securemark 0.253.1 → 0.253.2

package/.eslintrc.json

@@ -15,8 +15,14 @@
       "error",
       {
         "ignoreErrors": false,
+        "maxPatternSize": 3000,
+        "maxRepeatCount": 256,
+        "maxSimpleRepeatCount": 256,
         "attackTimeout": null,
-        "timeout": 30000
+        "incubationTimeout": null,
+        "recallTimeout": null,
+        "seedingTimeout": null,
+        "timeout": 1e6
       }
     ]
   },

package/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.253.2
+
+- Refactoring.
+
 ## 0.253.1
 
 - Refactoring.

package/dist/index.js

@@ -1,4 +1,4 @@
-/*! securemark v0.253.1 https://github.com/falsandtru/securemark | (c) 2017, falsandtru | UNLICENSED License */
+/*! securemark v0.253.2 https://github.com/falsandtru/securemark | (c) 2017, falsandtru | UNLICENSED License */
 (function webpackUniversalModuleDefinition(root, factory) {
 	if(typeof exports === 'object' && typeof module === 'object')
 		module.exports = factory(require("DOMPurify"), require("Prism"));
@@ -4545,8 +4545,8 @@ function format(rows) {
 
       if (colSpan > 1) {
         (0, array_1.splice)(cells, j + 1, 0, ...(0, global_1.Array)(colSpan - 1));
-        heads |= (0, global_1.BigInt)(+`0b${`${heads & 1n << jn && 1}`.repeat(colSpan)}`) << jn;
-        highlights |= (0, global_1.BigInt)(+`0b${`${highlights & 1n << jn && 1}`.repeat(colSpan)}`) << jn;
+        heads |= heads & 1n << jn ? ~(~0n << (0, global_1.BigInt)(colSpan)) << jn : 0n;
+        highlights |= highlights & 1n << jn ? ~(~0n << (0, global_1.BigInt)(colSpan)) << jn : 0n;
         j += colSpan - 1;
       }
 
@@ -6209,7 +6209,7 @@ const cache_1 = __webpack_require__(9210);
 
 const array_1 = __webpack_require__(8112);
 
