      assert.deepStrictEqual(inspect(parser('[]{^/..}')), [[`<a class="invalid">^/..</a>`], '']);
+      assert.deepStrictEqual(inspect(parser('[]{^/../}')), [[`<a class="invalid">^/../</a>`], '']);
+      assert.deepStrictEqual(inspect(parser('[]{^/../..}')), [[`<a class="invalid">^/../..</a>`], '']);
+      assert.deepStrictEqual(inspect(parser('[]{^/../b}')), [[`<a class="invalid">^/../b</a>`], '']);
+      assert.deepStrictEqual(inspect(parser('[]{^/../b/..}')), [[`<a class="invalid">^/../b/..</a>`], '']);
+      assert.deepStrictEqual(inspect(parser(' []{b}')), undefined);
       assert.deepStrictEqual(inspect(parser('![]{/}')), undefined);
     });
 
@@ -91,15 +99,28 @@ describe('Unit: parser/inline/link', () => {
       assert.deepStrictEqual(inspect(parser('[]{\\b}')), [[`<a href="\\b">\\b</a>`], '']);
       assert.deepStrictEqual(inspect(parser('[]{?b=c+d&\\#}')), [['<a href="?b=c+d&amp;\\#">?b=c+d&amp;\\#</a>'], '']);
       assert.deepStrictEqual(inspect(parser('[]{?&amp;}')), [['<a href="?&amp;amp;">?&amp;amp;</a>'], '']);
-      assert.deepStrictEqual(inspect(parser('[]{./b}')), [['<a href="./b">./b</a>'], '']);
-      assert.deepStrictEqual(inspect(parser('[]{^/b}')), [[`<a href="/b">^/b</a>`], '']);
       assert.deepStrictEqual(inspect(parser('[]{#}')), [['<a href="#">#</a>'], '']);
       assert.deepStrictEqual(inspect(parser('[]{#b}')), [['<a href="#b">#b</a>'], '']);
+      assert.deepStrictEqual(inspect(parser('[]{./b}')), [['<a href="./b">./b</a>'], '']);
+      assert.deepStrictEqual(inspect(parser('[]{^/b}')), [[`<a href="/b">^/b</a>`], '']);
+      assert.deepStrictEqual(inspect(parser('[]{^/b?/../}')), [[`<a href="/b?/../">^/b?/../</a>`], '']);
+      assert.deepStrictEqual(inspect(parser('[]{^/b#/../}')), [[`<a href="/b#/../">^/b#/../</a>`], '']);
+      assert.deepStrictEqual(inspect(parser('[]{^/b}', { host: new URL('/dir', location.origin) })), [[`<a href="/dir/b">^/b</a>`], '']);
+      assert.deepStrictEqual(inspect(parser('[]{^/b}', { host: new URL('/dir/', location.origin) })), [[`<a href="/dir/b">^/b</a>`], '']);
+      assert.deepStrictEqual(inspect(parser('[]{^/b}', { host: new URL('/folder/doc.md', location.origin) })), [[`<a href="/folder/b">^/b</a>`], '']);
+      assert.deepStrictEqual(inspect(parser('[]{^/b}', { host: new URL('/folder/doc.md/', location.origin) })), [[`<a href="/folder/doc.md/b">^/b</a>`], '']);
+      assert.deepStrictEqual(inspect(parser('[]{^/b}', { host: new URL('/.file', location.origin) })), [[`<a href="/b">^/b</a>`], '']);
+      assert.deepStrictEqual(inspect(parser('[]{^/b}', { host: new URL('/0.0a', location.origin) })), [[`<a href="/b">^/b</a>`], '']);
+      assert.deepStrictEqual(inspect(parser('[]{^/b}', { host: new URL('/0.a0', location.origin) })), [[`<a href="/b">^/b</a>`], '']);
+      assert.deepStrictEqual(inspect(parser('[]{^/b}', { host: new URL('/0.0', location.origin) })), [[`<a href="/0.0/b">^/b</a>`], '']);
+      assert.deepStrictEqual(inspect(parser('[]{^/b}', { host: new URL('/0.0,0.0,0z', location.origin) })), [[`<a href="/0.0,0.0,0z/b">^/b</a>`], '']);
+      assert.deepStrictEqual(inspect(parser('[ a]{b}')), [['<a href="b">a</a>'], '']);
+      assert.deepStrictEqual(inspect(parser('[ a ]{b}')), [['<a href="b">a</a>'], '']);
+      assert.deepStrictEqual(inspect(parser('[a ]{b}')), [['<a href="b">a</a>'], '']);
+      assert.deepStrictEqual(inspect(parser('[a  ]{b}')), [['<a href="b">a</a>'], '']);
       assert.deepStrictEqual(inspect(parser('[a]{b}')), [['<a href="b">a</a>'], '']);
       assert.deepStrictEqual(inspect(parser('[a]{#}')), [['<a href="#">a</a>'], '']);
       assert.deepStrictEqual(inspect(parser('[a]{#b}')), [['<a href="#b">a</a>'], '']);
-      assert.deepStrictEqual(inspect(parser('[a ]{b}')), [['<a href="b">a</a>'], '']);
-      assert.deepStrictEqual(inspect(parser('[a  ]{b}')), [['<a href="b">a</a>'], '']);
       assert.deepStrictEqual(inspect(parser('[a b]{c}')), [['<a href="c">a b</a>'], '']);
       assert.deepStrictEqual(inspect(parser(`[]{?#${encodeURIComponent(':/[]{}<>?#=& ')}}`)), [['<a href="?#%3A%2F%5B%5D%7B%7D%3C%3E%3F%23%3D%26%20">?#%3A%2F[]{}&lt;&gt;%3F%23%3D%26%20</a>'], '']);
       assert.deepStrictEqual(inspect(parser('{b}')), [['<a href="b">b</a>'], '']);

package/src/parser/inline/link.ts

@@ -7,7 +7,7 @@ import { inline, media, shortmedia } from '../inline';
 import { attributes } from './html';
 import { autolink } from '../autolink';
 import { str } from '../source';
-import { startTight, trimEnd, stringify } from '../util';
+import { startLoose, trimNode, stringify } from '../util';
 import { html, define, defrag } from 'typed-dom';
 import { ReadonlyURL } from 'spica/url';
 
@@ -28,7 +28,7 @@ export const link: LinkParser = lazy(() => creator(10, bind(reverse(
       surround('[', shortmedia, ']'),
       surround(
         '[',
-        startTight(
+        startLoose(
         context({ syntax: { inline: {
           annotation: false,
           reference: false,
@@ -39,7 +39,7 @@ export const link: LinkParser = lazy(() => creator(10, bind(reverse(
           media: false,
           autolink: false,
         }}},
-        some(inline, ']', /^\\?\n/))),
+        some(inline, ']', /^\\?\n/)), ']'),
         ']',
         true),
     ]))),
@@ -54,9 +54,9 @@ export const link: LinkParser = lazy(() => creator(10, bind(reverse(
     assert(!INSECURE_URI.match(/\s/));
     const el = create(
       INSECURE_URI,
-      trimEnd(defrag(content)),
+      trimNode(defrag(content)),
       new ReadonlyURL(
-        resolve(INSECURE_URI, context.host || location, context.url || location),
+        resolve(INSECURE_URI, context.host ?? location, context.url ?? context.host ?? location),
         context.host?.href || location.href),
       context.host?.origin || location.origin);
     if (el.classList.contains('invalid')) return [[el], rest];
@@ -81,33 +81,25 @@ export function resolve(uri: string, host: URL | Location, source: URL | Locatio
   assert(uri === uri.trim());
   switch (true) {
     case uri.slice(0, 2) === '^/':
-      const file = host.pathname.slice(host.pathname.lastIndexOf('/') + 1);
-      return file.includes('.')
-        ? `${host.pathname.slice(0, -file.length)}${uri.slice(2)}`
-        : `${fillTrailingSlash(host.pathname)}${uri.slice(2)}`;
+      const last = host.pathname.slice(host.pathname.lastIndexOf('/') + 1);
+      return last.includes('.') // isFile
+          && /^[0-9]*[a-z][0-9a-z]*$/i.test(last.slice(last.lastIndexOf('.') + 1))
+        ? `${host.pathname.slice(0, -last.length)}${uri.slice(2)}`
+        : `${host.pathname.replace(/\/?$/, '/')}${uri.slice(2)}`;
     case host.origin === source.origin
       && host.pathname === source.pathname:
     case uri.slice(0, 2) === '//':
       return uri;
     default:
       const target = new ReadonlyURL(uri, source.href);
-      return target.origin === uri.match(/^[A-Za-z][0-9A-Za-z.+-]*:\/\/[^/?#]*/)?.[0]
-        ? uri
-        : target.origin === host.origin
+      return target.origin === host.origin
           ? target.href.slice(target.origin.length)
           : target.href;
   }
 }
 