-const tags = global_1.Object.freeze(['wbr', 'sup', 'sub', 'small', 'bdo', 'bdi']);
+const tags = global_1.Object.freeze(['sup', 'sub', 'small', 'bdo', 'bdi']);
 const attrspec = {
   bdo: {
     dir: global_1.Object.freeze(['ltr', 'rtl'])
@@ -6217,7 +6217,8 @@ const attrspec = {
 };
 global_1.Object.setPrototypeOf(attrspec, null);
 global_1.Object.values(attrspec).forEach(o => global_1.Object.setPrototypeOf(o, null));
-exports.html = (0, combinator_1.lazy)(() => (0, combinator_1.creator)((0, combinator_1.validate)('<', (0, combinator_1.validate)(/^<[a-z]+(?=[^\S\n]|>)/, (0, combinator_1.union)([(0, combinator_1.match)(/^<(wbr)(?=[^\S\n]|>)/, (0, memoize_1.memoize)(([, tag]) => (0, combinator_1.surround)(`<${tag}`, (0, combinator_1.some)((0, combinator_1.union)([exports.attribute])), /^\s*>/, true, ([, bs = []], rest) => [[(0, dom_1.html)(tag, attributes('html', [], attrspec[tag], bs))], rest]), ([, tag]) => tags.indexOf(tag), [])), (0, combinator_1.match)(/^<(sup|sub|small|bdo|bdi)(?=[^\S\n]|>)/, (0, memoize_1.memoize)(([, tag]) => (0, combinator_1.surround)((0, combinator_1.surround)((0, source_1.str)(`<${tag}`), (0, combinator_1.some)(exports.attribute), (0, source_1.str)(/^\s*>/), true), (0, util_1.startLoose)((0, combinator_1.some)((0, combinator_1.union)([(0, combinator_1.open)(/^\n?/, (0, combinator_1.some)(inline_1.inline, (0, util_1.blankWith)('\n', `</${tag}>`)), true)])), `</${tag}>`), (0, source_1.str)(`</${tag}>`), false, ([as, bs, cs], rest) => [[elem(tag, as, bs, cs)], rest]), ([, tag]) => tags.indexOf(tag), [])), (0, combinator_1.match)(/^<([a-z]+)(?=[^\S\n]|>)/, (0, memoize_1.memoize)(([, tag]) => (0, combinator_1.surround)((0, combinator_1.surround)((0, source_1.str)(`<${tag}`), (0, combinator_1.some)(exports.attribute), (0, source_1.str)(/^\s*>/), true), (0, util_1.startLoose)((0, combinator_1.some)((0, combinator_1.union)([(0, combinator_1.open)(/^\n?/, (0, combinator_1.some)(inline_1.inline, (0, util_1.blankWith)('\n', `</${tag}>`)), true)])), `</${tag}>`), (0, source_1.str)(`</${tag}>`), false, ([as, bs, cs], rest) => [[elem(tag, as, bs, cs)], rest]), ([, tag]) => tag, new cache_1.Cache(10000)))])))));
+exports.html = (0, combinator_1.lazy)(() => (0, combinator_1.creator)((0, combinator_1.validate)('<', (0, combinator_1.validate)(/^<[a-z]+(?=[^\S\n]|>)/, (0, combinator_1.union)([(0, combinator_1.focus)('<wbr>', () => [[(0, dom_1.html)('wbr')], '']), (0, combinator_1.focus)( // https://html.spec.whatwg.org/multipage/syntax.html#void-elements
+/^<(?:area|base|br|col|embed|hr|img|input|link|meta|source|track|wbr)(?=[^\S\n]|>)/, source => [[source], '']), (0, combinator_1.match)(/^<(sup|sub|small|bdo|bdi)(?=[^\S\n]|>)/, (0, memoize_1.memoize)(([, tag]) => (0, combinator_1.surround)((0, combinator_1.surround)((0, source_1.str)(`<${tag}`), (0, combinator_1.some)(exports.attribute), (0, source_1.str)(/^[^\S\n]*>/), true), (0, util_1.startLoose)((0, combinator_1.some)((0, combinator_1.union)([(0, combinator_1.open)(/^\n?/, (0, combinator_1.some)(inline_1.inline, (0, util_1.blankWith)('\n', `</${tag}>`)), true)])), `</${tag}>`), (0, source_1.str)(`</${tag}>`), false, ([as, bs, cs], rest) => [[elem(tag, as, bs, cs)], rest]), ([, tag]) => tags.indexOf(tag), [])), (0, combinator_1.match)(/^<([a-z]+)(?=[^\S\n]|>)/, (0, memoize_1.memoize)(([, tag]) => (0, combinator_1.surround)((0, combinator_1.surround)((0, source_1.str)(`<${tag}`), (0, combinator_1.some)(exports.attribute), (0, source_1.str)(/^[^\S\n]*>/), true), (0, util_1.startLoose)((0, combinator_1.some)((0, combinator_1.union)([(0, combinator_1.open)(/^\n?/, (0, combinator_1.some)(inline_1.inline, (0, util_1.blankWith)('\n', `</${tag}>`)), true)])), `</${tag}>`), (0, source_1.str)(`</${tag}>`), false, ([as, bs, cs], rest) => [[elem(tag, as, bs, cs)], rest]), ([, tag]) => tag, new cache_1.Cache(10000)))])))));
 exports.attribute = (0, combinator_1.union)([(0, source_1.str)(/^[^\S\n]+[a-z]+(?:-[a-z]+)*(?:="(?:\\[^\n]|[^\\\n"])*")?(?=[^\S\n]|>)/)]);
 
 function elem(tag, as, bs, cs) {

package/markdown.d.ts

@@ -964,11 +964,12 @@ export namespace MarkdownParser {
       }
     }
     export interface HTMLParser extends
-      // Allow: sup, sub, small, bdo, bdi
+      // Allow: wbr, sup, sub, small, bdo, bdi
       // <small>abc</small>
       Inline<'html'>,
       Parser<HTMLElement | string, Context, [
         HTMLParser.OpenTagParser,
+        SourceParser.StrParser,
         HTMLParser.TagParser,
         HTMLParser.TagParser,
       ]> {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securemark",
-  "version": "0.253.1",
+  "version": "0.253.2",
   "description": "Secure markdown renderer working on browsers for user input data.",
   "private": false,
   "homepage": "https://github.com/falsandtru/securemark",
@@ -39,7 +39,7 @@
     "babel-plugin-unassert": "^3.2.0",
     "concurrently": "^7.2.2",
     "eslint": "^8.17.0",
-    "eslint-plugin-redos": "^4.4.0",
+    "eslint-plugin-redos": "^4.4.1",
     "eslint-webpack-plugin": "^3.1.1",
     "glob": "^8.0.3",
     "karma": "^6.4.0",
@@ -49,7 +49,7 @@
     "karma-mocha": "^2.0.1",
     "karma-power-assert": "^1.0.0",
     "mocha": "^10.0.0",
-    "npm-check-updates": "^13.1.5",
+    "npm-check-updates": "^14.0.1",
     "semver": "^7.3.7",
     "spica": "0.0.570",
     "ts-loader": "^9.3.0",