-function fillTrailingSlash(pathname: string): string {
-  assert(pathname);
-  return pathname[pathname.length - 1] === '/'
-    ? pathname
-    : pathname + '/';
-}
-
 function create(
-  address: string,
+  INSECURE_URI: string,
   content: readonly (string | HTMLElement)[],
   uri: ReadonlyURL,
   origin: string,
@@ -118,6 +110,12 @@ function create(
     case 'http:':
     case 'https:':
       assert(uri.host);
+      if (INSECURE_URI.slice(0, 2) === '^/' &&
+          /\/\.\.?(?:\/|$)/.test(INSECURE_URI.slice(0, INSECURE_URI.search(/[?#]|$/)))) {
+        type = 'argument';
+        description = 'Dot-segments cannot be used in subresource paths.';
+        break;
+      }
       return html('a',
         {
           href: uri.source,
@@ -128,19 +126,19 @@ function create(
               : undefined,
         },
         content.length === 0
-          ? decode(address)
+          ? decode(INSECURE_URI)
           : content);
     case 'tel:':
       if (content.length === 0) {
-        content = [address];
+        content = [INSECURE_URI];
       }
       const pattern = /^(?:tel:)?(?:\+(?!0))?\d+(?:-\d+)*$/i;
       switch (true) {
         case content.length === 1
           && typeof content[0] === 'string'
-          && pattern.test(address)
+          && pattern.test(INSECURE_URI)
           && pattern.test(content[0])
-          && address.replace(/[^+\d]/g, '') === content[0].replace(/[^+\d]/g, ''):
+          && INSECURE_URI.replace(/[^+\d]/g, '') === content[0].replace(/[^+\d]/g, ''):
           return html('a', { href: uri.source }, content);
       }
       type = 'content';
@@ -155,7 +153,7 @@ function create(
       'data-invalid-description': description ??= 'Invalid protocol.',
     },
     content.length === 0
-      ? address
+      ? INSECURE_URI
       : content);
 }
 

package/src/parser/inline/mark.test.ts

@@ -12,7 +12,10 @@ describe('Unit: parser/inline/mark', () => {
       assert.deepStrictEqual(inspect(parser('==')), undefined);
       assert.deepStrictEqual(inspect(parser('==a')), [['==', 'a'], '']);
       assert.deepStrictEqual(inspect(parser('==a=')), [['==', 'a', '='], '']);
-      assert.deepStrictEqual(inspect(parser('==a  ==')), [['==', 'a', '  '], '==']);
+      assert.deepStrictEqual(inspect(parser('==a ==')), [['==', 'a', ' '], '==']);
+      assert.deepStrictEqual(inspect(parser('==a\n==')), [['==', 'a', '<br>'], '==']);
+      assert.deepStrictEqual(inspect(parser('==a\\ ==')), [['==', 'a', ' '], '==']);
+      assert.deepStrictEqual(inspect(parser('==a\\\n==')), [['==', 'a', '<span class="linebreak"> </span>'], '==']);
       assert.deepStrictEqual(inspect(parser('== ==')), undefined);
       assert.deepStrictEqual(inspect(parser('== a==')), undefined);
       assert.deepStrictEqual(inspect(parser('== a ==')), undefined);
@@ -26,14 +29,10 @@ describe('Unit: parser/inline/mark', () => {
     it('basic', () => {
       assert.deepStrictEqual(inspect(parser('==a==')), [['<mark>a</mark>'], '']);
       assert.deepStrictEqual(inspect(parser('==ab==')), [['<mark>ab</mark>'], '']);
-      assert.deepStrictEqual(inspect(parser('==a ==')), [['<mark>a </mark>'], '']);
-      assert.deepStrictEqual(inspect(parser('==a\n==')), [['<mark>a</mark>'], '']);
       assert.deepStrictEqual(inspect(parser('==a\nb==')), [['<mark>a<br>b</mark>'], '']);
       assert.deepStrictEqual(inspect(parser('==a\\\nb==')), [['<mark>a<span class="linebreak"> </span>b</mark>'], '']);
       assert.deepStrictEqual(inspect(parser('==\\===')), [['<mark>=</mark>'], '']);
       assert.deepStrictEqual(inspect(parser('==a===')), [['<mark>a</mark>'], '=']);
-      assert.deepStrictEqual(inspect(parser('===a==')), [['<mark>=a</mark>'], '']);
-      assert.deepStrictEqual(inspect(parser('===a===')), [['<mark>=a</mark>'], '=']);
     });
 
     it('nest', () => {

package/src/parser/inline/mark.ts

@@ -2,7 +2,7 @@ import { MarkParser } from '../inline';
 import { union, some, creator, surround, lazy } from '../../combinator';
 import { inline } from '../inline';
 import { str } from '../source';
-import { startTight, verifyEndTight, trimEndBR } from '../util';
+import { startTight, isEndTightNodes } from '../util';
 import { html, defrag } from 'typed-dom';
 import { unshift } from 'spica/array';
 
@@ -11,7 +11,7 @@ export const mark: MarkParser = lazy(() => creator(surround(
   startTight(union([some(inline, '==')])),
   str('=='), false,
   ([as, bs, cs], rest) =>
-    verifyEndTight(bs)
-      ? [[html('mark', defrag(trimEndBR(bs)))], rest]
+    isEndTightNodes(bs)
+      ? [[html('mark', defrag(bs))], rest]
       : [unshift(as, bs), cs[0] + rest],
   ([as, bs], rest) => [unshift(as, bs), rest])));

package/src/parser/inline/math.test.ts

@@ -23,6 +23,7 @@ describe('Unit: parser/inline/math', () => {
       assert.deepStrictEqual(inspect(parser('$-0$-1')), undefined);
       assert.deepStrictEqual(inspect(parser('$-a$')), undefined);
       assert.deepStrictEqual(inspect(parser('$-a$-b')), undefined);
+      assert.deepStrictEqual(inspect(parser('$a $')), undefined);
       assert.deepStrictEqual(inspect(parser('$a-b$')), undefined);
       assert.deepStrictEqual(inspect(parser('$a-b$c-d')), undefined);
       assert.deepStrictEqual(inspect(parser('$a+b$')), undefined);
@@ -33,6 +34,8 @@ describe('Unit: parser/inline/math', () => {
       assert.deepStrictEqual(inspect(parser('$a$b')), undefined);
       assert.deepStrictEqual(inspect(parser('$a$b$')), undefined);
       assert.deepStrictEqual(inspect(parser('$ $')), undefined);
+      assert.deepStrictEqual(inspect(parser('$ a$')), undefined);
+      assert.deepStrictEqual(inspect(parser('$ a $')), undefined);
       assert.deepStrictEqual(inspect(parser('$\n$')), undefined);
       assert.deepStrictEqual(inspect(parser('$a\nb$')), undefined);
       assert.deepStrictEqual(inspect(parser('$a\\\nb$')), undefined);
@@ -59,6 +62,7 @@ describe('Unit: parser/inline/math', () => {
       assert.deepStrictEqual(inspect(parser('${}$')), [['<span class="math" translate="no" data-src="${}$">${}$</span>'], '']);
       assert.deepStrictEqual(inspect(parser('${ }$')), [['<span class="math" translate="no" data-src="${ }$">${ }$</span>'], '']);
       assert.deepStrictEqual(inspect(parser('${a}$')), [['<span class="math" translate="no" data-src="${a}$">${a}$</span>'], '']);
+      assert.deepStrictEqual(inspect(parser('${a}$$')), [['<span class="math" translate="no" data-src="${a}$">${a}$</span>'], '$']);
       assert.deepStrictEqual(inspect(parser('${a}$0')), [['<span class="math" translate="no" data-src="${a}$">${a}$</span>'], '0']);
       assert.deepStrictEqual(inspect(parser('${a}$b')), [['<span class="math" translate="no" data-src="${a}$">${a}$</span>'], 'b']);
       assert.deepStrictEqual(inspect(parser('${ab}$')), [['<span class="math" translate="no" data-src="${ab}$">${ab}$</span>'], '']);
@@ -71,14 +75,15 @@ describe('Unit: parser/inline/math', () => {
       assert.deepStrictEqual(inspect(parser('${\\$}$')), [['<span class="math" translate="no" data-src="${\\$}$">${\\$}$</span>'], '']);
       assert.deepStrictEqual(inspect(parser('${\\\\}$')), [['<span class="math" translate="no" data-src="${\\\\}$">${\\\\}$</span>'], '']);
       assert.deepStrictEqual(inspect(parser('$a$')), [['<span class="math" translate="no" data-src="$a$">$a$</span>'], '']);
+      assert.deepStrictEqual(inspect(parser('$a$$')), [['<span class="math" translate="no" data-src="$a$">$a$</span>'], '$']);
       assert.deepStrictEqual(inspect(parser(`$a'$`)), [[`<span class="math" translate="no" data-src="$a'$">$a'$</span>`], '']);
       assert.deepStrictEqual(inspect(parser(`$a''$`)), [[`<span class="math" translate="no" data-src="$a''$">$a''$</span>`], '']);
       assert.deepStrictEqual(inspect(parser('$a$[A](a)')), [['<span class="math" translate="no" data-src="$a$">$a$</span>'], '[A](a)']);
-      assert.deepStrictEqual(inspect(parser('$a$$')), [['<span class="math" translate="no" data-src="$a$">$a$</span>'], '$']);
       assert.deepStrictEqual(inspect(parser('$A$')), [['<span class="math" translate="no" data-src="$A$">$A$</span>'], '']);
       assert.deepStrictEqual(inspect(parser('$\\$$')), [['<span class="math" translate="no" data-src="$\\$$">$\\$$</span>'], '']);
       assert.deepStrictEqual(inspect(parser('$\\Pi$')), [['<span class="math" translate="no" data-src="$\\Pi$">$\\Pi$</span>'], '']);
-      assert.deepStrictEqual(inspect(parser('$\\Pi $')), [['<span class="math" translate="no" data-src="$\\Pi $">$\\Pi $</span>'], '']);
+      assert.deepStrictEqual(inspect(parser('$\\ 0$')), [['<span class="math" translate="no" data-src="$\\ 0$">$\\ 0$</span>'], '']);
+      assert.deepStrictEqual(inspect(parser('$\\\\0$')), [['<span class="math" translate="no" data-src="$\\\\0$">$\\\\0$</span>'], '']);
       assert.deepStrictEqual(inspect(parser('$|1|$')), [['<span class="math" translate="no" data-src="$|1|$">$|1|$</span>'], '']);
       assert.deepStrictEqual(inspect(parser('$[0,1)$]')), [['<span class="math" translate="no" data-src="$[0,1)$">$[0,1)$</span>'], ']']);
       assert.deepStrictEqual(inspect(parser('$(0, 1]$)')), [['<span class="math" translate="no" data-src="$(0, 1]$">$(0, 1]$</span>'], ')']);