package/src/parser/block/extension/table.ts

@@ -248,8 +248,12 @@ function format(rows: Tree<RowParser>[]): HTMLTableSectionElement[] {
       assert(colSpan > 0);
       if (colSpan > 1) {
         splice(cells, j + 1, 0, ...Array(colSpan - 1));
-        heads |= BigInt(+`0b${`${heads & 1n << jn && 1}`.repeat(colSpan)}`) << jn;
-        highlights |= BigInt(+`0b${`${highlights & 1n << jn && 1}`.repeat(colSpan)}`) << jn;
+        heads |= heads & 1n << jn
+          ? ~(~0n << BigInt(colSpan)) << jn
+          : 0n;
+        highlights |= highlights & 1n << jn
+          ? ~(~0n << BigInt(colSpan)) << jn
+          : 0n;
         j += colSpan - 1;
       }
       if (target === thead) {

package/src/parser/inline/html.test.ts

@@ -16,7 +16,6 @@ describe('Unit: parser/inline/html', () => {
       assert.deepStrictEqual(inspect(parser('<small onclick="alert()">a</small>')), [['<span class="invalid">&lt;small onclick="alert()"&gt;a&lt;/small&gt;</span>'], '']);
       assert.deepStrictEqual(inspect(parser('<small><small onclick="alert()">a</small></small>')), [['<small><span class="invalid">&lt;small onclick="alert()"&gt;a&lt;/small&gt;</span></small>'], '']);
       assert.deepStrictEqual(inspect(parser('<bdo dir="rtl\\"><">a</bdo>')), [['<span class="invalid">&lt;bdo dir="rtl\\"&gt;&lt;"&gt;a&lt;/bdo&gt;</span>'], '']);
-      assert.deepStrictEqual(inspect(parser('<wbr onclick="alert()">')), [['<wbr class="invalid">'], '']);
     });
 
     it('invalid', () => {
@@ -84,14 +83,16 @@ describe('Unit: parser/inline/html', () => {
       assert.deepStrictEqual(inspect(parser('<a>')), undefined);
       assert.deepStrictEqual(inspect(parser('<small><a>a</a></small>')), [['<small><span class="invalid">&lt;a&gt;a&lt;/a&gt;</span></small>'], '']);
       assert.deepStrictEqual(inspect(parser('<small>a<a>b</a>c</small>')), [['<small>a<span class="invalid">&lt;a&gt;b&lt;/a&gt;</span>c</small>'], '']);
-      assert.deepStrictEqual(inspect(parser('<img>')), undefined);
+      assert.deepStrictEqual(inspect(parser('<img>')), [['<img'], '>']);
       assert.deepStrictEqual(inspect(parser('<small><img></small>')), [['<small>&lt;img&gt;</small>'], '']);
-      assert.deepStrictEqual(inspect(parser('<img />')), undefined);
+      assert.deepStrictEqual(inspect(parser('<img />')), [['<img'], ' />']);
       assert.deepStrictEqual(inspect(parser('<small><img /></small>')), [['<small>&lt;img /&gt;</small>'], '']);
     });
 