package/src/parser/inline/math.ts

@@ -1,7 +1,7 @@
 import { MathParser } from '../inline';
 import { union, some, validate, verify, rewrite, creator, surround, lazy } from '../../combinator';
 import { escsource, str } from '../source';
-import { verifyEndTight } from '../util';
+import { isEndTightNodes } from '../util';
 import { html } from 'typed-dom';
 
 const disallowedCommand = /\\(?:begin|tiny|huge|large)(?![0-9a-z])/i;
@@ -21,7 +21,7 @@ export const math: MathParser = lazy(() => creator(validate('$', '$', '\n', rewr
         // $[A-z]*[,.!?()]            : Incomplete syntax before texts
         // $[A-z]*\s?[!@#&*+~=`$[]{<] : Incomplete syntax in or around another syntax
         str(/^(?=[\\^_[(|]|[A-Za-z][0-9A-Za-z]*'*[ ~]?(?:\$|([\\^_(|:=<>])(?!\1)))(?:\\\$|[\x20-\x23\x25-\x7E])*/),
-        verifyEndTight),
+        isEndTightNodes),
       /^\$(?![0-9A-Za-z])/),
   ]),
   (source, { caches: { math: cache } = {} }) => [[

package/src/parser/inline/media.test.ts

@@ -29,26 +29,34 @@ describe('Unit: parser/inline/media', () => {
       assert.deepStrictEqual(inspect(parser('![]{   }')), undefined);
       assert.deepStrictEqual(inspect(parser('![]]{/}')), undefined);
       assert.deepStrictEqual(inspect(parser('![]{{}')), undefined);
-      assert.deepStrictEqual(inspect(parser('![]{{a}}')), undefined);
-      assert.deepStrictEqual(inspect(parser('![]{a\nb}')), undefined);
-      assert.deepStrictEqual(inspect(parser('![]{a\\\nb}')), undefined);
-      assert.deepStrictEqual(inspect(parser('![]{ a}')), undefined);
-      assert.deepStrictEqual(inspect(parser('![]{ a\n}')), undefined);
-      assert.deepStrictEqual(inspect(parser('![ ]{#}')), undefined);
-      assert.deepStrictEqual(inspect(parser('![  ]{#}')), undefined);
-      assert.deepStrictEqual(inspect(parser('![\\ ]{#}')), undefined);
-      assert.deepStrictEqual(inspect(parser('![	]{#}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![]{{b}}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![]{b\nc}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![]{a\\\nc}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![]{ b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![]{ b\n}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![ ]{}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![ ]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![  ]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![\n]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![\\ ]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![\\\n]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![	]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![[]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![]]{b}')), undefined);
       assert.deepStrictEqual(inspect(parser('![a]{}')), undefined);
-      assert.deepStrictEqual(inspect(parser('![ a]{#}')), undefined);
-      assert.deepStrictEqual(inspect(parser('![ a ]{#}')), undefined);
-      assert.deepStrictEqual(inspect(parser('![\\ a ]{#}')), undefined);
-      assert.deepStrictEqual(inspect(parser('![a\nb]{#}')), undefined);
-      assert.deepStrictEqual(inspect(parser('![a\\\nb]{#}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![\\ a ]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![ \\ a ]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![a\nb]{b}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![a\\\nb]{b}')), undefined);
       assert.deepStrictEqual(inspect(parser('![]{ttp://host}')), [['<img class="media invalid" data-src="ttp://host" alt="">'], '']);
       assert.deepStrictEqual(inspect(parser('![]{tel:1234567890}')), [['<img class="media invalid" data-src="tel:1234567890" alt="">'], '']);
       //assert.deepStrictEqual(inspect(parser('![]{http://[::ffff:0:0%1]}')), [['<img class="media invalid" alt="">'], '']);
       //assert.deepStrictEqual(inspect(parser('![]{http://[::ffff:0:0/96]}')), [['<img class="media invalid" alt="">'], '']);
-      assert.deepStrictEqual(inspect(parser(' ![]{a}')), undefined);
+      assert.deepStrictEqual(inspect(parser('![]{.}')), [['<img class="media invalid" data-src="." alt="">'], '']);
+      assert.deepStrictEqual(inspect(parser('![]{..}')), [['<img class="media invalid" data-src=".." alt="">'], '']);
+      assert.deepStrictEqual(inspect(parser('![]{../}')), [['<img class="media invalid" data-src="../" alt="">'], '']);
+      assert.deepStrictEqual(inspect(parser('![]{/../b}')), [['<img class="media invalid" data-src="/../b" alt="">'], '']);
+      assert.deepStrictEqual(inspect(parser(' ![]{b}')), undefined);
       assert.deepStrictEqual(inspect(parser('[]{/}')), undefined);
     });
 
@@ -61,8 +69,11 @@ describe('Unit: parser/inline/media', () => {
       assert.deepStrictEqual(inspect(parser('![]{\\}')), [['<a href="\\" target="_blank"><img class="media" data-src="\\" alt=""></a>'], '']);
       assert.deepStrictEqual(inspect(parser('![]{\\ }')), [['<a href="\\" target="_blank"><img class="media" data-src="\\" alt=""></a>'], '']);
       assert.deepStrictEqual(inspect(parser('![]{\\b}')), [['<a href="\\b" target="_blank"><img class="media" data-src="\\b" alt=""></a>'], '']);
-      assert.deepStrictEqual(inspect(parser('![]{./b}')), [['<a href="./b" target="_blank"><img class="media" data-src="./b" alt=""></a>'], '']);
+      assert.deepStrictEqual(inspect(parser('![]{?/../}')), [[`<a href="?/../" target="_blank"><img class="media" data-src="?/../" alt=""></a>`], '']);
+      assert.deepStrictEqual(inspect(parser('![]{#/../}')), [[`<a href="#/../" target="_blank"><img class="media" data-src="#/../" alt=""></a>`], '']);
       assert.deepStrictEqual(inspect(parser('![]{^/b}')), [[`<a href="/b" target="_blank"><img class="media" data-src="/b" alt=""></a>`], '']);
+      assert.deepStrictEqual(inspect(parser('![ a]{b}')), [['<a href="b" target="_blank"><img class="media" data-src="b" alt="a"></a>'], '']);
+      assert.deepStrictEqual(inspect(parser('![ a ]{b}')), [['<a href="b" target="_blank"><img class="media" data-src="b" alt="a"></a>'], '']);
       assert.deepStrictEqual(inspect(parser('![a ]{b}')), [['<a href="b" target="_blank"><img class="media" data-src="b" alt="a"></a>'], '']);
       assert.deepStrictEqual(inspect(parser('![a  ]{b}')), [['<a href="b" target="_blank"><img class="media" data-src="b" alt="a"></a>'], '']);
       assert.deepStrictEqual(inspect(parser('![a b]{c}')), [['<a href="c" target="_blank"><img class="media" data-src="c" alt="a b"></a>'], '']);

package/src/parser/inline/media.ts

@@ -6,7 +6,6 @@ import { link, uri, option as linkoption, resolve } from './link';
 import { attributes } from './html';
 import { htmlentity } from './htmlentity';
 import { txt, str } from '../source';
-import { verifyStartTight } from '../util';
 import { html, define } from 'typed-dom';
 import { ReadonlyURL } from 'spica/url';
 import { unshift, push, join } from 'spica/array';
@@ -24,28 +23,29 @@ export const media: MediaParser = lazy(() => creator(10, bind(verify(fmap(open(
   validate(['[', '{'], '}', '\n',
   guard(context => context.syntax?.inline?.media ?? true,
   tails([
-    dup(surround(/^\[(?!\\?\s)/, some(union([htmlentity, bracket, txt]), ']', /^\\?\n/), ']', true)),
+    dup(surround(/^\[(?!\s*\\\s)/, some(union([htmlentity, bracket, txt]), ']', /^\\?\n/), ']', true)),
     dup(surround(/^{(?![{}])/, inits([uri, some(option)]), /^[^\S\n]?}/)),
   ])))),
-  ([as, bs]) => bs ? [[join(as)], bs] : [[''], as]),
-  ([[text]]) => verifyStartTight([text || '-'])),
+  ([as, bs]) => bs ? [[join(as).trim() || join(as)], bs] : [[''], as]),
+  ([[text]]) => text === '' || text.trim() !== ''),
   ([[text], params], rest, context) => {
     const INSECURE_URI = params.shift()!;
     assert(INSECURE_URI === INSECURE_URI.trim());
     assert(!INSECURE_URI.match(/\s/));
     const url = new ReadonlyURL(
-      resolve(INSECURE_URI, context.host || location, context.url || location),
+      resolve(INSECURE_URI, context.host ?? location, context.url ?? context.host ?? location),
       context.host?.href || location.href);
-    const cache = context.caches?.media;
-    const cached = cache?.has(url.href);
-    const el = cache && cached
-      ? cache.get(url.href)!.cloneNode(true)
-      : html('img', { class: 'media', 'data-src': url.source, alt: text.trimEnd() });
-    if (!cached && !sanitize(url, el)) return [[el], rest];
-    cached && el.hasAttribute('alt') && el.setAttribute('alt', text.trimEnd());
+    let cache: HTMLElement | undefined;
+    const el = undefined
+      || (cache = context.caches?.media?.get(url.href)?.cloneNode(true))
+      || html('img', { class: 'media', 'data-src': url.source, alt: text });
+    assert(!el.matches('.invalid'));
+    if (!cache && !sanitize(url, el)) return [[el], rest];
+    assert(!el.matches('.invalid'));
+    cache?.hasAttribute('alt') && cache?.setAttribute('alt', text);
     define(el, attributes('media', push([], el.classList), optspec, params));
     assert(el.matches('img') || !el.matches('.invalid'));
-    if (context.syntax?.inline?.link === false || cached && el.tagName !== 'IMG') return [[el], rest];
+    if (context.syntax?.inline?.link === false || cache && cache.tagName !== 'IMG') return [[el], rest];
     return fmap(
       link as MediaParser,
       ([link]) => [define(link, { target: '_blank' }, [el])])
@@ -67,18 +67,29 @@ const option: MediaParser.ParameterParser.OptionParser = union([
 