     it('attribute', () => {
+      assert.deepStrictEqual(inspect(parser('<small\n>a</small>')), undefined);
       assert.deepStrictEqual(inspect(parser('<small >a</small>')), [['<small>a</small>'], '']);
+      assert.deepStrictEqual(inspect(parser('<small \n>a</small>')), undefined);
       assert.deepStrictEqual(inspect(parser('<small  >a</small>')), [['<small>a</small>'], '']);
       assert.deepStrictEqual(inspect(parser('<small __proto__>a</small>')), undefined);
       assert.deepStrictEqual(inspect(parser('<small constructor>a</small>')), [['<span class="invalid">&lt;small constructor&gt;a&lt;/small&gt;</span>'], '']);
@@ -116,9 +117,11 @@ describe('Unit: parser/inline/html', () => {
       assert.deepStrictEqual(inspect(parser('<bdo dir="rtl" >a</bdo>')), [['<bdo dir="rtl">a</bdo>'], '']);
       assert.deepStrictEqual(inspect(parser('<bdo dir="rtl"  >a</bdo>')), [['<bdo dir="rtl">a</bdo>'], '']);
       assert.deepStrictEqual(inspect(parser('<bdo  dir="rtl">a</bdo>')), [['<bdo dir="rtl">a</bdo>'], '']);
-      assert.deepStrictEqual(inspect(parser('<wbr constructor>')), [['<wbr class="invalid">'], '']);
-      assert.deepStrictEqual(inspect(parser('<wbr X>')), undefined);
-      assert.deepStrictEqual(inspect(parser('<wbr x>')), [['<wbr class="invalid">'], '']);
+      assert.deepStrictEqual(inspect(parser('<wbr\n>')), undefined);
+      assert.deepStrictEqual(inspect(parser('<wbr >')), [['<wbr'], ' >']);
+      assert.deepStrictEqual(inspect(parser('<wbr constructor>')), [['<wbr'], ' constructor>']);
+      assert.deepStrictEqual(inspect(parser('<wbr X>')), [['<wbr'], ' X>']);
+      assert.deepStrictEqual(inspect(parser('<wbr x>')), [['<wbr'], ' x>']);
     });
 
   });

package/src/parser/inline/html.ts

@@ -1,6 +1,6 @@
 import { undefined, Object } from 'spica/global';
 import { HTMLParser } from '../inline';
-import { union, some, validate, creator, surround, open, match, lazy } from '../../combinator';
+import { union, some, validate, focus, creator, surround, open, match, lazy } from '../../combinator';
 import { inline } from '../inline';
 import { str } from '../source';
 import { startLoose, blankWith } from '../util';
@@ -9,7 +9,7 @@ import { memoize } from 'spica/memoize';
 import { Cache } from 'spica/cache';
 import { unshift, push, splice } from 'spica/array';
 
-const tags = Object.freeze(['wbr', 'sup', 'sub', 'small', 'bdo', 'bdi']);
+const tags = Object.freeze(['sup', 'sub', 'small', 'bdo', 'bdi']);
 const attrspec = {
   bdo: {
     dir: Object.freeze(['ltr', 'rtl'] as const),
@@ -19,21 +19,19 @@ Object.setPrototypeOf(attrspec, null);
 Object.values(attrspec).forEach(o => Object.setPrototypeOf(o, null));
 
 export const html: HTMLParser = lazy(() => creator(validate('<', validate(/^<[a-z]+(?=[^\S\n]|>)/, union([
-  match(
-    /^<(wbr)(?=[^\S\n]|>)/,
-    memoize(
-    ([, tag]) =>
-      surround(
-        `<${tag}`, some(union([attribute])), /^\s*>/, true,
-        ([, bs = []], rest) =>
-          [[h(tag as 'span', attributes('html', [], attrspec[tag], bs))], rest]),
-    ([, tag]) => tags.indexOf(tag), [])),
+  focus(
+    '<wbr>',
+    () => [[h('wbr')], '']),
+  focus(
+    // https://html.spec.whatwg.org/multipage/syntax.html#void-elements
+    /^<(?:area|base|br|col|embed|hr|img|input|link|meta|source|track|wbr)(?=[^\S\n]|>)/,
+    source => [[source], '']),
   match(
     /^<(sup|sub|small|bdo|bdi)(?=[^\S\n]|>)/,
     memoize(
     ([, tag]) =>
       surround<HTMLParser.TagParser, string>(surround(
-        str(`<${tag}`), some(attribute), str(/^\s*>/), true),
+        str(`<${tag}`), some(attribute), str(/^[^\S\n]*>/), true),
         startLoose(some(union([
           open(/^\n?/, some(inline, blankWith('\n', `</${tag}>`)), true),
         ])), `</${tag}>`),
@@ -46,7 +44,7 @@ export const html: HTMLParser = lazy(() => creator(validate('<', validate(/^<[a-
     memoize(
     ([, tag]) =>
       surround<HTMLParser.TagParser, string>(surround(
-        str(`<${tag}`), some(attribute), str(/^\s*>/), true),
+        str(`<${tag}`), some(attribute), str(/^[^\S\n]*>/), true),
         startLoose(some(union([
           open(/^\n?/, some(inline, blankWith('\n', `</${tag}>`)), true),
         ])), `</${tag}>`),