 function sanitize(uri: ReadonlyURL, target: HTMLElement): boolean {
   assert(target.tagName === 'IMG');
+  assert(!target.matches('.invalid'));
+  if (/\/\.\.?(?:\/|$)/.test('/' + uri.source.slice(0, uri.source.search(/[?#]|$/)))) {
+    define(target, {
+      class: void target.classList.add('invalid'),
+      'data-invalid-syntax': 'media',
+      'data-invalid-type': 'argument',
+      'data-invalid-description': 'Dot-segments cannot be used in media paths; use subresource paths instead.',
+    });
+    return false;
+  }
   switch (uri.protocol) {
     case 'http:':
     case 'https:':
       assert(uri.host);
-      return true;
+      break;
+    default:
+      define(target, {
+        class: void target.classList.add('invalid'),
+        'data-invalid-syntax': 'media',
+        'data-invalid-type': 'argument',
+        'data-invalid-description': 'Invalid protocol.',
+      });
+      return false;
   }
-  assert(!target.classList.contains('invalid'));
-  define(target, {
-    class: void target.classList.add('invalid'),
-    'data-invalid-syntax': 'media',
-    'data-invalid-type': 'argument',
-    'data-invalid-description': 'Invalid protocol.',
-  });
-  return false;
+  return true;
 }

package/src/parser/inline/reference.test.ts

@@ -14,8 +14,6 @@ describe('Unit: parser/inline/reference', () => {
       assert.deepStrictEqual(inspect(parser('[[]]')), undefined);
       assert.deepStrictEqual(inspect(parser('[[]]]')), undefined);
       assert.deepStrictEqual(inspect(parser('[[ ]]')), undefined);
-      assert.deepStrictEqual(inspect(parser('[[ a]]')), undefined);
-      assert.deepStrictEqual(inspect(parser('[[ a ]]')), undefined);
       assert.deepStrictEqual(inspect(parser('[[\n]]')), undefined);
       assert.deepStrictEqual(inspect(parser('[[\na]]')), undefined);
       assert.deepStrictEqual(inspect(parser('[[\\ a]]')), undefined);
@@ -34,6 +32,8 @@ describe('Unit: parser/inline/reference', () => {
     });
 
     it('basic', () => {
+      assert.deepStrictEqual(inspect(parser('[[ a]]')), [['<sup class="reference">a</sup>'], '']);
+      assert.deepStrictEqual(inspect(parser('[[ a ]]')), [['<sup class="reference">a</sup>'], '']);
       assert.deepStrictEqual(inspect(parser('[[a]]')), [['<sup class="reference">a</sup>'], '']);
       assert.deepStrictEqual(inspect(parser('[[a ]]')), [['<sup class="reference">a</sup>'], '']);
       assert.deepStrictEqual(inspect(parser('[[a  ]]')), [['<sup class="reference">a</sup>'], '']);

package/src/parser/inline/reference.ts

@@ -3,13 +3,13 @@ import { ReferenceParser } from '../inline';
 import { union, subsequence, some, validate, verify, focus, guard, context, creator, surround, lazy, fmap } from '../../combinator';
 import { inline } from '../inline';
 import { str } from '../source';
-import { startTight, isStartTight, trimEnd, stringify } from '../util';
+import { startLoose, isStartLoose, trimNode, stringify } from '../util';
 import { html, defrag } from 'typed-dom';
 
 export const reference: ReferenceParser = lazy(() => creator(validate('[[', ']]', '\n', fmap(surround(
   '[[',
   guard(context => context.syntax?.inline?.reference ?? true,
-  startTight(
+  startLoose(
   context({ syntax: { inline: {
     annotation: false,
     reference: false,
@@ -24,15 +24,15 @@ export const reference: ReferenceParser = lazy(() => creator(validate('[[', ']]'
     abbr,
     focus('^', c => [['', c], '']),
     some(inline, ']', /^\\?\n/),
-  ])))),
+  ])), ']]')),
   ']]'),
-  ns => [html('sup', attributes(ns), trimEnd(defrag(ns)))]))));
+  ns => [html('sup', attributes(ns), trimNode(defrag(ns)))]))));
 
 const abbr: ReferenceParser.AbbrParser = creator(fmap(verify(surround(
   '^',
   union([str(/^(?![0-9]+\s?[|\]])[0-9A-Za-z]+(?:(?:-|(?=\W)(?!'\d)'?(?!\.\d)\.?(?!,\S),? ?)[0-9A-Za-z]+)*(?:-|'?\.?,? ?)?/)]),
-  /^\|?(?=]])|^\|[^\S\n]+/),
-  (_, rest, context) => isStartTight(rest, context)),
+  /^\|?(?=]])|^\|[^\S\n]/),
+  (_, rest, context) => isStartLoose(rest, context)),
   ([source]) => [html('abbr', source)]));
 
 function attributes(ns: (string | HTMLElement)[]): Record<string, string | undefined> {

package/src/parser/inline/ruby.ts

@@ -4,7 +4,7 @@ import { eval, exec } from '../../combinator/data/parser';
 import { sequence, validate, verify, focus, creator, surround, lazy, bind } from '../../combinator';
 import { htmlentity } from './htmlentity';
 import { text as txt } from '../source';
-import { verifyStartTight } from '../util';
+import { isStartTightNodes } from '../util';
 import { html, defrag } from 'typed-dom';
 import { unshift, push, join } from 'spica/array';
 
@@ -14,7 +14,7 @@ export const ruby: RubyParser = lazy(() => creator(bind(verify(
     surround('[', focus(/^(?:\\[^\n]|[^\[\]\n])+(?=]\()/, text), ']'),
     surround('(', focus(/^(?:\\[^\n]|[^\(\)\n])+(?=\))/, text), ')'),
   ])),
-  ([texts]) => verifyStartTight(texts)),
+  ([texts]) => isStartTightNodes(texts)),
   ([texts, rubies], rest) => {
     const tail = typeof texts[texts.length - 1] === 'object'
       ? [texts.pop()!]

package/src/parser/inline/strong.test.ts

@@ -10,7 +10,10 @@ describe('Unit: parser/inline/strong', () => {
       assert.deepStrictEqual(inspect(parser('**')), undefined);
       assert.deepStrictEqual(inspect(parser('**a')), [['**', 'a'], '']);
       assert.deepStrictEqual(inspect(parser('**a*')), [['**', 'a', '*'], '']);
-      assert.deepStrictEqual(inspect(parser('**a  **')), [['**', 'a', '  '], '**']);
+      assert.deepStrictEqual(inspect(parser('**a **')), [['**', 'a', ' '], '**']);
+      assert.deepStrictEqual(inspect(parser('**a\n**')), [['**', 'a', '<br>'], '**']);
+      assert.deepStrictEqual(inspect(parser('**a\\ **')), [['**', 'a', ' '], '**']);
+      assert.deepStrictEqual(inspect(parser('**a\\\n**')), [['**', 'a', '<span class="linebreak"> </span>'], '**']);
       assert.deepStrictEqual(inspect(parser('**a*b**')), [['**', 'a', '<em>b</em>', '*'], '']);
       assert.deepStrictEqual(inspect(parser('** **')), undefined);
       assert.deepStrictEqual(inspect(parser('** a**')), undefined);
@@ -27,15 +30,12 @@ describe('Unit: parser/inline/strong', () => {
 
     it('basic', () => {
       assert.deepStrictEqual(inspect(parser('**a**')), [['<strong>a</strong>'], '']);
-      assert.deepStrictEqual(inspect(parser('**a **')), [['<strong>a </strong>'], '']);
-      assert.deepStrictEqual(inspect(parser('**a\n**')), [['<strong>a</strong>'], '']);
-      assert.deepStrictEqual(inspect(parser('**a\\\n**')), [['<strong>a<span class="linebreak"> </span></strong>'], '']);
       assert.deepStrictEqual(inspect(parser('**ab**')), [['<strong>ab</strong>'], '']);
       assert.deepStrictEqual(inspect(parser('**a\nb**')), [['<strong>a<br>b</strong>'], '']);
       assert.deepStrictEqual(inspect(parser('**a\\\nb**')), [['<strong>a<span class="linebreak"> </span>b</strong>'], '']);
       assert.deepStrictEqual(inspect(parser('**a*b*c**')), [['<strong>a<em>b</em>c</strong>'], '']);
       assert.deepStrictEqual(inspect(parser('**a*b*c**d')), [['<strong>a<em>b</em>c</strong>'], 'd']);
-      assert.deepStrictEqual(inspect(parser('**a  *b***')), [['<strong>a  <em>b</em></strong>'], '']);
+      assert.deepStrictEqual(inspect(parser('**a *b***')), [['<strong>a <em>b</em></strong>'], '']);
     });
 
     it('nest', () => {